Federal agencies are at a staggeringly increased risk of information security attack. The U.S. General Accountability Office (U.S. GAO) released a report in September 2016 titled Federal Information Security: Actions Needed to Address Challenges, authored by Information Security Issues Director Gregory C. Wilshusen. Over the past nine years, the GAO report states, security incidents at federal agencies have increased 1300%.
The report includes data-driven insight into the state of security at federal agencies, as well as a recommended series of actions for organizations to address. While it's critical reading for government security officials, there's also a wealth of insights for professionals who work in a corporate setting. Join us as we review the findings of this report and how they should impact security strategies at public and private organizations.
1. Risks Have Increased
The sheer volume of incidents reported by organizations surveyed by the GAO increased immensely during the nine-year period covered in the report.
As cybercriminals are growing more sophisticated, the networks of both private organizations and federal agencies have grown more complex. The increased digitization of personal identifying information (PII) and business workflows have also compounded the complexity of modern information security.
While it's likely very unsurprising to any information security pro that you're operating in an environment of increased risks, the 1300% growth in incidents is an important stat to absorb. Many of the most common barriers to risk response the study identified included:
- Difficulty with personnel recruitment and retention
- Rapidly-changing threats
- Quickly-changing technologies
- Lack of information-sharing mechanisms
2. Many Recommendations Have Not Been Implemented
The GAO has recommended 2,500 best security practices for federal agencies. The report stated that approximately 1,000 have not been implemented.
While the research did not detail whether these weaknesses were at odds with FISMA compliance requirements, security professionals can assume that following NIST guidelines and other compliance best practices will improve security. While compliance may not always be enough protection against threats, it's critically important—and modern security professionals need technological resources to make compliance simpler.
3. Business Continuity is Critical
Federal agencies, alongside private organizations, have increasingly digitized PII over the past decade. Technological systems are used to back up payments, intellectual resources, critical operations, and personal information at organizations in many industries.
While this digitization of information and workflows has enhanced productivity, it's also increased risk surface. This finding of the GAO report speaks to the importance of information security as a core business objective and the importance of business continuity planning. If your organization is ever subject to crime, do you have the ability to quickly and efficiently restore your operations and assets?
4. Patching is Inconsistent
The GAO report stated that "federal agencies consistently fail to apply critical security patches in a timely manner on their systems, sometimes [for] years after the patch is available." It also noted that many agencies were reliant on unsupported software that were unpatched due to a lack of vendor support, which can introduce security vulnerabilities.
These wide-open vulnerabilities are likely due to resource shortages in security departments as well as quickly-expanding technology portfolios. For organizations subject to compliance with FISMA, PCI, and other regulatory measures, regular patching is a necessity.
5. Talent (and Resource) Shortages are Looming
In an analysis of federal agencies, a lack of qualified security personnel was identified as a common challenge. This particular finding ties into other observations stated in the report, including a lack recommendation implementation, poor frequency of reporting, and limited ability to respond to threats in a timely manner.
The recommendations included hiring contractors, smarter recruitment, and investing in training to build a talent force for the future. As security directors struggle against a lack of qualified applicants, there may be a need to implement better technological safeguards to provide immediate protection against threats.
How to Respond to GAO's Recommendations on Federal Security
Security leaders at both government and private organizations are dealing with many of the same pain points—a rapidly expanding threat vector, a lack of resources, and a growing number of endpoints to protect. While investing in contractor talent and training your existing staff to assume different roles is important, evaluating your tech portfolio is also a critical measure for the present.
Today's security leaders need tools with the built-in intelligence to aid in 24/7/365 compliance efforts and reveal emergent vulnerabilities in rapidly-changing networks. Cimcor is the only agent-based file integrity monitoring software that offers the ability to remediate negative changes to critical system files in real-time. With built-in intelligence, security professionals are able to easily distinguish the difference between positive, neutral, and negative changes in their security.
To learn more about how CimTrak's real-time file integrity monitoring and network-wide oversight technologies can aid in compliance with FISMA, PCI, HIPAA, and more, download the Definitive Guide to File Integrity Monitoring today.
December 14, 2016