Insiders are biggest threat to govt cyber security
Netwrix survey finds that 100% of government organisations regard their own end users as greatest security risk
Government organisations overwhelmingly regard their own employees as the biggest threat to security, according to a survey conducted by Netwrix.
The global survey of over 700 organisations, 10% of which were government, found that all government organisations believed the end user to be the biggest threat to security. Fifty-seven percent of respondents said that they had dealt with security incidents caused by human error last year, while 43% said they had incidents of misuse of IT by users. Fourteen percent reported downtime caused by human error.
Overall, only 14% of government entities felt that they were adequately protected against cyber security threats.
The Netwrix 2017 IT Risks Report found that lack of time (57%) and lack of budget (54%) were the most commonly cited reasons for lack of focus on security, followed by growing complexity of IT infrastructure (43%) and data assets (43%).
The majority of respondents also said their organisations have not implemented security governance or risk management within their IT infrastructures, and around three-quarters of respondents said there are no dedicated security personnel in their organisation, with the general IT team taking responsibility for cybersecurity.
Government IT security strategies, where they exist, focus on protecting endpoints (57%), corporate mobile devices (50%) and on-premises systems (43%), the survey found. Future security priorities for investment include systems to prevent IP theft (43%), data breaches (29%) and fraud (14%).
Netwrix, which specialises in IT audit including security analytics, said that the lack of preparation by government agencies means that they are always in reactive mode when it comes to security.
"Government entities are lagging behind in understanding what is happening beyond the traditional perimeter. The majority of respondents have zero visibility into BYOD, shadow IT and cloud systems. Visibility into user activity across the IT infrastructure is not very common: Only 38% of respondents claim to be well aware of the activity of users, IT admins and third parties with legitimate access to internal systems. This is extremely strange considering the fear of malicious insiders that all of the respondents expressed. Moreover, one would think that if government entities don't track all user activity, at least they would know what is happening with their data. Sadly, the data-centric approach is not popular either. Only four in ten organisations thoroughly monitor activity in databases, though 60% of the respondents deem it critical," the company said in the report.
Government agencies did see the benefit of deeper visibility into user activity, with 86% of respondents saying it would help them to detect and mitigate human factor risks, and investigate incidents more quickly (71%). However, public sector agencies still suffer from a lack of systems for visibility.
The poor level of security and lack of visibility are also causing government agencies to have issues with compliance audits, with 33% of government entities reporting that they had trouble passing such audits last year.
"The general conclusion we can draw is that government agencies need to start approaching IT risk from the top down: Senior management must get more deeply involve and fund cyber-security initiatives. Otherwise, their IT teams will not have the visibility required to maintain stable IT operations, comply with regulatory requirements and identify ongoing security threats, let alone proactive risk mitigation," the report said.