Despite Adequate Security Guidance From The Government,
Defense Contractors Say They Remain Vulnerable To Cyber-Attack

Published in: Technology

  1. Despite Adequate Security Guidance From The Government, Defense Contractors Say They Remain Vulnerable To Cyber-Attack

     Summary

     Most defense contractors say the government gives them adequate guidance to prevent cybercrime, and they have tightened security policies in the wake of the Edward Snowden case. Still, many contractors feel they remain vulnerable to cybercrime, and some could benefit from implementing further steps to protect themselves.

     [Chart: CONCERNED YOUR ORGANIZATION IS VULNERABLE TO APTs? 38% Yes, 62% No]

     IT managers at defense contractors by and large are satisfied with government guidance on how to protect sensitive data, even though many feel their companies remain vulnerable to advanced malware attacks. For the most part, however, this vulnerability is related to the relentless character of today’s cyber-attacks and the complexity of malware, as opposed to whether IT managers believe sufficient security budget or technologies are in place.

     A ThreatTrack Security study of 100 IT/security managers at U.S. defense contractors found that 88% believe “the government provides adequate guidance and support to contractors to ensure sensitive data is secure and protected against cyber-attacks.” The finding is significant – even surprising – in light of the ongoing Edward Snowden saga, which has resulted in the leaking of 1.7 million U.S. government secret records, raised serious questions about citizens’ privacy and eroded confidence in the government’s ability to keep secrets.

     The survey uncovered sharp differences in security attitudes and practices between defense contractors and the overall enterprise community. For instance, senior leaders within defense contractors far less frequently engage in risky behavior, such as opening phishing emails, lending work computers to family members or using company-owned PCs to visit pornographic websites harboring malware. And though their level of anxiety over vulnerability to cybercrimes isn’t too different – 62% among contractors and 68.5% in the enterprise – their reasons differ. Enterprise executives said they fear they lack adequate protection (based on a June 2013 ThreatTrack Security survey), while contractors worry more about the frequency and complexity of malware attacks.

     The survey also found contractors take more precautions against cyberattacks than their general enterprise counterparts, which is a positive discovery considering the nature of their work. And though the Snowden leaks have forced contractors to become more attuned to suspicious employee behavior, some contractor practices warrant further review. Those include re-evaluating employee access to confidential information that may be stored or accessed via their organization’s network.

     Despite 88% of defense contractors supporting government guidance on cybersecurity, many are still concerned about vulnerability to advanced threats.

     +1-855-885-5566
  2. Highest Security Levels

     The ThreatTrack Security defense contractor survey focused on a unique population of IT managers and staffers responsible for securing networks for organizations fulfilling U.S. government defense contracts. One quarter of those polled work for organizations with IT security budgets of $1 million to $10 million, and another 23% for organizations with budgets exceeding $10 million.

     63% indicated they have some level of security clearance, with 18% classifying it as “top secret” (the same as Snowden), 19% as “secret” and 26% as “confidential.” 11% did not specify, and 19% could not/refused to divulge their security clearance level. Other clearance levels cited included SCI, L clearance and Q clearance.

     44% of respondents said they have access to networks and databases that store confidential information. Of those, 27.3% have no security clearance at all, which raises a red flag. This means that like Snowden, they may have broad IT administrative privileges but without the proper security clearance. Regardless of what security clearances you have, access to privileged information ultimately may be the greatest risk for defense contractors looking to avoid another Snowden-like event. Further review of IT access privileges, therefore, may be in order.

     Relentless Fire

     Despite the high level of confidence regarding the government’s security guidance, almost two-thirds (62%) of IT managers polled worry that their companies are vulnerable to targeted malware attacks, Advanced Persistent Threats (APTs) and other sophisticated cybercrime and cyber-espionage tactics.

     The level of anxiety seems higher among those with access/store confidential information privileges. Of those respondents, 63.6% are concerned about their ability to fend off advanced threats, presumably because they have a higher level of accountability for the information they are defending. Conversely, of those who claimed they are not concerned about advanced malware, a third (34.6%) said their network stores or accesses confidential data.

     Vulnerability fears are highest at contractors with large IT security budgets. Of the respondents with budgets of more than $10 million, 60.9% said they feel vulnerable. In companies with a budget of $5 million to $10 million, 66.7% said so, as did 76.9% at contractors with budgets of $1 million to $5 million. This implies that spending alone doesn’t equate to cybersecurity confidence, and perhaps that organizations with stronger awareness of the threats targeting them are more acutely aware of the risks they face.

     Asked about the most difficult aspects of defending their organizations from advanced malware, 61% of respondents cited the volume of attacks and 59% pointed to malware complexity. The number of people concerned about other aspects drops dramatically, with 34% blaming the ineffectiveness of anti-malware tools and 29% saying they don’t have enough budget for the right tools. 22% said they have no access to dynamic malware analysis solutions, which considering the sensitivity of the information these contractors handle, is a notable omission. Also notable: More than a quarter of respondents (26%) said their staffs don’t have enough highly skilled IT security experts, including malware analysts.

     [Chart: SPENDING DOESN’T EQUATE TO PEACE OF MIND. Categories: $1 - $5 million; $5 - $10 million; More than $10 million. Caption: Despite big security budgets, defense contractors still express concern over their vulnerability to APTs.]
  3. Another 24% of all respondents, however, answered they don’t think “there are any difficult aspects” in defending their organizations against advanced malware. Meanwhile, nearly a third of respondents within organizations that store or access sensitive information felt there were no difficulties in defending their organization from advanced malware, raising concerns about overconfidence among those responsible for securing data that is a potential target for cyber-espionage.

