How Edward Snowden’s actions impacted defense contractors
A new ThreatTrack Security study sheds light on the attitudes of a very exclusive group of IT and security managers – those employed by U.S. defense contractors – at a time when national cybersecurity is under scrutiny.
75% of the respondents indicated that the Edward Snowden incident has changed their companies’ cybersecurity practices in one of the following ways:
- 55% say their employees now receive more cybersecurity awareness training
- 52% have reviewed or re-evaluated employee data access privileges
- 47% are on higher alert for anomalous network activity by employees
- 41% have implemented stricter hiring practices
- 39% say their own IT administrative rights have been restricted.
63% of the survey respondents hold either secret, top secret or confidential clearances. However, of those who have access to or store confidential information, 27% do not hold such clearances. This represents a potential privileged access problem wherein contractor employees without such clearances may have easy access to sensitive government data.
In addition to revealing how their security practices have changed in light of the Edward Snowden incident, the survey also explored subjects such as whether data breaches are being reported, what the most difficult aspects of cyber defense are, whether senior leaders at contractor organizations are being infected by malware due to risky online behavior, whether the government is providing proper guidance and support for cyber defense, and whether contractors are concerned that their organization may be vulnerable to sophisticated cyber threats.
The survey found a high level of confidence in government guidance on how to protect sensitive data. 88% of respondents felt that they get what they need in terms of support on that front. However, 62% still reported that they are concerned their organization is vulnerable to APTs, targeted malware attacks and sophisticated cybercrime and cyber-espionage tactics.
The two most difficult aspects of defending against advanced malware were reported to be the volume of malware attacks (61% said this was the case) and the complexity of that malware (59%). An additional 29% said there is not enough budget for the right tools, and 22% indicated they just don’t have access to an automated malware analysis solution that can detect and remediate the most sophisticated threats in real-time.
“It’s interesting to note that while defense contractors seem to have better security practices in place and are more transparent than many companies in the private sector, they are finding the current cyber threat onslaught just as difficult to deal with,” said ThreatTrack Security President and CEO Julian Waits, Sr. “Well over half are concerned that they are vulnerable to targeted attacks and cyber-espionage, and given the type of data they are handling and storing, we think that number needs to get a lot smaller – and fast.”
26% of respondents reported that there is a shortage of highly-skilled security personnel (malware analysts) on staff. Past studies have shown that this shortage is compounded by the fact that IT security staff is routinely multi-tasking between new malware sample analysis – which typically takes more than 2 hours per sample – and cleaning malware off executives’ devices.
Although executives at defense contractors appear much more responsible than their private sector counterparts, defense contractor IT managers revealed that a device used by a member of their senior leadership team had become infected with malware, at the following rates, due to an executive:
- Visiting a pornographic website (13%) – compared to 40% in other enterprises
- Clicking on a malicious link in a phishing email (40%) – compared to 56% in other enterprises
- Allowing a family member to use a company-owned device (14%) – compared to 45% in other enterprises.
The study also revealed much more transparency about data breaches in defense contractor organizations than in the general enterprise community. Only 8% said they were aware of a data breach at their company that had not been reported to customers, partners or government agencies with which they contract. This compared to 57% of malware analysts in enterprise environments who said they were aware of breaches that were unreported.
The independent blind survey of 100 IT/security managers or staff within defense contractor organizations that handle data for the US government was conducted by Opinion Matters on behalf of ThreatTrack Security from November 2013 to January 2014.