[New Report] How vulnerable are federal contractors to a data breach?

David Pumphrey, 16 February 2018

A newly released survey by the cybersecurity firm BitSight, covering more than 1,200 federal contractors, shows that in several contractor sectors roughly 5% or more of firms have disclosed at least one data breach since January 2016. Across the contractor base as a whole, a significant number of firms have suffered breaches in that period.

"Not only can these breaches often affect government and private sector employees, they may expose data that is fundamental to national security," the authors warn.

RELATED ARTICLE: Proposed Senate Bill to fine & jail execs for concealed data breach...

Here are the key findings from the survey:

  1. A security performance gap exists between the U.S. federal government and its contractor base: the mean BitSight Security Rating for federal agencies was at least 15 points higher than the mean of any contractor sector.

  2. Over 8% of Healthcare/Wellness contractors have disclosed a data breach since January 2016; Aerospace/Defense firms had the next highest breach disclosure rate at 5.6%.

  3. While the U.S. federal government has made a concerted effort to fight botnets in recent months, botnet infections remain prevalent among the government contractor base, particularly at Healthcare/Wellness and Manufacturing contractors.

  4. Many contractors are not following best practices for network encryption and email security: nearly 50% of contractors have a BitSight grade below C for the Protective Technology subcategory of the NIST Cybersecurity Framework.

  5. Nearly one in five users at Technology and Aerospace/Defense contractors have an outdated internet browser, making these employees and their organizations highly susceptible to new variants of malware.
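The fifth finding is the kind of exposure an organisation can measure for itself before an outside rating service does. The following is an added example, not code from the report or from BitSight: it parses web server access logs in the Apache/NGINX "combined" format, extracts the browser family and major version from each client's User-Agent, and reports the share of distinct clients (deduplicated by source IP) running a browser below a minimum version. The log lines are constructed for the example, and the `MIN_MAJOR` baseline is an assumed threshold, not one published by the report.

```python
import re
from collections import Counter

# Assumed baseline (hypothetical): lowest major version still treated as current
# for each browser family. BitSight's own thresholds are not published on this page.
MIN_MAJOR = {"Chrome": 64, "Firefox": 58, "Edge": 16, "MSIE": 11}

# Order matters: an Edge user agent also contains "Chrome/", so Edge is tested first.
UA_PATTERNS = [
    ("Edge", re.compile(r"\bEdge/(\d+)")),
    ("Chrome", re.compile(r"\bChrome/(\d+)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+)")),
    ("MSIE", re.compile(r"\bMSIE (\d+)")),
]

# Apache/NGINX "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"\s*$'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.11 - - [12/Feb/2018:09:14:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"',
    '10.0.0.12 - - [12/Feb/2018:09:14:07 +0000] "GET /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"',
    '10.0.0.13 - - [12/Feb/2018:09:15:31 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0"',
    '10.0.0.14 - - [12/Feb/2018:09:16:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063"',
    '10.0.0.15 - - [12/Feb/2018:09:17:44 +0000] "GET /portal HTTP/1.1" 200 9870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '10.0.0.16 - - [12/Feb/2018:09:18:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"',
    '10.0.0.17 - - [12/Feb/2018:09:18:55 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"',
    '10.0.0.18 - - [12/Feb/2018:09:19:20 +0000] "GET /api/health HTTP/1.1" 200 17 "-" "curl/7.58.0"',
    '10.0.0.11 - - [12/Feb/2018:09:20:01 +0000] "GET /docs HTTP/1.1" 200 3300 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"',
]


def classify_ua(ua):
    """Return (family, major_version) for a recognised browser user agent, else None."""
    for family, pattern in UA_PATTERNS:
        m = pattern.search(ua)
        if m:
            return family, int(m.group(1))
    return None


def is_outdated(family, major):
    """True when the browser's major version is below the assumed baseline."""
    return major < MIN_MAJOR[family]


def audit_browsers(log_lines):
    """Summarise outdated browsers per distinct client (source IP) in the given log lines.

    A client is counted once, using the last recognised browser seen for it, so a
    repeat visitor does not inflate the rate. Non-browser agents (curl, monitors)
    count as clients but not as browser clients.
    """
    clients = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole audit
        ip, parsed = m.group("ip"), classify_ua(m.group("ua"))
        if parsed is None:
            clients.setdefault(ip, None)
        else:
            clients[ip] = parsed
    outdated = {ip: b for ip, b in clients.items() if b and is_outdated(*b)}
    browser_clients = sum(1 for b in clients.values() if b)
    return {
        "clients": len(clients),
        "browser_clients": browser_clients,
        "outdated": outdated,
        "outdated_rate": len(outdated) / browser_clients if browser_clients else 0.0,
        "by_family": Counter(b[0] for b in outdated.values()),
    }


if __name__ == "__main__":
    report = audit_browsers(SAMPLE_LOG)
    print(f"{len(report['outdated'])} of {report['browser_clients']} browser clients "
          f"({report['outdated_rate']:.0%}) run an outdated browser")
    for ip, (family, major) in sorted(report["outdated"].items()):
        print(f"  {ip}: {family} {major} (minimum {MIN_MAJOR[family]})")
```

Two design points matter in practice. Deduplicating by client rather than by request is what turns a log into a "share of users" figure comparable to the survey's; and User-Agent strings are client-supplied, so this is a measurement of the fleet's self-reported state, good for finding laggards but not a substitute for endpoint inventory data.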

Agencies revising data breach policies

Contractors will face tighter breach reporting time frames, as more government agencies update their policies. For instance, GSA contractors will be required to report any security incident "that could potentially affect GSA or its customer agencies." This is one of several rules pending from the General Services Administration for its registered contractors that handle unclassified systems across the federal government.

Related Article: Senators propose stronger fines for data breaches in the wake of Equifax leak

Committees marching towards stronger data security regulations

The survey arrives amid a push by House committees in response to the 2017 wave of cybersecurity attacks. This week alone, the Transportation and Infrastructure Committee approved two bipartisan railroad data and information security bills (H.R. 4921 and H.R. 4925). H.R. 4921 directs the Surface Transportation Board to implement an improvement plan for its information security system. H.R. 4925 is intended to ensure greater accuracy and quality of the data collected and reported by the Federal Railroad Administration.

Read more on the survey here.

Do you have policies and procedures in place for handling data residing on IT equipment that has reached the end of its life cycle?

e-End is an expert in keeping companies compliant by securing and sanitizing end-of-life data and preventing costly data breaches. Contact us...