Insider Negligence, Sophisticated Attacks Worry Federal IT Managers: Survey

While sophisticated attacks topped the list of threats keeping government IT staffs awake at night, negligent insiders were also high on the list, Cisco found in a recent survey.

Federal government IT and cyber-security professionals are worried about sophisticated threats and the level of visibility they have in their networks, Cisco found in a recent online survey. Many of the professionals are seeing the cloud as a way to improve security while reducing costs.

Employee behavior, increasingly sophisticated cyber-threats and lengthy IT processes top the list of cyber-security concerns by federal agencies, according to the results of a Cisco report released Sept. 14. The "Federal Cyber-Security Study" explored the security challenges faced by the IT staffs in the federal government.

IT staffs remain concerned about trust within their departments, the survey found. Nearly two-thirds of the respondents said the greatest risks in the next 12 months will likely come from sophisticated attacks, "negligent use of data" by internal personnel and increased activity on social media sites.

Improving trust, visibility and resilience is "critical" to improving an agency's cyber-security posture, regardless of whether the focus is on "building clouds, securing networks or managing information technology procurements," said Bill Cooper, director of cyber-security programs at Cisco Systems.

About 70 percent of staffs are concerned about the increasingly sophisticated nature of cyber-attacks. Nearly half of the staffs surveyed said their agency had experienced at least one phishing attack in the past 12 months, the survey found.

Theft or loss of computers, mobile devices and other portable media was the second most common cyber-incident, at 32 percent, followed by denial of service attacks and data infiltration, at 18 percent and 15 percent, respectively. The respondents felt there needs to be more visibility into the networks to secure their agency, and only half said they have a clear picture of all network activity.

Increased visibility would allow agencies and departments to identify "hot spots," find and fix vulnerabilities, and improve response times. About 65 percent felt education and training would be most useful to address cyber-security challenges. Approximately 58 percent said network intrusion detection capabilities would be useful, and 51 percent felt maintaining situational awareness is important.

In light of looming budget cuts, respondents said they plan to invest in networks and people to fight off cyber-threats. Half of the respondents said they plan to invest in ways to identify system vulnerabilities, and 37 percent plan to increase training. Another 32 percent plan to develop threat-resistant networks, although it was not clear from the study what technology or processes were meant by that.

More than half of agency staffs felt it takes too long to gain approval to purchase and deploy the technology necessary to protect networks. A similar number of staff felt budget cuts are negatively impacting their cyber-security goals.

The "decision makers and implementers" in the study said shifting operations to the cloud will improve security capabilities and reduce threats, especially since the physical infrastructure is getting old and needs to be replaced. The cloud would deliver "trust and visibility" while reducing costs and increasing resilience, according to the report's authors.

Nearly 40 percent are planning to shift to a "Cloud First" policy, while 25 percent of the respondents are discussing the shift. About 16 percent have completed the shift, and another 16 percent are planning to shift to "Cloud First," according to the report.

Cloud First was first announced by former United States CIO Vivek Kundra in 2010. The initiative specified that all agencies must move at least one system to a hosted environment in 2011.

The online survey collected information from 200 government IT, cyber-security and network professionals representing federal, civilian and independent agencies, the Department of Defense and all branches of the military, intelligence agencies, government contractors, the judiciary and Congress.