SolarWinds Federal Cybersecurity Survey 2015

© 2015 Market Connections, Inc.
SolarWinds®
Federal Cybersecurity Survey
Summary Report
2015
© 2015 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

SOLARWINDS FEDERAL CYBERSECURITY SURVEY SUMMARY REPORT | MARKET CONNECTIONS, INC. | 703.378.2025
Background and Objectives
2
SolarWinds contracted Market Connections to design and conduct an online survey
among 200 federal government IT decision makers and influencers in December
2014. SolarWinds was not revealed as the sponsor of the survey.
The main objectives of the survey were to:
• Determine challenges faced by IT professionals to prevent insider and external IT
security threats
• Gauge confidence levels of combating insider and external IT security threats
• Measure change in concern and investment of resources in addressing threats
• Determine the most important IT security tools used to mitigate risk associated
with insider and external threats
• Quantify common causes of IT security breaches caused by the careless employee
Throughout the report, notable significant differences are reported.
Due to rounding, graphs may not add up to 100%.
BACKGROUND AND OBJECTIVES

3
Organizations Represented
RESPONDENT CLASSIFICATIONS
• If a respondent did not work for any of the specific organization types noted below, the survey
was terminated.
Which of the following best describes your current employer?
What agency do you work for?
2%
3%
3%
39%
54%
0% 10% 20% 30% 40% 50% 60%
Federal Legislature
Intelligence Agency
Federal Judicial Branch
Department of Defense or
Military Service
Federal, Civilian or Independent
Government Agency
Organizations Represented
Sample Organizations Represented
(In Alphabetical Order)
Air Force Department of the Interior (DOI)
Army
Department of Transportation
(DOT)
Department of Agriculture (USDA) Department of Treasury (TREAS)
Department of Commerce (DOC)
Department of Veteran Affairs
(VA)
Department of Defense (DOD)
Environmental Protection Agency
(EPA)
Department of Energy (DOE) Judicial/Courts
Department of Health and Human
Services (HHS)
Marine Corps
Department of Homeland Security
(DHS)
National Aeronautics and Space
Administration (NASA)
Department of Labor (DOL) Navy
Department of Justice (DOJ)
Social Security
Administration (SSA)
Department of State (DOS) US Postal Service (USPS)
N=200

8%
17%
40%
41%
43%
50%
0% 10% 20% 30% 40% 50% 60%
Other involvement in IT security and/or IT
operations and management solutions
Make the final decision regarding IT security and/or
IT operations and management solutions or
contractors
Manage or implement security and/or IT operations
and management solutions
Develop technical requirements for IT security
and/or IT operations and management solutions
Evaluate or recommend firms offering IT security
and/or IT operations and management solutions
On a team that makes decisions regarding IT
security and/or IT operations and management
solutions
4
Decision Making Involvement
RESPONDENT CLASSIFICATIONS
How are you involved in your organization’s decisions or recommendations regarding IT operations and management and IT security solutions and services? (select all
that apply)
• All respondents are knowledgeable or involved in decisions and recommendations regarding IT
operations and management and IT security solutions and services.
Note: Multiple responses allowed
N=200

4%
13%
22%
13%
14%
36%
0% 10% 20% 30% 40%
1-2 Years
3-4 Years
5-9 Years
10-14 Years
15-20 Years
20+ Years
Tenure
12%
1%
7%
7%
10%
32%
33%
0% 5% 10% 15% 20% 25% 30% 35%
Other
CSO/CISO
Security/IA director or
manager
CIO/CTO
Security/IA staff
IT/IS staff
IT director/manager
Job Function
RESPONDENT CLASSIFICATIONS 5
Which of the following best describes your current job title/function?
How long have you been working at your current agency?
Job Function and Tenure
• A variety of job functions and tenures is represented in the sample, with most being IT
management and working at their agency for over 20 years.
Examples
Include:
• Program
Manager
• Engineer
• Director
Operations
N=200

