By Andy Lausch, Vice President of Federal Sales for CDW Government, Inc.
Late last month, a security breach in the House Ethics Committee -- in which a junior staff member inadvertently shared confidential information -- once again highlighted a critical issue for federal civilian and Department of Defense agencies alike: even the most robust security policies and technologies are often no match against employees who are unaware that their actions violate security policies or subvert protective technologies.
In recent Senate hearing testimony, former House Rep. Tom Davis, architect of the Federal Information Security Management Act, made the point, "Most of the security breaches that have grabbed headlines in recent years aren't the result of some evil cyber genius, but federal employees failing to adhere to basic security protocols. A lost laptop, a stolen BlackBerry, computers never returned when an employee leaves an agency -- these can result in the personal information of untold thousands being put at risk."
To better understand the cybersecurity threats facing federal civilian and Defense agencies each day, where those threats come from, and how they can be defeated, CDW Government, Inc. (CDW-G) surveyed 300 federal IT professionals on the front lines of cybersecurity. The resulting CDW-G Federal Cybersecurity Report reveals that more than half of federal IT professionals experience a cybersecurity incident at least weekly. Most report that the number and severity of those incidents have stayed the same or increased year over year, despite agency efforts to keep networks secure. The majority of agencies say their biggest threats come from external sources, but employee non-compliance with security procedures, inappropriate Web surfing and carelessness with devices open the gate to external cybersecurity threats.
Agencies are making use of currently available industry-standard technologies to protect agency networks. CDW-G found that 81 percent of agencies have an internet firewall and 71 percent have intrusion protection/detection. Although there is still room for improvement, the use of such solutions raises the question: if the technology is available and effective, why are agencies still experiencing consistent or increasing cybersecurity incidents?
One explanation: cybersecurity is not just a technology issue -- it is a management and cultural challenge for federal agencies. Federal IT security professionals need the participation of the federal employees, managers and senior staff that they support. To change behaviors and reinforce new habits, federal IT security professionals are calling for increased end-user education, both to reduce internal cybersecurity incidents and to close the door to external threats. In fact, the majority of federal civilian and defense agency respondents to CDW-G's survey said their priority for improving agency cybersecurity is more end-user education.
Federal agencies are on the right track. CDW-G found that 82 percent of agencies provide ongoing training classes on security policies and procedures. However, despite agency training commitments, many agencies still experience avoidable internal risks. More than 70 percent of agencies have experienced inappropriate Web surfing/downloads in the last 12 months, and more than 40 percent have seen the unauthorized transfer of sensitive information.
A February report issued by the US Senate's Homeland Security and Governmental Affairs Committee identified an interesting challenge, which may explain why the training programs federal agencies already have in place haven't been enough. Many times, well-intentioned end users misunderstand security policies, or even choose to ignore policies they deem inconvenient. Further, employees may feel that certain security procedures inhibit productivity. Some employees, the report said, bring work home on personal portable devices that may not meet agency security standards. While the desire to do more for the agency is laudable, behaviors that introduce cybersecurity threats are not. The report recommended that security training become a routine process that also makes clear why certain security procedures are in place.
End-user training should evolve in response to evolving cybersecurity threats. As a first step, CDW-G recommends that agencies reassess their training methods. This includes establishing programs and metrics to measure training success, communicating security policies that include guidelines for acceptable use and policy acknowledgement, and establishing consequences for non-compliance with agency cybersecurity policies.
During the last several years, federal agencies have proven they can do more with less in challenging budget environments. Unfortunately, they are simply outpaced by organized crime, increasingly sophisticated hackers, and state-sponsored professionals. They also appear to be outpaced by well-intentioned end users who, knowingly or not, are opening the door to further cyber attacks. It is time for computer users to step up and take an active role in cybersecurity efforts. Much like Americans have made recycling an everyday task, it is time for users to form a new habit -- making smart, network-protecting activity a part of their daily routines.
Andy Lausch, vice president of CDW Government's federal government business unit, oversees the long- and short-term performance, strategy, initiatives, and talent development of CDW-G's Federal team.
