solarwinds federal cybersecurity survey 2015
TRANSCRIPT
© 2015 Market Connections, Inc.
SolarWinds® Federal Cybersecurity Survey Summary Report
2015
© 2015 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
SOLARWINDS FEDERAL CYBERSECURITY SURVEY SUMMARY REPORT | MARKET CONNECTIONS, INC. | 703.378.2025© 2015 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
Background and Objectives
SolarWinds contracted Market Connections to design and conduct an online survey among 200 federal government IT decision makers and influencers in December 2014. SolarWinds was not revealed as the sponsor of the survey.
The main objectives of the survey were to:
• Determine challenges faced by IT professionals to prevent insider and external IT security threats
• Gauge confidence levels of combating insider and external IT security threats
• Measure change in concern and investment of resources in addressing threats
• Determine the most important IT security tools used to mitigate risk associated with insider and external threats
• Quantify common causes of IT security breaches caused by the careless employee
Throughout the report, notable significant differences are reported.
Due to rounding, graphs may not add up to 100%.
Organizations Represented
RESPONDENT CLASSIFICATIONS
• If a respondent did not work for any of the specific organization types noted below, the survey was terminated.
Which of the following best describes your current employer?
Federal Legislature: 2%
Intelligence Agency: 3%
Federal Judicial Branch: 3%
Department of Defense or Military Service: 39%
Federal, Civilian or Independent Government Agency: 54%
What agency do you work for?
Sample Organizations Represented (In Alphabetical Order)
• Air Force
• Army
• Department of Agriculture (USDA)
• Department of Commerce (DOC)
• Department of Defense (DOD)
• Department of Energy (DOE)
• Department of Health and Human Services (HHS)
• Department of Homeland Security (DHS)
• Department of Labor (DOL)
• Department of Justice (DOJ)
• Department of State (DOS)
• Department of the Interior (DOI)
• Department of Transportation (DOT)
• Department of Treasury (TREAS)
• Department of Veteran Affairs (VA)
• Environmental Protection Agency (EPA)
• Judicial/Courts
• Marine Corps
• National Aeronautics and Space Administration (NASA)
• Navy
• Social Security Administration (SSA)
• US Postal Service (USPS)
N=200
Decision Making Involvement
RESPONDENT CLASSIFICATIONS
• All respondents are knowledgeable or involved in decisions and recommendations regarding IT operations and management and IT security solutions and services.
How are you involved in your organization’s decisions or recommendations regarding IT operations and management and IT security solutions and services? (select all that apply)
Other involvement in IT security and/or IT operations and management solutions: 8%
Make the final decision regarding IT security and/or IT operations and management solutions or contractors: 17%
Manage or implement security and/or IT operations and management solutions: 40%
Develop technical requirements for IT security and/or IT operations and management solutions: 41%
Evaluate or recommend firms offering IT security and/or IT operations and management solutions: 43%
On a team that makes decisions regarding IT security and/or IT operations and management solutions: 50%
Note: Multiple responses allowed
N=200
Job Function and Tenure
RESPONDENT CLASSIFICATIONS
• A variety of job functions and tenures is represented in the sample, with most being IT management and working at their agency for over 20 years.
Which of the following best describes your current job title/function?
Job Function
Other: 12%
CSO/CISO: 1%
Security/IA director or manager: 7%
CIO/CTO: 7%
Security/IA staff: 10%
IT/IS staff: 32%
IT director/manager: 33%
Examples Include:
• Program Manager
• Engineer
• Director Operations
How long have you been working at your current agency?
Tenure
1-2 Years: 4%
3-4 Years: 13%
5-9 Years: 22%
10-14 Years: 13%
15-20 Years: 14%
20+ Years: 36%
N=200
IT Security Obstacles
IT SECURITY OBSTACLES, THREATS AND BREACHES
• Budget constraints top the list of significant obstacles to maintaining or improving agency IT security. This has decreased from 40% in the SolarWinds CyberSecurity Survey conducted Q1 2014.
What is the most significant high-level obstacle to maintaining or improving IT security at your agency?