4%
4%
6%
6%
7%
8%
9%
13%
17%
29%
0% 5% 10% 15% 20% 25% 30% 35%
Other
Lack of clear standards
Lack of manpower
Lack of technical solutions available at my agency
Inadequate collaboration with other internal
teams or departments
Lack of training for personnel
Lack of top-level direction and leadership
Competing priorities and other initiatives
Complexity of internal environment
Budget constraints
6
IT Security Obstacles
IT SECURITY OBSTACLES, THREATS AND BREACHES
• Budget constraints top the list of significant obstacles to maintaining or improving agency IT
security. This has decreased from 40% in the SolarWinds CyberSecurity Survey conducted Q1
2014.
What is the most significant high-level obstacle to maintaining or improving IT security at your agency?
N=200 = statistically significant difference
January 2014:
Budget
constraints
40%

1%
3%
3%
10%
14%
18%
23%
30%
38%
46%
53%
0% 10% 20% 30% 40% 50% 60%
None of the above plague my agency
Unsure if these threats plague my agency
Other
Industrial spies
For-profit crime
Terrorists
Malicious insiders
Hacktivists
Foreign governments
General hacking community
Careless/untrained insiders
7
Sources of Security Threats
• Careless/untrained insiders are noted as the largest source of security threat at federal
agencies. This has increased from 42% in the SolarWinds CyberSecurity Survey conducted in Q1
2014.
What are the greatest sources of IT security threats to your agency? (select all that apply)
N=200
Defense Civilian
General hacking community 33% 55%
For-profit crime 8% 18%
= statistically significant difference
January 2014:
Careless
untrained
insiders 42%

5%
15%
20%
24%
29%
29%
33%
42%
47%
0% 10% 20% 30% 40% 50%
Other
Backup servers
File servers and storage arrays
In transit through the network
Employee or contractor owned mobile device (BYOD)
Cloud servers
Government owned mobile device
Removable storage media (USB drive, CDs, etc.)
Employee or contractor desktop/laptop
8
At-Risk Data Location
• About half of respondents indicate data on employee or contractor personal computers and
removable storage media is most at risk.
Where do you think your government agency’s data is most at risk?
N=200

9
Change in Concern and Resources
How has your organization’s concern changed over the last two years for the following types of IT security threats?
How has your organization’s investment in resources changed over the last two years for the following types of IT security threats?
• Federal agencies’ concern has increased in the last two years for internal and external threats,
but the investment in resources lags slightly.
N=200
1% 4% 3% 1% 2% 2%3%
7% 6% 2%
8% 7%
16%
38% 39%
28%
45% 48%
44%
29% 31%
46%
32% 33%
37%
23% 22% 23%
14% 11%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Malicious external
threats
Malicious insider
threats
Accidental/careless
insider threats
Malicious external
threats
Malicious insider
threats
Accidental/careless
insider threats
Investment in ResourcesConcern
Significantly
increased
Somewhat
increased
Remained the
same
Somewhat
decreased
Significantly
decreased

10
Source of Damaging Breaches
• Malicious external threats are considered more damaging than malicious internal threats, but
the majority believe malicious insider threats to be equally as damaging as malicious external
threats.
• Respondents indicate malicious insiders to be more damaging than careless insiders, but more
than one-third believe accidental insiders to be equally as damaging as malicious insiders.
Of the two, which source of breach would be more costly or damaging to your organization? Those perpetrated by:
37%
26%
38%
Most Damaging Breach Source
Malicious
external threats
Malicious
internal threats
Both are the
same
43%
22%
35%
Most Damaging Insider Breach
Malicious
insider
Accidental/
careless insider
Both are the
same
N=200

11
Organization Security Policies
ORGANIZATION IT SECURITY POLICIES
• The majority of respondents indicate having a formal IT security policy for end users that
supplements current federal security policies.
• Three-quarters of the respondents indicate that policy communication is done frequently and
regularly.
Does your organization have a formal IT security policy for end users that supplements current federal security policies such as DISA STIGs and NIST FISMA?
How are these IT security policies communicated to end users?
85%
7%
9%
Organization Has IT Security Policy
Yes
No
Not sure
4%
4%
48%
55%
56%
76%
0% 20% 40% 60% 80%
Other
They are not communicated
or reviewed
They are available for access via
an internal system/Intranet
Whenever there is an update in
policy
After initial hire
Frequently and regularly (i.e.,
via email reminders and tips)
How Policies Are Communicated
N=200 N= 170

12
Security Policy Confidence
ORGANIZATION IT SECURITY POLICIES
Please rate your confidence in your organization’s IT security policies and practices at combating the following types of security threats:
9%
14%
14%
52%
55%
56%
39%
31%
31%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Malicious external threats
Malicious insider threats
Accidental/careless insider threats
Not at all confident Somewhat confident Very confident
N=200
• Slightly more than half of respondents are somewhat confident in their security polices at
combating internal and external security threats. Only about one-third are very confident.

