[pullquote]“Pointing to hackers, terrorists or foreign governments as the top threats to our government’s security seems obvious. . . . But who could imagine that their own colleagues could accidentally cause security breaches with comparable impact to those executed with malicious intent?”
—Chris LaPoint, Group Vice President of Product Management, SolarWinds[/pullquote]
In December 2014, SolarWinds, in conjunction with Market Connections, conducted its second annual blind survey of 200 IT and IT security decision makers in the federal government, military and intelligence communities. The aim was to uncover their most critical IT security challenges and to determine how to make potential federal cybersecurity threats visible so IT can confront them.
Respondents exposed a need for internal cybersecurity threat prevention, identifying careless and untrained insiders as their greatest source of federal cybersecurity threats, ahead of malicious external sources such as hackers and terrorists. At the same time, they reported a disconnect: malicious external threat sources still took priority for threat-prevention investment. Key findings include:
Insider threats now most prevalent and damaging to government agencies
- More than half (53%) of federal IT Pros identified careless and untrained insiders as the greatest source of federal cybersecurity threats at their agencies, up from 42 percent in last year's survey.
- Nearly two-thirds (64%) believe malicious insider threats to be as damaging as or more damaging than malicious external threats, such as terrorist attacks or hacks by foreign governments. Further, 57 percent believe breaches caused by accidental or careless insiders to be as damaging as or more damaging than those caused by malicious insiders.
- Nearly half of respondents said government data is most at risk of breach from employees’ or contractors’ desktops or laptops. Top causes of accidental insider breaches include phishing attacks (49%), data copied to insecure devices (44%), accidental deletion or modification of critical data (41%) and use of prohibited personal devices (37%).
[pullquote]“Interestingly we have positioned ourselves relatively strongly against external threats, but it is the accidental or malicious insider threat which has caused us more problems. People do what they want to do and there are so many people (particularly younger) who view security as interference and also have some skills to successfully work around security protocols.”
—Director of Operations, DCMA[/pullquote]
Investment in insider threat prevention falls short
- While 29 percent of federal IT Pros said budget constraints are the single most significant obstacle to maintaining or improving IT security, this figure is down from 40 percent last year. Yet investment is still not increasing for insider threat prevention.
- Although most agencies increased investment over the past two years to address malicious external threats (69%), less than half did so for malicious insider threats (46%) or accidental insider threats (44%). In fact, some said investment decreased for insider threats (9%).
- Insider threat detection difficulties also include a high volume of network activity (40%), lack of IT staff training (35%), growing use of cloud services (35%), pressure to change IT configurations quickly rather than securely (34%), use of mobile devices (30%), cost of sophisticated tools (27%), and growing adoption of BYOD (27%).
- Although 85 percent of federal IT Pros said they have formal IT security policies, 46 percent noted insufficient security training for employees as an obstacle to threat prevention.
Fortunately, there are ways to identify and thwart malicious insider activity. Key steps agencies can take include monitoring connections and devices on the network, and maintaining logs and data of user activity. In this way, IT Pros can assess WHERE on the network certain activity took place, WHEN it occurred, WHAT assets were on the network and WHO was logged into those assets.
- Know WHAT is (and was) on the network: tools that monitor network performance for anomalies, track devices, offer network configuration and change management, manage IT assets, and monitor IP addresses keep federal IT Pros aware of the objects and traffic on their networks.
- Utilize user device tracking software, IP address management, security information and event management (SIEM), and log and event management software to find out WHO and WHAT are responsible for certain activity on the network and accelerate the identification and termination of suspicious activity.
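As an added example (not from the survey or SolarWinds), the WHO/WHAT/WHERE/WHEN correlation described above is run over a few constructed log lines: authentication events, DHCP leases and removable-media events, flagging an unapproved USB device on a workstation, one of the accidental-insider causes the survey lists. All hosts, users, addresses and the log format are made up for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real agency data). Three sources, each line
# "<timestamp> <source> key=value ...", as a SIEM might normalise them.
AUTH_LOG = """\
2014-12-03T08:02:11Z auth host=ws-1142 user=jdoe action=logon
2014-12-03T09:15:40Z auth host=ws-0877 user=asmith action=logon
2014-12-03T11:20:05Z auth host=ws-1142 user=jdoe action=logoff
"""
DHCP_LOG = """\
2014-12-03T07:58:00Z dhcp lease ip=10.20.4.17 host=ws-1142 subnet=hq-floor3
2014-12-03T09:10:30Z dhcp lease ip=10.20.9.42 host=ws-0877 subnet=remote-vpn
"""
USB_LOG = """\
2014-12-03T10:41:22Z usb host=ws-1142 vendor=0x0781 serial=4C530001 approved=no
2014-12-03T09:30:00Z usb host=ws-0877 vendor=0x0951 serial=AA11BB22 approved=yes
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+) (?P<rest>.*)$")

def parse(log):
    """Turn each log line into a dict of its key=value fields plus ts/src."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        fields["src"] = m["src"]
        events.append(fields)
    return events

def sessions(auth_events):
    """Pair logon/logoff events per host into (user, start, end) sessions."""
    open_, done = {}, defaultdict(list)
    for e in sorted(auth_events, key=lambda e: e["ts"]):
        if e["action"] == "logon":
            open_[e["host"]] = (e["user"], e["ts"])
        elif e["action"] == "logoff" and e["host"] in open_:
            user, start = open_.pop(e["host"])
            done[e["host"]].append((user, start, e["ts"]))
    for host, (user, start) in open_.items():  # still logged in: no end yet
        done[host].append((user, start, None))
    return done

def correlate(auth_log, dhcp_log, usb_log):
    """For every unapproved removable device, answer WHO/WHAT/WHERE/WHEN."""
    sess, leases, findings = sessions(parse(auth_log)), parse(dhcp_log), []
    for e in parse(usb_log):
        if e.get("approved") == "yes":
            continue
        host, ts = e["host"], e["ts"]
        who = next((u for u, s, f in sess.get(host, []) if s <= ts and (f is None or ts <= f)), "unknown")
        lease = max((l for l in leases if l["host"] == host and l["ts"] <= ts), key=lambda l: l["ts"], default=None)
        where = f"{lease['ip']} ({lease['subnet']})" if lease else "unknown"
        findings.append({"who": who, "what": host, "where": where, "when": ts.isoformat(), "device": e["serial"]})
    return findings
```

Running `correlate(AUTH_LOG, DHCP_LOG, USB_LOG)` yields one finding that names the logged-in user, the workstation, its address and subnet at that moment, and the time of the unapproved device connection.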