Other: 4%
Lack of clear standards: 4%
Lack of manpower: 6%
Lack of technical solutions available at my agency: 6%
Inadequate collaboration with other internal teams or departments: 7%
Lack of training for personnel: 8%
Lack of top-level direction and leadership: 9%
Competing priorities and other initiatives: 13%
Complexity of internal environment: 17%
Budget constraints: 29%
January 2014: Budget constraints 40%
= statistically significant difference
N=200
Sources of Security Threats
IT SECURITY OBSTACLES, THREATS AND BREACHES
• Careless/untrained insiders are noted as the largest source of security threat at federal agencies. This has increased from 42% in the SolarWinds CyberSecurity Survey conducted in Q1 2014.
What are the greatest sources of IT security threats to your agency? (select all that apply)
None of the above plague my agency: 1%
Unsure if these threats plague my agency: 3%
Other: 3%
Industrial spies: 10%
For-profit crime: 14%
Terrorists: 18%
Malicious insiders: 23%
Hacktivists: 30%
Foreign governments: 38%
General hacking community: 46%
Careless/untrained insiders: 53%
January 2014: Careless/untrained insiders 42%
Source | Defense | Civilian
General hacking community | 33% | 55%
For-profit crime | 8% | 18%
= statistically significant difference
Note: Multiple responses allowed
N=200
At-Risk Data Location
IT SECURITY OBSTACLES, THREATS AND BREACHES
• About half of respondents indicate data on employee or contractor personal computers and removable storage media is most at risk.
Where do you think your government agency’s data is most at risk?
Other: 5%
Backup servers: 15%
File servers and storage arrays: 20%
In transit through the network: 24%
Employee or contractor owned mobile device (BYOD): 29%
Cloud servers: 29%
Government owned mobile device: 33%
Removable storage media (USB drive, CDs, etc.): 42%
Employee or contractor desktop/laptop: 47%
Note: Multiple responses allowed
N=200
Change in Concern and Resources
IT SECURITY OBSTACLES, THREATS AND BREACHES
How has your organization’s concern changed over the last two years for the following types of IT security threats?
How has your organization’s investment in resources changed over the last two years for the following types of IT security threats?
• Federal agencies’ concern has increased in the last two years for internal and external threats, but the investment in resources lags slightly.
N=200
Concern
Threat type | Significantly decreased | Somewhat decreased | Remained the same | Somewhat increased | Significantly increased
Malicious external threats | 1% | 3% | 16% | 44% | 37%
Malicious insider threats | 4% | 7% | 38% | 29% | 23%
Accidental/careless insider threats | 3% | 6% | 39% | 31% | 22%
Investment in Resources
Threat type | Significantly decreased | Somewhat decreased | Remained the same | Somewhat increased | Significantly increased
Malicious external threats | 1% | 2% | 28% | 46% | 23%
Malicious insider threats | 2% | 8% | 45% | 32% | 14%
Accidental/careless insider threats | 2% | 7% | 48% | 33% | 11%
Source of Damaging Breaches
IT SECURITY OBSTACLES, THREATS AND BREACHES
• Malicious external threats are considered more damaging than malicious internal threats, but the majority believe malicious insider threats to be equally as damaging as malicious external threats.
• Respondents indicate malicious insiders to be more damaging than careless insiders, but more than one-third believe accidental insiders to be equally as damaging as malicious insiders.
Of the two, which source of breach would be more costly or damaging to your organization? Those perpetrated by:
Most Damaging Breach Source
Malicious external threats: 37%
Malicious internal threats: 26%
Both are the same: 38%
Most Damaging Insider Breach
Malicious insider: 43%
Accidental/careless insider: 22%
Both are the same: 35%
N=200
Organization Security Policies
ORGANIZATION IT SECURITY POLICIES
• The majority of respondents indicate having a formal IT security policy for end users that supplements current federal security policies.
• Three-quarters of the respondents indicate that policy communication is done frequently and regularly.
Does your organization have a formal IT security policy for end users that supplements current federal security policies such as DISA STIGs and NIST FISMA?
Organization Has IT Security Policy
Yes: 85%
No: 7%
Not sure: 9%
N=200
How are these IT security policies communicated to end users?
How Policies Are Communicated
Other: 4%
They are not communicated or reviewed: 4%
They are available for access via an internal system/Intranet: 48%
Whenever there is an update in policy: 55%
After initial hire: 56%
Frequently and regularly (i.e., via email reminders and tips): 76%
N=170
Note: Multiple responses allowed
Security Policy Confidence
ORGANIZATION IT SECURITY POLICIES
Please rate your confidence in your organization’s IT security policies and practices at combating the following types of security threats:
Threat type | Not at all confident | Somewhat confident | Very confident
Malicious external threats | 9% | 52% | 39%
Malicious insider threats | 14% | 55% | 31%
Accidental/careless insider threats | 14% | 56% | 31%
N=200
• Slightly more than half of respondents are somewhat confident in their security policies at combating internal and external security threats. Only about one-third are very confident.
