In the wake of last year’s massive OPM data breaches, Federal Chief Information Officer Tony Scott launched an unprecedented 30-day cybersecurity sprint: from June to July 2015, agencies raced to bolster their systems and develop preemptive cybersecurity strategies. The resulting report showed that 14 of 24 agencies had successfully adopted multi-factor authentication – the sprint’s clearest benchmark.
However, in spite of demonstrated improvement in federal-wide security efforts, Senator Tom Carper notes continued gaps in cyber infrastructure: “We are reminded nearly every day that more needs to be done in order to stay ahead of the ever-evolving threat…. Far too many agencies need to step up when it comes to strengthening their cyber defenses.”
In order to learn more about the current state of cybersecurity strategy across organizations, Government Business Council deployed a flash poll on January 13, 2016 to a random sample of government employees on the following question:
GBC received responses from 108 federal, state, and local government employees. While a plurality of respondents say that their organization has implemented a proactive, comprehensive cybersecurity strategy, 16% indicate that their agency is still in the earlier stages of implementing a strategy, and 18% indicate that they have yet to develop any sort of long-term strategy. In addition, nearly 3 in 10 respondents are unsure of the current state of their agency’s cybersecurity strategy, indicating potential communication gaps.
The White House Office of Management and Budget (OMB) advises agencies to place particular emphasis on incident detection and response, minimizing the number of privileged users and functions, and accelerating implementation of multi-factor authentication. In addition, organizations are directed to focus on recruiting skilled cybersecurity personnel and improving risk awareness among all employees. While agencies tend to focus on enhancing technical security capabilities, it is critical that they also address the human elements of threat prevention. Providing training on threat recognition and online best practices is essential to combating insider threats, and the apparent communication gaps that currently exist within organizations suggest room for improvement with regard to workforce cyber hygiene.
Cyber breaches are becoming increasingly salient, but they need not be a crippling factor. By crafting and communicating long-term defensive strategies, organizations can more successfully navigate potential threats in their path toward serving citizens.