The State of Cybersecurity: Some Alarming Statistics

By Jeff Schroeder • August 10, 2016

(ISC)2 recently released a report based on the survey results of a targeted pool of executive-level government officials and contractors with the goal of reporting on the state of cybersecurity in the Federal Government. The individuals surveyed are accountable for enterprise-wide security and the key findings from the report paint a rather bleak picture for the federal workspace. While some federal entities protect their assets better than others, it’s hard not to feel like cybersecurity is still consistently put on the back burner when budgets get tight and hard decisions have to be made.

A positive aspect that (ISC)2 notes is that with all the media coverage, which isn’t enough if you ask my opinion, organizations may finally be realizing its not ‘if’ but ‘when’ you have a breach. I’m not completely convinced as we’ve talked with numerous companies that ‘just don’t think they’re that important’ to be victims of cyber-attacks, but any progress is better than none. That, however, just about wraps up the positive aspects of the report as the rest of the results are much more worrisome. Below are a few I’d like to highlight:

  • Only 67% believe their agency can appropriately respond to a cyber incident.
  • 59% believe their agency struggles to understand how cyber attackers could potentially breach their systems.
  • 40% are unaware of where their key assets are located.
  • 40% believe their incident response plan is not effective in responding to cyberattacks.

Given the 2nd, 3rd, and 4th bullets, I was actually surprised to see that 67% believed they could appropriately respond to a cyber incident. With almost 2/3rds of the respondents believing they struggle to understand how their systems could be breached and 40% unaware of where their key assets are, I’m not convinced that a majority of the respondents could effectively and efficiently detect, scope, contain, and remediate an incident. Incidents are more than likely run like a fire drill, with all participants just hoping the place doesn’t burn to the ground.

While the (ISC)2 report focuses on the federal government, our work in the private sector, unfortunately, doesn’t leave me to believe they’re any better off. The heavy hitters tend to do a decent job, or at least have the budget to try, but security practices, in general, are abysmal. The latest DFARS requirements and looming December 2017 deadline have at least got these organizations discussing security, though not always in a positive light. Most of these organizations still struggle with the ‘how’ and the overall ‘why’, but the fact it has to be done is no longer up for debate.

Regardless of whether it’s the private or public sector, I think the statistics are probably pretty similar and speak for themselves. Security can’t be an afterthought.

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Trace Security