Obstacles to Threat Prevention
PREVENTING AND MITIGATING THREATS
What would be the top obstacles or challenges when trying to prevent threats at your federal government agency?
Note: Multiple responses allowed
N=200
Obstacle | Malicious Insider Threat | Accidental/Careless Insider Threat | Malicious External Threat
Increased use of mobile technology | 44% | 56% | 47%
Inadequate monitoring of user authentication activity and failures | 41% | 39% | 32%
Inadequate automation of IT asset management | 38% | 39% | 34%
Inadequate log data analysis to indicate possible insider threats | 38% | 36% | 32%
Inadequate configuration management of IT infrastructure | 35% | 30% | 32%
Legal or ethical issues that restrict efforts to profile or identify insider/external threats | 31% | 27% | 22%
Insufficient security training for government employees or contractors | 30% | 46% | 28%
Inadequate change management approval process | 30% | 35% | 22%
Insufficient clearance process and background investigations | 30% | 22% | 15%
Lack of executive buy-in for security strategy or resource investment | 30% | 30% | 19%
None of the above | 9% | 8% | 9%
= statistically significant difference
= top obstacle
• The increased use of mobile technology is noted as the top obstacle for preventing threats, though there are multiple significant differences seen among the different types of threats.
Obstacles to Threat Prevention
PREVENTING AND MITIGATING THREATS
What would be the top obstacles or challenges when trying to prevent threats at your federal government agency?
N=200
• Respondents with tenure of 20 years or more see the lack of executive buy-in as an obstacle to preventing accidental insider threats. Civilian agency respondents see the lack of executive buy-in more of an obstacle for malicious external threats.
• Respondents with tenure of 10 years or more see an inadequate change management approval process as an obstacle to preventing malicious external threats.
• Relative to IT/Security staff, respondents at a manager or director level see inadequate automation of IT asset management more as an obstacle preventing accidental insider threats.
= statistically significant difference
Obstacle Preventing Malicious External Threats by Agency Type
Obstacle | Defense | Civilian
Lack of executive buy-in for security strategy or resource investment | 11% | 24%
Obstacle Preventing Accidental Insider Threat by Tenure
Obstacle | < 10 years | 10-20 years | > 20 years
Lack of executive buy-in for security strategy or resource investment | 24% | 23% | 42%
Obstacle Preventing Malicious External Threat by Tenure
Obstacle | < 10 years | 10-20 years | > 20 years
Inadequate change management approval process | 13% | 25% | 30%
Obstacle Preventing Accidental Insider Threat by Job Level
Obstacle | IT/Security Staff | IT/Security Manager/Director
Inadequate automation of IT asset management | 34% | 51%
Tools to Prevent Threats
PREVENTING AND MITIGATING THREATS
• IT security tools that are deemed most useful to mitigate risks differ whether the threat is internal or external.
In your opinion, what are the most important IT security tools used to mitigate the risk associated with insider/external threats?
Note: Multiple responses allowed
N=200
Top Tier | Malicious Insider Threat | Accidental/Careless Insider Threat | Malicious External Threat
Identity and access management tools | 46% | 39% | 39%
Internal threat detection/intelligence | 44% | 36% | 29%
Intrusion detection and prevention tools | 43% | 32% | 50%
Security incident and event management or log management | 42% | 31% | 37%
Advanced security/threat analytics | 40% | 23% | 37%
Web security or web content filtering gateways | 37% | 29% | 38%
File and disk encryption | 35% | 30% | 41%
IT configuration management and reporting | 34% | 28% | 26%
Patching | 34% | 27% | 34%
Next-generation firewalls (NGFW) | 34% | 28% | 42%
= statistically significant difference
= Most important tool
Tools to Prevent Threats
PREVENTING AND MITIGATING THREATS
• A greater proportion of respondents indicate web application firewalls as a useful tool to mitigate malicious external threats relative to internal threats.
• A significantly greater proportion of respondents indicate internal security training is a useful tool to prevent risk associated with careless insider threats.
In your opinion, what are the most important IT security tools used to mitigate the risk associated with insider threats?