13
Obstacles to Threat Prevention
PREVENTING AND MITIGATING THREATS
What would be the top obstacles or challenges when trying to prevent threats at your federal government agency?
N=200
Malicious
Insider Threat
Accidental/
Careless
Insider Threat
Malicious
External
Threat
Increased use of mobile technology 44% 56% 47%
Inadequate monitoring of user authentication activity and
failures
41% 39% 32%
Inadequate automation of IT asset management 38% 39% 34%
Inadequate log data analysis to indicate possible insider
threats
38% 36% 32%
Inadequate configuration management of IT infrastructure 35% 30% 32%
Legal or ethical issues that restrict efforts to profile or
identify insider/external threats
31% 27% 22%
Insufficient security training for government employees or
contractors
30% 46% 28%
Inadequate change management approval process 30% 35% 22%
Insufficient clearance process and background investigations 30% 22% 15%
Lack of executive buy-in for security strategy or resource
investment
30% 30% 19%
None of the above 9% 8% 9%
= statistically significant difference= top obstacle
• The increased use of mobile technology is noted as the top obstacle for preventing threats,
though there are multiple significant differences seen among the different types of threats.

14
Obstacles to Threat Prevention
What would be the top obstacles or challenges when trying to prevent threats at your federal government agency?
N=200
• Respondents with tenure of 20 years or more see the lack of executive buy-in as an obstacle to
preventing accidental insider threats. Civilian agency respondents see the lack of executive buy-
in more of an obstacle for malicious external threats.
• Respondents with tenure of 10 years or more see an inadequate change management approval
process as an obstacle to preventing malicious external threats.
• Relative to IT/Security staff, respondents at a manager or director level see inadequate
automation of IT asset management more as an obstacle preventing accidental insider threats.
11%
24%
0%
5%
10%
15%
20%
25%
30%
35%
Lack of executive buy-in for security strategy or
resource investment
Obstacle Preventing
Malicious External Threats by Agency
Type
Defense Civilian
Obstacle Preventing Accidental Insider Threat by Tenure
< 10 years 10-20 years > 20 years
Lack of executive buy-in
for security strategy or
resource investment
24% 23% 42%
Obstacle Preventing Malicious External Threat by Tenure
< 10 years 10-20 years > 20 years
Inadequate change
management approval process
13% 25% 30%
Obstacle Preventing Accidental Insider Threat by Job Level
IT/Security Staff
IT/Security Manager/
Director
Inadequate automation of
IT asset management
34% 51%

15
Tools to Prevent Threats
• IT security tools that are deemed most useful to mitigate risks differ whether the threat is
internal or external.
In your opinion, what are the most important IT security tools used to mitigate the risk associated with insider/external threats?
N=200
Top Tier Malicious
Insider Threat
Accidental/
Careless
Insider Threat
Malicious
External
Threat
Identity and access management tools 46% 39% 39%
Internal threat detection/intelligence 44% 36% 29%
Intrusion detection and prevention tools 43% 32% 50%
Security incident and event management or log management 42% 31% 37%
Advanced security/threat analytics 40% 23% 37%
Web security or web content filtering gateways 37% 29% 38%
File and disk encryption 35% 30% 41%
IT configuration management and reporting 34% 28% 26%
Patching 34% 27% 34%
Next-generation firewalls (NGFW) 34% 28% 42%
= statistically significant difference= Most important tool

16
Tools to Prevent Threats
• A greater proportion of respondents indicate web application firewalls as a useful tool to
mitigate malicious external threats relative to internal threats.
• A significantly greater proportion of respondents indicate internal security training is a useful
tool to prevent risk associated with careless insider threats.
In your opinion, what are the most important IT security tools used to mitigate the risk associated with insider threats?
N=200
Lower Tier Malicious
Insider Threat
Accidental/
Careless
Insider Threat
Malicious
External
Threat
Network Admission Control (NAC) 33% 31% 30%
Endpoint forensics 31% 27% 25%
Advanced endpoint protection 30% 27% 31%
Web Application Firewall (WAF) 29% 23% 38%
Mobile device management or mobile-specific security tools 28% 29% 27%
Endpoint and mobile security 27% 27% 28%
Internal security training 27% 50% 25%
Cloud application security management or auditing 26% 23% 24%
IT asset management and reporting 23% 26% 21%

