Government Executives Grapple with an Array of IT Security Threats
Data leaks concern executives
Government executives expressed widespread concern about data leakage, whether caused by malicious actions or accidental missteps, according to an online survey of 209 executives conducted by 1105 Government Information Group Content Solutions. Few of those surveyed, however, believe their current agency data protection measures fail to measure up.
In total, the survey, conducted online in February, garnered 209 responses from public sector executives at organizations ranging from the Department of Defense and civilian federal agencies to state and local governments. Roughly a fifth of government agencies responding to the survey reported that external IT security incidents have increased in the past year.
That clearly melds with the latest research results available from the Government Accountability Office. In the last five years, the number of incidents reported by federal agencies to US-CERT (the United States Computer Emergency Readiness Team) has increased from 5,503 incidents in fiscal year 2006 to 41,776 incidents in fiscal year 2010. In the latest GAO report, agencies cited a skyrocketing increase in the volume of malicious software since 2009, up by over 650%, according to GAO figures. (Read the full GAO report at: http://www.gao.gov/assets/590/585570.pdf)
In the 1105 Government Information Group Content Solutions Information Security Survey, the average annual loss due to internal and external security incidents was reported at $800,000. And the costs associated with such incidents included both ‘hard’ and ‘soft’ costs, such as staff time.
Survey respondents said that the number of external security incidents in the past year averaged 5.4 per organization. This compared to an average of 4.3 internal security breach incidents reported during the same period. A total of 70% of respondents agreed that while internal IT security threats were mostly innocent mistakes without malicious intent, those internal incidents nonetheless must be watched and guarded against.
Indeed, across all levels of government, government executives expressed greater concern about external threats, though survey respondents noted a slight increase in security breaches from internal sources in the last year. Typically, respondents said the motives behind internal breaches were largely considered benign.
Not surprisingly, agencies that have suffered financial loss from IT security incidents were more apt to increase their IT security budgets in the coming year. Prior experience has proven to be a strong driver when it comes to investing in threat protection. Nearly half of those who reported they will receive IT threat prevention budget hikes in the coming fiscal year pointed to financial loss as the result of a security incident. The average annual agency budget for IT security threat prevention, across all levels of government, was reported at $2.75 million. Survey respondents from DoD agencies reported higher budgets, citing an average of $5.6 million. Civilian agency respondents said their budgets for threat prevention averaged about $1.5 million. And state and local government respondents reported an average budget of $2.1 million for security threat prevention.
A whopping 92% of those surveyed said they expect to spend at least as much, if not more, for IT security threat prevention in the coming year. Across all levels of government, the average anticipated spending increase was 16%. Of the 8% of respondents who expected to pay less for threat protection, the majority were from state and local agencies, which tend to face tighter budgetary restrictions than their federal government counterparts.
According to the survey results, many agencies have already conducted third-party threat prevention assessments to better understand their IT security exposure and what can be done to prevent data leakage. In total, 40% of civilian agencies surveyed have conducted a third-party feasibility assessment, while only 21% of state and local government respondents and 19% of DoD respondents have completed similar studies.
The seemingly constant stream of viruses, worms, rootkits, denial-of-service (DoS) attacks and other security threats underscores how the government’s network perimeter has expanded and blurred as mobile and remote users have proliferated. Today, because government IT organizations must provide network access to stakeholders ranging from suppliers to other partners and constituents so they can access pertinent information, it has become imperative for IT administrators to be proactive in implementing threat prevention strategies, said Lauren Jones, senior principal analyst for Deltek's Federal Market Analysis program.
IT security threat prevention is defined as a series of strategies that collectively build a multi-layer security protection plan to prevent malicious attacks from entering government networks and corrupting systems and data. Jones advises government organizations to avoid implementing security features on an ‘ad hoc’ basis. In an era of greater transparency and accountability, along with tight budgets, agency-wide security strategies are required, she explained.