- All 24 agencies of the CFO Act showed continued weakness in access control and security management, according to the Government Accountability Office's (GAO) September report on federal information security. Between $3 million and $1.3 billion were spent on IT security practices, which ranged between 1% and 22% of organizations' overall IT budget.
- Information security incidents increased from 5,503 in 2006 to 77,183 in 2015. However, reported incidents dropped by 60% to 30,899 in 2016. Reporting guidelines changed in 2016, which removed reporting on non-cyber incidents or attempted accesses.
- Lost or stolen devices accounted for 18% of threat factors, followed by web-based application attacks at 16%, improper organization authorization at 13% and email and phishing schemes at 11%.
The federal government is constantly criticized for its outdated technical infrastructure. Many agencies are facing turmoil in technical leadership, which can lead to inefficiencies in modernization, cybersecurity and overall IT strategy. U.S. government currently ranks 16th out of 18 industries for overall cybersecurity.
GAO reports are typically unforgiving of federal IT practices and federal agencies accountable for their failings. After the July 2015 data breach at the Office of Personnel Management (OPM), the agency was issued 19 security tasks by the GAO. In August, the GAO granted OPM completion of only 11 of the 19 requirements.
OPM's data breach remains a lesson in cybersecurity, but other agencies have become high profile examples too. The U.S. Securities and Exchange Commission (SEC) is currently in the midst of its own security review following a breach, which was the result of a software vulnerability.
Still, about 90% of cyber risks are a result of human error, and the GAO's information security report highlights the matter. Access controls, which include boundary protection, authorization, identity authentication, auditing and monitoring and physical security, were weak in all 24 agencies. Security management, particularly in the establishment of a security management program, was also wide-ranging.
Organizations, including federal agencies, are accountable for employee actions, and a lack of proper identification protocols or companywide security training can result in expensive and humiliating breaches.