4%
24%
28%
31%
33%
36%
37%
37%
41%
44%
49%
0% 10% 20% 30% 40% 50% 60%
Other
Insecure configuration of IT assets
Incorrect disposal of hardware
Not applying security updates
Incorrect use of approved personal devices
Device loss
Poor password management
Using personal devices that are against company IT…
Accidentally deleting, corrupting or modifying critical…
Data copied to insecure device
Phishing attacks
17
Accidental Insider Breach Causes
INSIDER BREACH CAUSES AND DETECTION DIFFICULTIES
• The most common causes of accidental insider IT security breaches are phishing attacks,
followed by data copied to an insecure device and accidentally deleting, corrupting or
modifying critical data.
What are the most common causes of accidental insider IT security breaches caused by the untrained or careless employee?
N=200
Defense Civilian
Device loss 26% 43%
IT/ Security
Staff
IT/Security
Manager/
Director
Insecure
configuration
of IT assets
17% 36%

18
Insider Threat Detection Difficulties
INSIDER BREACH CAUSES AND DETECTION DIFFICULTIES
• The volume of network activity is noted most often as what makes insider threat detection and
prevention most difficult. One third also note the lack of IT staff training, the use of cloud
services and pressure to change configuration quickly versus securely.
In today’s environment, what makes insider threat detection and prevention more difficult?
3%
19%
22%
23%
24%
24%
26%
27%
27%
30%
34%
35%
35%
40%
0% 10% 20% 30% 40% 50%
Other
Functionality of and access to critical systems
Inadequate change control practices
Complexity of monitoring tools
Inadequate configuration management of IT assets
Inadequate visibility into users’ network activity
Inadequate monitoring of storage devices
Growing adoption of BYOD
Cost of sophisticated tools
Use of mobile devices
Pressure to change IT configurations quickly more so than…
Growing use of cloud services
Lack of IT staff training
Volume of network activity
Defense Civilian
Inadequate
configuration
management
of IT assets
17% 28%
Inadequate
monitoring of
storage
devices
18% 32%
N=200
IT/ Security
Staff
IT/Security
Manager/
Director
Volume of
network
activity
29% 44%

19
Select Comments
COMMENTS
Please feel free to share any other comments or concerns regarding your agency’s IT security challenges and success stories.
It is a huge priority to address them [security breaches] and we are doing our best within our allotted
funding. (IT Analyst, VA)
Security is a challenge, and the enemy is increasingly sophisticated, keeping ahead of technology advances
and ever increasingly attempting to break into our networks. (Chief Engineer, Army)
Interestingly we have positioned ourselves relatively strongly against external threats, but it is the accidental
or malicious insider threat which has caused us more problems. People do what they want to do and there
are so many people (particularly younger) who view security as interference and also have some skills to
successfully work around security protocols. (Director of Operations, DCMA)
The employees just need to get used to "The Suck" of security. It will take time to work in an environment
which is designed to protect the organization and the individual. (Defense Coordinating Officer, Army)
Our security holes begin at the top. [Senior managers] expect that they are protected and they are above
any security holes - to the effect, they insist on admin rights to network resources. The administration
supports this view and turn a "blind eye" to the risk. (Network Manager, Federal Agency)
“

Contact Information
RESEARCH TO INFORM YOUR BUSINESS DECISIONS
Laurie Morrow, Director of Research Services | Market Connections, Inc.
14555 Avion Parkway, Suite 125 | Chantilly, VA 20151 | 703.378.2025, ext. 101
LaurieM@marketconnectionsinc.com
Lisa M. Sherwin Wulf, Federal Marketing Leader | SolarWinds
703.234.5386
Lisa.SherwinWulf@solarwinds.com
www.solarwinds.com/federal
LinkedIn: SolarWinds Government
20

SolarWinds Federal Cybersecurity Survey 2015

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to SolarWinds Federal Cybersecurity Survey 2015

Similar to SolarWinds Federal Cybersecurity Survey 2015 (20)

More from SolarWinds

More from SolarWinds (20)

Recently uploaded

Recently uploaded (20)

SolarWinds Federal Cybersecurity Survey 2015

Editor's Notes