Two reports released this week paint an imposing picture for anyone who is tasked with safeguarding the massive amounts of data collected by federal agencies.
In a study published Wednesday, Vormetric’s Insider Threat Report came away with some stark findings: More than 93 percent of U.S. respondents said their organizations were “somewhat or more vulnerable” to insider threats, with 59 percent of “privileged users” posing the biggest threats to organizational data.
“As much as we may have hoped to believe it, the Edward Snowden affair was not our data security pinnacle,” said Andrew Kellett, lead analyst for consulting firm Ovum, which helped produce the report. “Almost half of the U.S. organizations polled experienced a data breach or failed a compliance audit in the past year – which tells us the situation has probably gotten more complicated.”
The report also found that while organizations are fighting for every dollar they need to protect against all threats, where that money is being applied doesn’t always align with the biggest security weaknesses faced by IT professionals. While servers and databases pose the highest risk, the report finds that spending remains focused on endpoint and mobile security.
“The scattergun approach that sees [security budget] increases spread across a wide range of security protection solutions suggests that there is still a significant amount of firefighting going on,” the report states.
The authors of the report suggest that IT security should lessen focus on mobile devices and put more emphasis on access control technology and data encryption, which would provide peace of mind whether data is stored in the company’s own databases or in the cloud.
“Irrespective of where the data is being held, it is important to know and be able to control who gets access and what they can do with that access,” the report reads. “This provides the ability to highlight and report on misuse that could otherwise put company-sensitive data at risk.”
Yet in another report issued this week, George Mason University’s Mercatus Center, a free-market-focused think tank, found that even as the federal government fights its own battles with cybersecurity budgets, the number of federal data breaches — including breaches of data that contained personally identifiable information — continues to rise.
Using data from the Congressional Research Service and the Government Accountability Office, the study tracks spending related to the Federal Information Security Management Act from 2006 to 2013, along with the total reported number of federal information security incidents. While FISMA spending has moderately increased (the report’s author attributes the jumps and subsequent declines in spending to changes to OMB’s methodology for calculating FISMA spending), federal cybersecurity incidents have jumped 1,012 percent since 2006, from 5,503 to 61,214 in 2013.
As the number of incidents rose, so did the amount of personally identifiable information of federal personnel, veterans and civilians that was exposed.
“The federal government’s own failure to improve internal cybersecurity practices after years of increased spending and information-sharing among agencies calls into question the effectiveness of President Obama’s proposals to extend these policies to the private sector,” the Mercatus Center report concludes. “While cybersecurity vulnerabilities and data breaches remain a considerable problem in the private sector as well as the public sector, policies that failed to protect the federal government’s own information security are unlikely to magically work when applied to private industry.”
Taken together, the two studies make clear that federal CIOs have to manage growth on numerous levels — growth of cloud, growth of attacks, growth of threat factors — if they plan on keeping their data as safe as possible.