According to the U.S. Federal Government Edition of the 2016 Vormetric Data Threat Report (DTR), 90 percent of federal government organizations feel vulnerable to data threats. The report features the responses of 1,100 senior IT security executives at large enterprises worldwide, including more than 100 in U.S. federal government organizations.
Other report findings include:
• 61 percent have experienced a past data breach, with nearly one in five indicating a breach in the last year.
• Skill shortages at 44 percent, and budgets at 43 percent, are identified as top barriers to adoption of better data security.
• In spite of news stories highlighting nation state hacking, the top external threat actors identified were cybercriminals at 76 percent, with nation state hackers a distant fourth at 47 percent.
• Bright spots include 58 percent increasing spending to offset threats to data, and 37 percent increasing spending on data-at-rest defenses this year.
The report also showed that:
• The top categories for increased spending over the next 12 months among U.S. government respondents were network defenses at 53 percent, followed by analysis and correlation tools at 46 percent.
• 60 percent of respondents believe network defenses are very effective at safeguarding data, more than any other vertical and well above the U.S. average of 53 percent.
• Although data-at-rest defenses are the most effective tools for protecting data once other defenses have failed, they ranked last in U.S. federal spending plans: just 37 percent plan to increase their spending on data-at-rest defenses, compared to the U.S. average of 45 percent.
Slow-moving compliance standards consistently fail to stop today’s multi-level, multi-phase attacks, the report said. As learned from data theft incidents at companies that had reportedly met compliance mandates (such as Target), being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen. Yet 57 percent of U.S. federal respondents view meeting compliance requirements as a very or extremely effective way to protect sensitive data.
A perception of complexity was identified as the number one barrier to adopting data security more widely, selected by 51 percent of federal respondents. To some extent, this may be a misconception, as modern data security solutions no longer have the deployment and maintenance problems of older solutions that respondents may be familiar with.
Complex deployments also typically require significant staffing, and "lack of staff to manage" came in as the second-highest barrier at 44 percent. In addition, budgetary constraints received the highest ranking as a data security adoption barrier in the federal government sector at 43 percent, well ahead of wealthier verticals like financial services at 26 percent.
The biggest internal threat actors identified were privileged users at 64 percent. As a result of their roles, these users typically have access to all the data associated with the systems and applications that they manage, unless encryption and access controls are used to limit their actions. Contractor accounts were a distant second at 43 percent.
Surprisingly, despite reports of attacks from Iran, North Korea and China against federal targets such as the IRS, Department of State and others, U.S. federal respondents ranked nation state hackers fourth among external threats at 47 percent, while cybercriminals held the top spot at 76 percent.
In addition, the report says cloud, big data and the Internet of Things (IoT) represent big challenges for feds.
• Cloud: Top concerns included security breaches or attacks at the service provider and increased vulnerabilities from a shared infrastructure, each with 70 percent of responses. Even so, 84 percent of U.S. federal respondents are planning on storing sensitive data in some form of public cloud environment (IaaS, PaaS or SaaS) within the next 12 months. Encrypting data and maintaining local control over keys was the number one factor that would increase federal respondents’ willingness to use public cloud, at 47 percent of responses.
• Big Data: 56 percent of respondents were planning to store sensitive data within these environments, but few were worried. Only 15 percent regard big-data implementations as presenting a top three risk for loss of sensitive information.
• IoT: Security concerns seem to reflect IoT’s early stage of adoption. Securing sensitive data generated by IoT devices was the primary concern for respondents at 35 percent, followed by the loss or theft of IoT devices at 29 percent.
A number of positive results from respondents indicate that U.S. federal agencies are taking steps in the right direction to recognize and deal with the problem.
• 58 percent are increasing spending to protect sensitive data.
• 37 percent of U.S. federal respondents plan to invest in data-at-rest defenses this year.
• 48 percent are looking to implement data security to follow industry best practices.
Many are planning to implement newer security tools that are more effective at protecting data even when other defenses have been compromised. These include cloud security gateways (40 percent), application encryption (34 percent), data masking (31 percent) and tokenization (27 percent).
“Albert Einstein’s oft-used quote is fitting—if doing the same thing over and over and expecting a different result isn’t the definition of insanity, it is certainly a recipe for placing our nation’s critical assets at risk,” said Vice President of Marketing for Vormetric Tina Stewart. “Public sector organizations need to realize that doing more of the same won’t help us achieve an improved data security posture. More attention must be paid to techniques that protect critical information even when peripheral security has failed, and data-at-rest security controls such as encryption, access control, tokenization and monitoring of data access patterns are some of the best ways to achieve this.”