Note: Multiple responses allowed
N=200
Lower Tier | Malicious Insider Threat | Accidental/Careless Insider Threat | Malicious External Threat
Network Admission Control (NAC) | 33% | 31% | 30%
Endpoint forensics | 31% | 27% | 25%
Advanced endpoint protection | 30% | 27% | 31%
Web Application Firewall (WAF) | 29% | 23% | 38%
Mobile device management or mobile-specific security tools | 28% | 29% | 27%
Endpoint and mobile security | 27% | 27% | 28%
Internal security training | 27% | 50% | 25%
Cloud application security management or auditing | 26% | 23% | 24%
IT asset management and reporting | 23% | 26% | 21%
= statistically significant difference
Accidental Insider Breach Causes
INSIDER BREACH CAUSES AND DETECTION DIFFICULTIES
• The most common causes of accidental insider IT security breaches are phishing attacks, followed by data copied to an insecure device and accidentally deleting, corrupting or modifying critical data.
What are the most common causes of accidental insider IT security breaches caused by the untrained or careless employee?
Other: 4%
Insecure configuration of IT assets: 24%
Incorrect disposal of hardware: 28%
Not applying security updates: 31%
Incorrect use of approved personal devices: 33%
Device loss: 36%
Poor password management: 37%
Using personal devices that are against company IT…: 37%
Accidentally deleting, corrupting or modifying critical…: 41%
Data copied to insecure device: 44%
Phishing attacks: 49%
Cause | Defense | Civilian
Device loss | 26% | 43%
Cause | IT/Security Staff | IT/Security Manager/Director
Insecure configuration of IT assets | 17% | 36%
= statistically significant difference
Note: Multiple responses allowed
N=200
Insider Threat Detection Difficulties
INSIDER BREACH CAUSES AND DETECTION DIFFICULTIES
• The volume of network activity is noted most often as what makes insider threat detection and prevention most difficult. One third also note the lack of IT staff training, the use of cloud services and pressure to change configuration quickly versus securely.
In today’s environment, what makes insider threat detection and prevention more difficult?
Other: 3%
Functionality of and access to critical systems: 19%
Inadequate change control practices: 22%
Complexity of monitoring tools: 23%
Inadequate configuration management of IT assets: 24%
Inadequate visibility into users’ network activity: 24%
Inadequate monitoring of storage devices: 26%
Growing adoption of BYOD: 27%
Cost of sophisticated tools: 27%
Use of mobile devices: 30%
Pressure to change IT configurations quickly more so than…: 34%
Growing use of cloud services: 35%
Lack of IT staff training: 35%
Volume of network activity: 40%
Difficulty | Defense | Civilian
Inadequate configuration management of IT assets | 17% | 28%
Inadequate monitoring of storage devices | 18% | 32%
Difficulty | IT/Security Staff | IT/Security Manager/Director
Volume of network activity | 29% | 44%
= statistically significant difference
Note: Multiple responses allowed
N=200
Select Comments
COMMENTS
Please feel free to share any other comments or concerns regarding your agency’s IT security challenges and success stories.
It is a huge priority to address them [security breaches] and we are doing our best within our allotted funding. (IT Analyst, VA)
Security is a challenge, and the enemy is increasingly sophisticated, keeping ahead of technology advances and ever increasingly attempting to break into our networks. (Chief Engineer, Army)
Interestingly we have positioned ourselves relatively strongly against external threats, but it is the accidental or malicious insider threat which has caused us more problems. People do what they want to do and there are so many people (particularly younger) who view security as interference and also have some skills to successfully work around security protocols. (Director of Operations, DCMA)
The employees just need to get used to "The Suck" of security. It will take time to work in an environment which is designed to protect the organization and the individual. (Defense Coordinating Officer, Army)
Our security holes begin at the top. [Senior managers] expect that they are protected and they are above any security holes - to the effect, they insist on admin rights to network resources. The administration supports this view and turn a "blind eye" to the risk. (Network Manager, Federal Agency)
Contact Information
RESEARCH TO INFORM YOUR BUSINESS DECISIONS
Laurie Morrow, Director of Research Services | Market Connections, Inc.
14555 Avion Parkway, Suite 125 | Chantilly, VA 20151 | 703.378.2025, ext. 101
Lisa M. Sherwin Wulf, Federal Marketing Leader | SolarWinds
703.234.5386
www.solarwinds.com/federal
LinkedIn: SolarWinds Government