     [Chart: VOLUME, COMPLEXITY OF MALWARE ATTACKS ARE MOST DIFFICULT. Categories: Volume of malware attacks; Complexity of malware; Ineffectiveness of anti-malware solutions; Not enough budget; Not enough skilled staff; No access to dynamic malware attacks. Caption: Respondents cite the most difficult aspects of defending their organizations from advanced malware.]

     Lessons Learned

     Based on the survey’s findings, the Snowden affair has had a profound impact on how defense contractors hire and train employees who handle sensitive information. Snowden’s leaks have caused contractors to restrict IT administrative rights and be more alert to any potential misbehavior by employees regarding data access.

     55% of respondents said employees now get more cybersecurity-awareness training, 52% said they have reviewed and/or re-evaluated employee data-access privileges, and 47% said they are on higher alert for “potential misbehavior or anomalous network activity.” In addition, 41% said they have implemented stricter hiring practices, and 39% have curtailed IT administrative rights. Respondents who said nothing has changed were in the minority, though they still amounted to nearly one quarter (23%) of participants.

     [Chart: DEFENSE CONTRACTORS TAKE ACTION AFTER SNOWDEN. Categories: More cybersecurity-awareness training for employees; Reviewed and/or re-evaluated employee data-access privileges; On higher alert for potential misbehavior; Implemented stricter hiring practices; Curtailed IT administrative rights. Caption: Only 23% of respondents say that the Edward Snowden incident has not changed anything about their company’s security practices.]
  4. The Snowden leaks have had a stronger impact on companies with smaller IT security budgets, while contractors with budgets of $1 million or more reported fewer changes. This is likely because companies with bigger budgets, and therefore more resources, may already feel they have the tools and policies they need, notwithstanding their fears about malware volume and complexity.

     Breach Disclosure

     The survey found that only 8% of respondents said their company has failed to disclose a security breach to customers, partners and government agencies with which they have contracts. This is a welcome finding, and dramatically different from the results of an October 2013 survey of enterprise malware analysts, 57% of whom said they knew of data breaches their company did not disclose. The difference in disclosure indicates defense contractors, compared to general enterprise organizations, are more attuned to security and the importance of breach disclosure, as well as the potential risk and/or penalties associated with non-disclosure.

     Of the respondents who said their companies have failed to disclose breaches, 13.6% have access/store confidential information privileges. 5% of poll participants said they don’t know whether their company has failed to disclose a security breach, while another 5% refused to – or could not – answer.

     Risky Behaviors

     In another encouraging sign, as compared to general enterprises, more than half (54%) of respondents in the defense contractor survey said they have never been asked to remove malware from an executive’s computer or mobile device following a cybersecurity incident. This compares with 56% of enterprise malware analysts who said they had.

     Still, some risky practices persist among defense contractor executives. For instance, 40% of respondents said they’ve had to remove malware after executives clicked on malicious links in a phishing email, 33% as a result of attaching an infected device such as a USB drive or smartphone to a PC, and 16% because a malicious app had been installed. In addition, 14% said they’ve had to remove malware after an executive let a family member use a company-owned device, and 13% removed malware caused by an infected pornographic website.

     [Chart: REMOVING MALWARE FROM SENIOR LEADERSHIP’S PC. Categories: Clicking on malicious links phishing emails; Attaching infected devices to PCs; Installing malicious apps. Caption: Defense contractors demonstrate far less risky behavior than their general enterprise counterparts, but opportunity still remains to improve practices.]

     These numbers are all much lower than those discovered by the survey of enterprise malware analysts. In that study, 56% said they had removed malware from clicking a malicious link or a phishing email, 47% because of an infected device attached to a PC, 45% because of a family member’s use of a computer, 40% as a result of a porn site visit, and 33% because of a malicious app.
  5. Conclusion

     It is clear the Edward Snowden affair has had a profound impact on U.S. defense contractors, especially among smaller companies, forcing them to re-evaluate policies and get more stringent with hiring and data access privileges. Nevertheless, contractors believe government guidance on security practices is adequate, though they still feel vulnerable to cybercrime.

     It’s unlikely that vulnerability can ever be eradicated, considering the frequency of attacks involving malware that grows more complex and elusive by the day. But there are some concrete steps contractors should take to mitigate security risks: implement dynamic malware analysis tools and advanced threat defenses; strengthen their ranks of highly skilled cybersecurity professionals; further review data-access privileges; and reduce risky employee behavior – including senior leadership – such as opening phishing emails, visiting high-risk websites and attaching infected devices to PCs.

     Study Methodology

     This independent, blind survey of 100 IT/security managers at U.S.-based defense contractors was conducted by Opinion Matters on behalf of ThreatTrack Security in January of 2014.

     About ThreatTrack Security Inc.

     ThreatTrack Security specializes in helping organizations identify and stop Advanced Persistent Threats (APTs), targeted attacks and other sophisticated malware that are designed to evade the traditional cyber defenses deployed by enterprises and government agencies around the world. The company develops advanced cybersecurity solutions that analyze, detect and remediate the latest malicious threats, including its ThreatAnalyzer malware behavioral analysis sandbox, VIPRE business and consumer antivirus software, and ThreatIQ real-time threat intelligence service. To learn more visit

     © 2014 ThreatTrack Security, Inc. – Windows 7/2008/Vista/2003/XP/2000/NT are trademarks of Microsoft Corporation. VIPRE is a registered trademark, and ThreatTrack Security and the ThreatTrack Security logo are trademarks of ThreatTrack Security, Inc. in Germany, USA, the United Kingdom and other countries. All product and company names herein may be trademarks of their respective owners. Features are subject to change without notice.