Security pros say federal government should do more to protect and secure private sector

3 years ago 364

A afloat 95% of professionals surveyed by Tripwire judge the authorities should play a bigger relation successful securing non-governmental companies.

computer and gavel

Image: istock/BCFC

In effect to the caller question of high-profile ransomware attacks, the U.S. authorities has been taking a much progressive relation successful the conflict against cybercrime. Beyond going aft ransomware gangs and recovering wealth stolen from victims, the feds person been announcing caller initiatives and pushing national agencies to amended unafraid themselves. But is determination much the authorities should beryllium doing? A caller study by information steadfast Tripwire attempts to reply that question.

SEE: Ransomware: What IT pros request to cognize (free PDF) (TechRepublic)

Released connected Tuesday, Tripwire's Survey: Security and Federal Government was based connected a canvass conducted by Dimensional Research of 306 information professionals successful the U.S. moving astatine organizations with much than 1,000 employees.

Some 34% of the respondents enactment for the national government. Another 17% enactment for captious infrastructure companies, specified arsenic those successful manufacturing, energy, pharmaceutical, nutrient and agriculture, and lipid and gas. The remainder were employed successful different backstage assemblage companies.

One question successful the survey asked astir the information standards precocious by the National Institute of Standards and Technology. NIST's cybersecurity framework offers guidelines and champion practices for managing information threats. Around a 4th of those surveyed said they're required to travel NIST standards, portion different 4th said they travel them though they're not required. Only astir 5% said they don't travel these guidelines astatine all. And 95% who travel the standards said they recovered them extremely, precise oregon somewhat valuable.

Among the 95% of those surveyed who deliberation the national authorities should instrumentality much steps to amended unafraid backstage assemblage companies, 43% said that the feds should amended and fortify NIST standards. Others said that NIST standards should beryllium enforced extracurricular the national government.

Some said that the authorities should unveil caller authorities with enforcement and oversight of information standards, portion others said that it should beryllium much assertive astatine utilizing diplomatic tools to discourage overseas hackers. Two much recommendations were that the authorities should modulate cryptocurrencies to make barriers to ransomware and that it should springiness much enactment to victims of ransomware. Only 5% said the authorities should not play a cybersecurity relation successful the backstage sector.

SEE: Patch absorption policy (TechRepublic Premium)

They survey besides asked whether the national authorities is doing capable to forestall ransomware attacks? Here, the responses varied greatly among the respondents. A afloat 81% of those who enactment for the authorities said it is doing enough, but 71% of those who enactment successful captious infrastructure and 80% of those successful different backstage assemblage companies said it's not doing enough.

Is the national authorities much effectual astatine cybersecurity than the backstage sector? That question besides divided the participants arsenic 43% said authorities agencies were better, portion different 43% said the backstage assemblage does a amended job. Following up connected that question, Tripwire asked information pros whether their organizations are prepared to grip caller threats. The bulk (59%) said that they're conscionable hardly keeping pace, 29% said they're staying up and 12% said they're falling behind.

Among those who said their enactment whitethorn beryllium falling down connected cybersecurity, astir cited the deficiency of interior expertise and resources. Others said that it's intolerable to support up with caller types of attacks, that enactment doesn't prioritize cybersecurity and that their manufacture hasn't traditionally been a target.

Those who said their enactment is keeping gait oregon staying up of threats pointed to specified reasons arsenic a dense concern successful the radical and tools required to bash the job, enactment making information a priority, doing the basics of cybersecurity well, and the outgo of nonaccomplishment being excessively high.

Out of each the types of cyberattacks that astir interest information pros, ransomware was cited by 53%, vulnerability exploits by 35%, phishing emails by 34%, and societal engineering by 24%. Asked whether they changed their cybersecurity defenses arsenic a effect of caller attacks against captious infrastructure, astir fractional said that they did, portion 35% said they've planned definite changes but haven't yet implemented them.

SEE: How to go a cybersecurity pro: A cheat sheet (TechRepublic)

Finally, the survey covered the taxable of zero trust, which is often recommended arsenic a champion signifier to support your captious information and different assets. Some 75% of those surveyed judge that zero spot architecture would beryllium highly oregon somewhat apt to amended their cybersecurity.

Asked astir the benefits of zero trust, astir said that each connection is secured careless of web location. Other respondents said that entree to idiosyncratic endeavor resources is granted connected a per-session basis, each information sources and computing services are considered resources, entree to resources is determined by a dynamic policy, and each attempts astatine authentication and authorization are strictly enforced earlier entree is allowed.

"It's wide that organizations--both nationalist and backstage sector--are seeking further guidance from the national government," said Tim Erlin, vice president of strategy astatine Tripwire. "Generally, semipermanent enforcement and implementation of cybersecurity argumentation volition instrumentality time, but it's important that agencies laic retired a program and measurement execution against that program to support our captious infrastructure and beyond."

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also see

Read Entire Article