You would think government agencies would have a keen focus on cybersecurity risks, but apparently not! A report by the United States Office of Management and Budget (OMB) has found that nearly three-quarters of Federal agencies reviewed have either “at risk” or “high risk” cybersecurity arrangements. 71 of the 96 agencies assessed were missing, had insufficiently deployed, or had significant gaps in their fundamental cybersecurity policies, processes or tools.

Other damning observations made by the report included:

  • 73% did not have the ability to detect and investigate attempts to access large volumes of data on their systems. This basically means that agencies cannot detect when large amounts of information leave their networks, which is a big worry considering the prevalence of major data breaches!
  • Federal agencies could not identify the attack method used in 11,802 of the 30,899 cyber incidents that led to the compromise of information or system functionality in 2016
  • only 59% reported having processes in place to communicate cyber risks across their enterprises
  • only 16% were encrypting their information at rest
  • only half of the organisations were able to identify what software was authorised to operate on their systems

Unsurprisingly, the OMB described these current circumstances as “untenable”.

The two most significant areas of risk identified in the agency assessments were an overabundance of legacy IT systems (which suffer heightened vulnerability to cyberattack) and shortages of experienced and capable cybersecurity personnel. These two factors arise time and again in the event of data breaches. The lack of proper management of cybersecurity risks amongst companies in the Asia Pacific was also highlighted in our blog this month.

It is worrying that government agencies could be left so exposed, given the sort of information they are privy to on a daily basis!