This just in from the “you’re kidding me, right?” department: Cybersecurity attackers snuck into nearly three in four government agencies in 2016. Yep, some 72 percent of government entities fell victim to compromised security last year, a new Netwrix study on IT security risks uncovered.
How can that be? It seems that government organizations are laggards in understanding security technology beyond the traditional perimeter defense, Netwrix’s IT Risks Survey found. Ok, fine. But, as it turns out, that’s only the drive-by observation. The deeper dive finds the most common cause of government security lapses is human error and insider misuse, otherwise known in some circles as the triumvirate of operator error, inadequate training and shaky policies, although Netwrix wisely did not make those accusations.
Still, a strong case can be made that's why all of the respondents to the survey from the government sector regarded employees as the biggest threat to security. (Note: In total, 723 IT pros participated. Netwrix didn't say how many were from government.)
“So, why do government entities have little trust in their own employees? The main reason is bad experiences,” wrote Ryan Brooks, a Netwrix product evangelist, in a blog post. Last year, human errors caused security incidents in 57 percent of government organizations and system downtime in 14 percent, Brooks said. Some 43 percent of entities confirmed they had to investigate security incidents that involved insider misuse, he said.
In a newly released infographic that homes in on security risks in government, IT specialists collectively said this:
- 57 percent of government entities focus on endpoint protection rather than data.
- Government entities are willing to invest in protection against intellectual property theft (43 percent), data breaches (29 percent) and fraud (14 percent).
- 75 percent of government entities do not have any visibility into BYOD, 67 percent lack insight into shadow IT, and 60 percent have no visibility into their cloud infrastructures.
- 14 percent of government entities consider themselves to be well prepared to beat IT risks.
- The IT departments of government agencies are mainly restrained by lack of time (57 percent), insufficient budget (43 percent), and IT infrastructure complexity (43 percent).
- 75 percent of government entities do not have a separate information security function.
- 86 percent of government entities say even fragmented visibility helps them better detect human factor risks.
“One would think that if government entities don’t track all user activity, at least they would know what is happening with their data,” Brooks wrote. “Sadly, the data-centric approach is not popular either. Only four in ten organizations thoroughly monitor activity in databases, though 60 percent of the respondents deem it critical.”
Brooks pointed to recent data breaches at the IRS, Navy and the Office of Personnel Management as “logical consequences” of failing to monitor user activity and data manipulations.
Netwrix previously offered similar data cuts from the survey for the healthcare and finance verticals.