The State of Cybersecurity: Some Alarming Statistics

By Jeff Schroeder • August 10, 2016

(ISC)2 recently released a report based on the survey results of a targeted pool of executive-level government officials and contractors with the goal of reporting on the state of cybersecurity in the Federal Government. The individuals surveyed are accountable for enterprise-wide security and the key findings from the report paint a rather bleak picture for the federal workspace. While some federal entities protect their assets better than others, it’s hard not to feel like cybersecurity is still consistently put on the back burner when budgets get tight and hard decisions have to be made.

A positive aspect that (ISC)2 notes is that with all the media coverage, which isn’t enough if you ask my opinion, organizations may finally be realizing its not ‘if’ but ‘when’ you have a breach. I’m not completely convinced as we’ve talked with numerous companies that ‘just don’t think they’re that important’ to be victims of cyber-attacks, but any progress is better than none. That, however, just about wraps up the positive aspects of the report as the rest of the results are much more worrisome. Below are a few I’d like to highlight:

  • Only 67% believe their agency can appropriately respond to a cyber incident.
  • 59% believe their agency struggles to understand how cyber attackers could potentially breach their systems.
  • 40% are unaware of where their key assets are located.
  • 40% believe their incident response plan is not effective in responding to cyberattacks.

Given the 2nd, 3rd, and 4th bullets, I was actually surprised to see that 67% believed they could appropriately respond to a cyber incident. With almost 2/3rds of the respondents believing they struggle to understand how their systems could be breached and 40% unaware of where their key assets are, I’m not convinced that a majority of the respondents could effectively and efficiently detect, scope, contain, and remediate an incident. Incidents are more than likely run like a fire drill, with all participants just hoping the place doesn’t burn to the ground.

While the (ISC)2 report focuses on the federal government, our work in the private sector, unfortunately, doesn’t leave me to believe they’re any better off. The heavy hitters tend to do a decent job, or at least have the budget to try, but security practices, in general, are abysmal. The latest DFARS requirements and looming December 2017 deadline have at least got these organizations discussing security, though not always in a positive light. Most of these organizations still struggle with the ‘how’ and the overall ‘why’, but the fact it has to be done is no longer up for debate.

Regardless of whether it’s the private or public sector, I think the statistics are probably pretty similar and speak for themselves. Security can’t be an afterthought.

Cybersheath Blog

CMMC Compliance Dashboard: Gain New Visibility into Compliance

CMMC is not a compliance framework. It’s a maturity model. That has big implications for how you approach compliance, but also how you keep track of all the elements that make up compliance. And yet, visibility has been one of the most difficult challenges facing DIB contractors. It used to…

CMMCEnclave: Add Versatility with a More Flexible Approach

The enclave approach to CMMC compliance is one of the most cost effective and least disruptive ways to safeguard CUI. You can maintain high-value custodial security of CUI without upending your existing processes, procedures, and people. That way, you can maintain the proper level of CMMC compliance and remain eligible…

How to Offboard Your Managed Services Provider

For any of a variety of reasons including lack of communication, slow response times, or prolonged downtime, your organization has decided to change your managed service provider (MSP). Whether you have already signed an agreement with a new MSP or you are actively looking for a replacement, now is the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft