Government Executives Grapple with an Array of IT Security Threats

download-pdf
Data leaks concern executives

Government executives expressed widespread concern about data leakage, whether caused by malicious actions or accidental missteps, according to an online survey of 209 executives, conducted by 1105 Government Information Group Content Solutions, although few of those surveyed believe their current agency data protection measures fail to measure up.

In total, the survey conducted online in Februrary, garnered 209 responses from public sector executives from organizations ranging from the Department of Defense to civilian federal agencies, to executives from state and local governments. Roughly a fifth of government agencies responding to the survey reported that external IT security incidents have increased in the past year.

That clearly melds with the latest research results available from the Government Accountability Office. In the last five years, the number of incidents reported by federal agencies to US-CERT (the United States Computer Emergency Readiness Team) has increased from 5,503 incidents in fiscal year 2006 to 41,776 incidents in fiscal year 2010. In the latest GAO report, agencies cited a skyrocketing increase in the volume of malicious software since 2009, up by over 650%, according to GAO figures. (Read the full GAO report at: http://www.gao.gov/assets/590/585570.pdf)

Information Security

In the 1105 Government Information Group Content Solutions Information Security Survey, the average annual loss due to internal and external security incidents was reported at $800,000. And the costs associated with such incidents included both ‘hard’ and ‘soft’ costs, such as staff time.

Survey respondents said that the number of external security incidents in the past year averaged 5.4 per organization. This compared to an average of 4.3 internal security breach incidents reported during the same period. A total of 70% of respondents agreed that while internal IT security threats were mostly innocent mistakes without malicious intent, those internal incidents, nonetheless must be watched and guarded against.

Indeed, across all levels of government, government executives expressed greater concern about external threats, though survey respondents noted a slight increase in security breaches from internal sources in the last year. Typically, respondents said the motives behind internal breaches were largely considered benign.

Not surprisingly, agencies that have suffered financial loss from IT security incidents were more apt to increase their IT security budgets in the coming year. Prior experience has proven to be a strong driver when it comes to investing in threat protection. Nearly half of those who reported they will receive IT threat prevention budget hikes in the coming fiscal year pointed to financial loss as the result of a security incident. The average annual agency budget for IT security threat prevention, across all levels of government was reported at $2.75 million. Survey respondents from DoD agencies reported higher budgets, citing an average of $5.6 million. Civilian agency respondents said their budgets for threat prevention averaged about $1.5 million. And state and local government respondents reported an average budget of $2.1 million for security threat prevention.

Information Security

A whopping 92% of those surveyed said they expect to spend at least as much, if not more for IT security threat prevention in the coming year. Across all levels of government, the average anticipated spending increase was 16%. Of the 8% of respondents who expected to pay less for threat protection, the majority were from state and local agencies, which tend to face tighter budgetary restrictions than their federal government counterparts.

According to the survey results, many agencies have already conducted third-party threat prevention assessments to better understand their IT security exposure and what can be done to prevent data leakage. In total, 40% of civilian agencies surveyed have conducted a third party feasibility assessment, while only 21% of state and local government respondents and 19% of DoD respondents have completed similar studies.

The seemingly constant stream of viruses, worms, rootkits, denial-of-service (DoS) attacks and other security threats underscore how the government’s network perimeter has expanded and blurred, as the proliferation of mobile and remote users has grown. Today, because government IT organizations must provide network access to stakeholders ranging from suppliers to other partners and constituents, so they can access pertinent information – it has become imperative for IT administrators to be proactive in implementing threat prevention strategies, said Lauren Jones, senior principal analyst for Deltek's Federal Market Analysis program.

IT security threat prevention is defined as a series of strategies that collectively build a multi-layer security protection plan to prevent malicious attacks from entering government networks and corrupting systems and data. Jones advises government organizations to avoid implementing security features on an ‘ad-hoc’ basis. In an era of greater transparency and accountability -- along with tight budgets – agency-wide security strategies are required, she explained.

Threats of All Shapes and Sizes

Public sector executives responding to the 1105 Government Information Group Content Solutions Information Security Survey cited a range of internal and external sources as the biggest information security threats to their organizations.

Interesting survey findings about attackers included:
* Insider Threats - 70% of respondents said they were very concerned about such threats, with state and local agencies less concerned about insiders than their federal counterparts.
* Accidental Data Leakage - 70% expressed that they were very concerned about information loss due to accidental data leakage.
* Criminals – 67% of survey respondents reported external perpetrators were a looming concern. Infrastructural damage from criminal attacks, and the costs associated with the fallout of a criminal attack caused the greatest concern among survey respondents.
* Foreign Governments - 59% of respondents reported they were very concerned about the risk of attack from foreign governments. Not surprisingly, Department of Defense organizations were most likely to be concerned about this category of threats.

The total number of responses exceeded 100% because government executives were asked to check all categories that applied.

Source: 1105 Government Information Group Content Solutions Information Security Survey conducted by Beacon Technology Partners


GAO Report Highlights Most Common Threats

In addition to the 1105 survey, the latest GAO report on IT security threats noted that agencies have reported the following types of incidents as occurring most frequently, including:
*Unauthorized access - Gaining logical or physical access to a federal agency's network, system, application, data, or other resource without permission.
*Denial of service - Preventing or impairing the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim of, or participating in a denial-of-service attack.
*Malicious code - Installing malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are not required to report malicious logic that has been successfully quarantined by antivirus software.
*Improper usage - Violating acceptable computing use policies.
*Scans/probes/attempted access - Accessing or identifying a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.

Source: GAO, Oct. 2011


Survey Demographics

The survey was conducted online in February for 1105 Government Information Group Content Solutions by Beacon Technology Partners, a primary market research firm in Shirley, Mass. In total, the survey garnered 209 responses, representing a confidence interval of +/- 6.7. Respondents included public sector executives involved in finding solutions for IT security threats, from government organizations ranging from the Department of Defense to civilian federal agencies, to executives from state and local governments as well.

When it comes to the adoption of new technologies, 58% of respondents described themselves as conservative and 42% said they were progressive. The 1105 Government Information Group Content Solutions IT Security Survey focused on threat prevention priorities and solutions. Threat prevention is defined as the protection of an agency's data and systems from unauthorized access or misuse to ensure availability, confidentiality and privacy.

Solutions addressed in the survey included:
*The protection and management of identities, including employees, partners and constituents;
*Securing online operational transactions; and
*Protecting sensitive data throughout an agency’s IT infrastructure.


About this Report

This report was commissioned by the Content Solutions unit, an independent editorial arm of 1105 Government Information Group. Specific topics are chosen in response to interest from the vendor community; however, sponsors are not guaranteed content contribution or review of content before publication. For more information about 1105 Government Information Group Content Solutions, please email us at GIGCustomMedia@1105govinfo.com