Insider threats persist at federal agencies, report finds

May 31, 2017
Despite paying greater attention to the issue, feds continue to be targeted at the same rate

When it comes to protecting government networks against cyber-attacks, much of the focus remains on preventing a laundry list of external bad actors from being able to access them, and rightfully so. However, one of the biggest, if not the greatest, threats facing federal agencies today is the potential of insiders – employees, contractors, etc. – either willfully or unintentionally engaging in conduct that could expose classified information.

One has to look no further than the treasure trove of information that has been published online about various National Security Agency programs over the past several years, be it the disclosures by infamous leaker Edward Snowden or, more recently, the "Vault 7" documents, to see the kinds of damage that can be wreaked by a disillusioned or disgruntled insider.

Perhaps jolted by these and other leaks, federal agencies have definitely taken note of the problem. According to a new study from MeriTalk dubbed “Inside Job: The Sequel – The 2017 Federal Insider Threat Report,” 85 percent of the 150 federal IT cybersecurity professionals surveyed said their agency is more focused on combatting insider threats today than one year ago, up from 76 percent in 2015. In addition, 86 percent of respondents reported that they have a formal insider threat prevention program in place, which is up from just 55 percent in 2015.

However, while the majority of agencies are committed to tackling the problem, they haven’t had much luck in putting a dent in it. The study, which was underwritten by cybersecurity firm Symantec, found that the rate of cyber incidents perpetrated by insiders remained stagnant, as 42 percent of agencies reported being the target of such an incident (either malicious or unintentional) in 2017 compared to 45 percent in 2015. Also, 75 percent of respondents said that insider threats are just as or more challenging to identify and mitigate today than one year ago, and nearly a quarter (23 percent) reported losing data to an insider threat incident in the past year, which is down just slightly from 29 percent in 2015.

Chris Townsend, vice president, federal, Symantec, says they were surprised that the increased focus by these agencies on clamping down on insider threats hasn’t correlated with a larger decrease in actual incidents; however, he believes there are several factors that may be contributing to the problem.

“I think the challenge is while focus has increased, so has the complexity of the insider environment. More and more of our customers are adopting cloud technologies which scatter their data,” Townsend explains. “Right now, their data isn’t locked up in a data center, it’s out in the cloud sitting in the Microsoft Office 365 environment or in Amazon or Azure or a non-governmental mobile device. Now that the data is spread around it is more susceptible. Furthermore, we’re seeing this whole problem around shadow IT where insiders don’t necessarily have malicious intent but they are using cloud applications to post their internal sensitive data and exposing it outside the government network.”

Federal IT managers admit that the introduction of cloud technologies has made it harder to mitigate insider threats. According to the study, 53 percent of those surveyed reported that cloud adoption has increased the complexity/number of systems they have to manage and 48 percent say the cloud has made it difficult for them to monitor all endpoints. Another 41 percent said that the adoption of cloud technology has resulted in a lack of preventative measures and also made it increasingly difficult to implement and enforce identity and access management policies.

Because the majority of insider incidents are not the result of malicious actors looking to take advantage of an agency but rather employees who want to increase their productivity by using unapproved applications, Townsend says that educating the workforce about the threats these behaviors pose can go a long way toward preventing data loss and keeping a network from being opened up to prying eyes. Beyond that, implementing strong security controls and other measures is also recommended.

“Once you get everybody trained and you encourage a culture of cybersecurity, that’s the next step to implement strong security controls,” Townsend says. “Certainly, data loss prevention is a technology that our customers need to deploy. If you look across the federal government, whether it is the intelligence community, Department of Defense or civilian agencies, really none of those areas have adopted and standardized on a data loss prevention platform.”

Indeed, according to the study, only 31 percent of those surveyed said their agency had implemented data loss prevention solutions to ensure that cloud adoption did not jeopardize insider threat protection. When asked how their agencies could minimize data loss moving forward when faced with an insider threat, 60 percent of federal IT managers said they could limit access points, 50 percent recommended adopting multi-factor authentication, and 49 percent said they should adopt/expand real-time activity monitoring. Another 45 percent of those surveyed said they could also accomplish this by classifying data and implementing data loss prevention capability.

Additionally, 83 percent of those surveyed said they believe it is likely the new presidential administration will implement/enforce policies that help agencies combat insider threats. Townsend says that President Donald Trump’s recent cybersecurity executive order, which requires federal agencies to follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework, should also help agencies address the issue better moving forward.


About the Author

Joel Griffin | Editor-in-Chief, SecurityInfoWatch.com

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.