Posted by: GuyPardon
A new study of top government IT executives conducted by the Ponemon Institute identified outsourcing, cyberterrorism and an increasingly mobile workforce as significant threats to data, government systems and the nation’s critical infrastructure.
IT executives from the Departments of Defense, Justice, Homeland Security and Health and Human Services represented the largest proportion of respondents to the study, which was sponsored by CA Inc.
The study found that 63% of respondents perceived the increasingly mobile workforce “as contributing significantly to endpoint security risks as a result of insecure mobile data-bearing devices that are susceptible to malware infections as well as insecure wireless connectivity.”
Perhaps reflecting the current zeitgeist around the “Government 2.0” movement and compliance concerns around enterprise 2.0 tools, the study showed that 79% of respondents see increased use of collaboration tools as a significant risk to data protection.
Specifically, the use of social computing platforms is increasing the storage of unstructured data that could contain sensitive information in a repository that is not effectively secured. Fifty-two percent of respondents identified the use of Web 2.0 applications as a vector for increased risk for sensitive data loss, including social networking, social messaging and wikis.
Respondents viewed unstructured data and outsourcing as the top two root causes of increased cybersecurity risk to sensitive and confidential information. This concern is reflected at the Department of Homeland Security, where application security has been referenced as both a supply chain risk and a cyberterrorism threat.
As reported by the study, 38% of respondents were unsure whether there had been cybercrime on their network in the past year. What’s perhaps more significant is that only 2% to 5% of respondents knew that it had happened. And that may not reflect the true total.
“I do feel the numbers are underreported,” said David Hansen, CA’s corporate vice president and general manager of the company’s security management unit. “In the past, cybercrime incidents have tended to be brushed under the carpet. More pressure on disclosure has forced some changes to happen and is helpful for awareness.”
Data breaches, by way of contrast, must be published or reported, and 34% of respondents said that their agency had experienced two to five data breaches in the past year. Overall, 75% of respondents said that their agency had experienced a data breach in the last year. Respondents overwhelmingly chose wireless networks as the primary threat vector, followed by endpoints and networks.
Finally, 48% of respondents said their organization isn’t taking appropriate steps to comply with the Federal Information Security Management Act (FISMA), and 55% don’t have adequate security technologies to protect information assets and critical infrastructure.
“When I talk to government agencies, they look at FISMA compliance as a necessary evil,” said Hansen. “I think they might have to either redefine it to address new threats and create a lower common denominator or push for accountability.”
The question now, as bills like the ICE Act or the Cybersecurity Act work their way through Congress, is whether FISMA reform will adequately address the vulnerabilities that government IT executives are worried about.
“The problem is that, in many cases, government doesn’t have a lot of control of a lot of critical infrastructure, like manufacturing, power plants or private networks,” said Hansen. “Part of cybersecurity is about critical infrastructure and things that are not covered by FISMA. Most of those systems have no viruses or malware protection. That hasn’t been an issue because those systems weren’t connected to the Internet. Now, systems are being connected and are creating massive exposures that just weren’t there before.”
The Ponemon Institute’s “Cybersecurity Mega Trends” study is available for download from CA.com as a PDF.