The Associated Press (AP) reports that federal agencies’ efforts to protect sensitive government information are failing to keep up with the actions of international cyber criminals, and that national cybersecurity is “unwittingly being undermined by federal employees and contractors”.
Despite the government spending more than $100 billion over the last 40 years to secure its data, hackers have always found a way in. Two recent examples: earlier this month the US State Department shut its unclassified network because of a suspected cyber attack, and in October the White House’s unclassified network was also revealed to have been hacked. Neither incident was officially reported.
The federal government is under no obligation to publicize data losses – usually explaining any incident with the phrase “unscheduled maintenance” – so the AP “filed dozens of Freedom of Information Act requests, interviewed hackers, cybersecurity experts and government officials and obtained documents describing digital cracks in the system” to determine the extent of the problem. Its findings are telling.
Employees to blame
Of the 228,700 incidents last year involving federal agencies, contractors, and companies that run critical infrastructure, employees were to blame for at least half. According to AP’s analysis, government workers frequently “clicked links in bogus phishing emails, opened malware-laden websites and [were] tricked by scammers into sharing information.”
An annual White House review of federal breaches found that:
- 21% were caused by government workers violating policies.
- 16% were the consequence of lost or stolen devices.
- 12% were caused by the improper handling of printed sensitive information.
- 8% occurred because of the installation – whether deliberate or unwitting – of malicious software by government workers.
- 6% were caused by phishing attacks.
Adequate staff training is not just an issue for federal agencies
While the technological response to hacking is increasingly sophisticated, cyber criminals find that humans are often the weakest link in the information security chain. All organizations therefore need to be aware that a robust information security posture should encompass the entire enterprise, and that people and processes should be addressed as well as technology.
ISO 27001 is the international information security management standard that sets out the requirements of an information security management system (ISMS), and against which enterprises can achieve certification to demonstrate their compliance with international best practices.
The Standard is growing in popularity and reputation: certifications to ISO 27001 increased 29% from 2012 to 2013 in the US according to the latest ISO survey, and numbers are only expected to grow.
IT Governance’s fantastic Thanksgiving deals provide great savings for North American customers on essential ISO 27000 books, tools, training, and standards, including 30% off ISO27001 training courses.