(ISC)2 recently released a report based on the survey results of a targeted pool of executive-level government officials and contractors with the goal of reporting on the state of cybersecurity in the Federal Government. The individuals surveyed are accountable for enterprise-wide security and the key findings from the report paint a rather bleak picture for the federal workspace. While some federal entities protect their assets better than others, it’s hard not to feel like cybersecurity is still consistently put on the back burner when budgets get tight and hard decisions have to be made.
A positive aspect that (ISC)2 notes is that with all the media coverage, which in my opinion still isn't enough, organizations may finally be realizing it's not 'if' but 'when' you have a breach. I'm not completely convinced, as we've talked with numerous companies that 'just don't think they're that important' to be victims of cyber-attacks, but any progress is better than none. That, however, just about wraps up the positive aspects of the report, as the rest of the results are much more worrisome. Below are a few I'd like to highlight:
- Only 67% believe their agency can appropriately respond to a cyber incident.
- 59% believe their agency struggles to understand how cyber attackers could potentially breach their systems.
- 40% are unaware of where their key assets are located.
- 40% believe their incident response plan is not effective in responding to cyberattacks.
Given the 2nd, 3rd, and 4th bullets, I was actually surprised to see that 67% believed they could appropriately respond to a cyber incident. With nearly 60% of the respondents believing they struggle to understand how their systems could be breached and 40% unaware of where their key assets are, I'm not convinced that a majority of the respondents could effectively and efficiently detect, scope, contain, and remediate an incident. Incidents are more than likely run like a fire drill, with all participants just hoping the place doesn't burn to the ground.
While the (ISC)2 report focuses on the federal government, our work in the private sector, unfortunately, doesn't lead me to believe they're any better off. The heavy hitters tend to do a decent job, or at least have the budget to try, but security practices, in general, are abysmal. The latest DFARS requirements and the looming December 2017 deadline have at least got the defense contractors among them discussing security, though not always in a positive light. Most of these organizations still struggle with the 'how' and the overall 'why', but the fact that it has to be done is no longer up for debate.
Regardless of whether it’s the private or public sector, I think the statistics are probably pretty similar and speak for themselves. Security can’t be an afterthought.