On July 8, 2015, the Government Accountability Office (“GAO”) issued a report finding that agencies across the federal government continue to have shortcomings in preventing, detecting, and responding to cyber threats.  The number of reported cyber incidents involving personally identifiable information (“PII”) at federal agencies more than doubled from 2009 to 2014.  The GAO examined 24 agencies and made recommendations to protect federal information and systems in certain key areas.

The GAO determined that agencies are deficient in implementing risk-based cybersecurity programs.  In 2014, 19 out of the 24 agencies reported a material weakness or significant deficiency related to information security controls, and inspectors general at almost all of the agencies listed information security as a major management challenge.  The GAO found a number of controls weaknesses, including the lack of encryption to protect sensitive data, users with access permissions beyond their job-related duties, the lack of software updates to protect against known vulnerabilities, and the ability of unauthorized users to access systems.  The GAO recommended the implementation of stronger security controls in certain areas, including controls to prevent and detect unauthorized access to computer systems and controls to segregate duties to prevent a single individual from controlling all key aspects of a computer system.

The report found that federal agencies do not have consistent policies and procedures in place to respond to data breaches involving PII.  Furthermore, not all agencies have responded effectively to cyber incidents.  The GAO noted that cyber incidents have affected agencies across the federal government, including the Internal Revenue Service, Office of Personnel Management, and the U.S. Postal Service.  Part of the difficulty is that federal agencies face a wide array of cyber threats ranging from unintentional mishaps to intentional targeting from criminals, hackers, or foreign nations, and agencies must develop policies and procedures to confront all of these challenges.

The GAO recommended the development of more comprehensive incident response plans and practices to limit the risks from PII-related data breaches.  The GAO also recommended improvements to and better implementation of the EINSTEIN program—designed to detect and protect federal systems from known cyber vulnerabilities—which has not been deployed as widely as intended among federal agencies.

The private sector faces many of the same cyber challenges from the same criminals, hackers, and foreign nations as the federal government.  Companies should review their own policies and consider adopting some of the GAO’s proposals where appropriate for their businesses.  In particular, companies should consider encryption, software upgrades, stronger user authentication, and the division of roles so that a single individual does not control all aspects of a computer system.

Please click here for a copy of the GAO Report, Information Security: Cyber Threats and Data Breaches Illustrate Need for Stronger Controls across Federal Agencies.