Skip to main content
close search
site logo
Dive Brief

Poor access control dooms federal cybersecurity, watchdog finds

Published Oct. 3, 2017
Samantha Schwartz's headshot
Samantha Schwartz Reporter

Dive Brief:

  • All 24 agencies of the CFO Act showed continued weakness in access control and security management, according to the Government Accountability Office's (GAO) September report on federal information security. Between $3 million and $1.3 billion were spent on IT security practices, which ranged between 1% and 22% of organizations' overall IT budget.
  • Information security incidents increased from 5,503 in 2006 to 77,183 in 2015. However, reported incidents dropped by 60% to 30,899 in 2016. Reporting guidelines changed in 2016, which removed reporting on non-cyber incidents or attempted accesses.
  • Lost or stolen devices accounted for 18% of threat factors, followed by web-based application attacks at 16%, improper organization authorization at 13% and email and phishing schemes at 11%.

Dive Insight:

The federal government is constantly criticized for its outdated technical infrastructure. Many agencies are facing turmoil in technical leadership, which can lead to inefficiencies in modernization, cybersecurity and overall IT strategy. U.S. government currently ranks 16th out of 18 industries for overall cybersecurity.

GAO reports are typically unforgiving of federal IT practices and federal agencies accountable for their failings. After the July 2015 data breach at the Office of Personnel Management (OPM), the agency was issued 19 security tasks by the GAO. In August, the GAO granted OPM completion of only 11 of the 19 requirements.

OPM's data breach remains a lesson in cybersecurity, but other agencies have become high profile examples too. The U.S. Securities and Exchange Commission (SEC) is currently in the midst of its own security review following a breach, which was the result of a software vulnerability.

Still, about 90% of cyber risks are a result of human error, and the GAO's information security report highlights the matter. Access controls, which include boundary protection, authorization, identity authentication, auditing and monitoring and physical security, were weak in all 24 agencies. Security management, particularly in the establishment of a security management program, was also wide-ranging.

Organizations, including federal agencies, are accountable for employee actions, and a lack of proper identification protocols or companywide security training can result in expensive and humiliating breaches. 

Recommended Reading

Filed Under: Security

Editors' picks

Company Announcements

View all | Post a press release
Newgen Recognized in Gartner® Magic Quadrant™ for Enterprise Low-code Application Platforms Fi…
From Newgen Software
October 30, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
NeuBird Named a Cool Vendor in the 2024 Gartner® Cool Vendors™ in IT Operations Leveraging Gen…
From NeuBird
November 11, 2024
Newgen and Fadata Join Forces to Optimize Insurance Content Management
From Newgen Software
November 13, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell