The evolution of the Internet has allowed the private and public sector to leverage innovative solutions to improve efficiency and possibly reduce IT expenses. However, this IT revolution has not been entirely peaceful, as cybersecurity risks continue to plague information executives at every turn.
According to a recent TechAmerica study of federal information officers, including CIOs, CTOs and other major heads of IT departments, cybersecurity risks are the top concern for decision-makers in 2012. This comes as no surprise to many IT professionals, as nearly every aspect of today's business is run on the web in some capacity.
TechAmerica cited an earlier study by the Government Accountability Office that revealed federal organizations experienced roughly 5,000 data security incidents in 2006, but well over 40,000 in 2011. This could suggest many things, including the notion that cyberattacks are becoming more prominent and dangerous or that agencies are losing ground on their data protection initiatives.
Interestingly, many of the responding CIOs said the insider threat was a growing, unabated presence.
Insider threats concern executives
"Most major data breaches have come from the inside, yet most of our resources are directed at outsider threats," one CIO told TechAmerica.
The survey found that many respondents are worried about exposing sensitive data, such as Social Security numbers and other personally identifiable information. Federal executives also said that internal problems tend to crop up because of poor enforcement of password policies, as some employees will share logins or use simple passcodes that are easily deciphered, TechAmerica noted.
A separate report by AlgoSec found that poor internal security management poses a greater risk than malicious outsiders. The survey also found that nearly 28 percent of respondents cited insiders as a prominent threat to the corporate network.
"Poor visibility into what is occurring in the network, insider threats and poor processes that result in out-of-process changes are responsible for much of the day-to-day risk," AlgoSec vice president of marketing Nimmy Reichenberg said. "Regardless of latest attack vector or breach that makes headlines, it all goes back to strong security processes, visibility and control."
However, insiders are not the only issue.
Evolving external threats create tension in federal agencies
Outsiders have always posed a concern to IT departments. While the number of malicious external parties has not necessarily grown, their sophistication has matured, TechAmerica reported. Instead of traditional hackers, organizations are increasingly facing hacktivists – individuals who breach data networks for political or social reasons, as opposed to financial gain.
The real trouble that many federal agencies face is finding a balance between security and efficiency, as too much protection can hamper operations.
"We have tools in place to prevent cyberattacks but we have to find a balance between security and operational use. If we want to be completely secure, our tools will not be as operationally useful," one CIO told techAmerica. "We are constantly trying to find that balance to manage risk."
TechAmerica recommends that decision-makers conduct more internal security audits to ensure all processes are protected and no vulnerabilities exist. Federal organizations should also build cybersecurity into new systems, as it tends to be an afterthought for many agencies, which diminishes the initiative's success rate.
"With the complexity of risk profiles increasing, the internal audit needs to up its game to be proactive and intentional and not simply reactive," PricewaterhouseCoopers internal audit services leader Jason Pett said in a separate report.
By taking simple steps to prepare for internal and external threats, federal organizations can continue to innovate without worrying about experiencing issues down the line.
Data Security News from SimplySecurity.com by Trend Micro