The State of Cybersecurity: Some Alarming Statistics

By Jeff Schroeder • August 10, 2016

(ISC)2 recently released a report based on a survey of a targeted pool of executive-level government officials and contractors, with the goal of describing the state of cybersecurity in the Federal Government. The individuals surveyed are accountable for enterprise-wide security, and the key findings paint a rather bleak picture for the federal sector. While some federal entities protect their assets better than others, it's hard not to feel that cybersecurity is still consistently put on the back burner when budgets get tight and hard decisions have to be made.

A positive aspect that (ISC)2 notes is that, with all the media coverage (which isn't enough, in my opinion), organizations may finally be realizing it's not 'if' but 'when' you have a breach. I'm not completely convinced, as we've talked with numerous companies that 'just don't think they're that important' to be victims of cyber-attacks, but any progress is better than none. That, however, just about wraps up the positive aspects of the report; the rest of the results are much more worrisome. Below are a few I'd like to highlight:

  • Only 67% believe their agency can appropriately respond to a cyber incident.
  • 59% believe their agency struggles to understand how cyber attackers could potentially breach their systems.
  • 40% are unaware of where their key assets are located.
  • 40% believe their incident response plan is not effective in responding to cyberattacks.

Given the second, third, and fourth bullets, I was actually surprised to see that 67% believed they could appropriately respond to a cyber incident. With 59% of the respondents believing they struggle to understand how their systems could be breached and 40% unaware of where their key assets are, I'm not convinced that a majority of the respondents could effectively and efficiently detect, scope, contain, and remediate an incident. You cannot scope or contain an intrusion on assets you do not know you have, and you cannot detect an attack path you do not understand. Incidents are more than likely run like a fire drill, with all participants just hoping the place doesn't burn to the ground.

While the (ISC)2 report focuses on the federal government, our work in the private sector, unfortunately, doesn't lead me to believe it is any better off. The heavy hitters tend to do a decent job, or at least have the budget to try, but security practices, in general, are abysmal. The latest DFARS requirements (DFARS 252.204-7012, which requires defense contractors to implement NIST SP 800-171) and the looming December 31, 2017 deadline have at least got these organizations discussing security, though not always in a positive light. Most of these organizations still struggle with the 'how' and the overall 'why', but the fact that it has to be done is no longer up for debate.

Regardless of whether it's the private or public sector, I think the statistics are probably pretty similar, and they speak for themselves. Security can't be an afterthought.
