A newly released survey by the cybersecurity firm BitSight shows that around 5% of contractors in some industries working for federal agencies have reported at least one data breach. The survey covered more than 1,200 federal contractors. Since 2016, a significant number of these firms have suffered data breaches.
"Not only can these breaches often affect government and private sector employees, they may expose data that is fundamental to national security," the authors warn.
Here are the key findings from the survey:
A security performance gap exists between the U.S. federal government and its contractor base: the mean BitSight Security Rating for federal agencies was at least 15 points higher than the mean of any contractor sector.
Over 8% of Healthcare/Wellness contractors have disclosed a data breach since January 2016; Aerospace/Defense firms had the next highest breach disclosure rate at 5.6%.
While the U.S. federal government has made a concerted effort to fight botnets in recent months, botnet infections are prevalent amongst the government contractor base, particularly for Healthcare/Wellness and Manufacturing contractors.
Many contractors are not following best practices for network encryption and email security: nearly 50% of contractors have a BitSight grade below C for the Protective Technology subcategory of the NIST Cybersecurity Framework.
Nearly one in five users at Technology and Aerospace/Defense contractors have an outdated internet browser, making these employees and their organizations highly susceptible to new variants of malware.
Agencies revising data breach policies
Contractors will face tighter breach reporting time frames as more government agencies update their policies. For instance, GSA contractors will be required to report any security incident "that could potentially affect GSA or its customer agencies." This is one of several rules pending from the General Services Administration for its registered contractors that handle unclassified systems across the federal government.
Committees marching towards stronger data security regulations
The survey arrives amid a full press from House committees in response to the 2017 onslaught of cybersecurity attacks. This week alone, the Transportation and Infrastructure Committee approved and voted on two bipartisan railroad data and information security bills (H.R. 4921 and H.R. 4925). H.R. 4921 directs the Surface Transportation Board to implement an improvement plan for its information security system. H.R. 4925 is intended to ensure greater accuracy and quality of the data collected and reported by the Federal Railroad Administration.