75 Percent of Defense Contractors Say NSA Revelations Changed Their Security Practices


If the last six months since the first leaks from Edward Snowden have proved nothing else, they have shown that nobody is immune from being spied upon, and everyone needs to be better prepared to ward off the activities of bad actors. And, while you might think that defense contractors, of all companies, would be vigilant about protecting their data and have peace of mind that their defenses were adequate, a new study by Clearwater, FL-based ThreatTrack Security tells a different tale.

The high-level findings of the report are, in a word, “sobering.” They include that 75 percent of survey respondents indicated that the Edward Snowden incident has changed their companies’ cybersecurity practices in one of the following ways:

  • 55 percent say their employees now receive more cybersecurity awareness training
  • 52 percent have reviewed or re-evaluated employee data access privileges
  • 47 percent are on higher alert for anomalous network activity by employees
  • 41 percent have implemented stricter hiring practices
  • 39 percent say their own IT administrative rights have been restricted

This is a report that you need to download. ThreatTrack had research firm Opinion Matters conduct a blind survey of 100 IT/security managers or staff within defense contractor organizations that handle data for the US government during the period November 2013 to January 2014.  It should be noted that 63 percent of the survey respondents hold either secret, top secret or confidential clearances. This means 27 percent do not hold such clearances. In fact, a key finding of the survey is that so many people without clearances may have easy access to sensitive government data. 

In addition to revealing how their security practices have changed in light of the Edward Snowden revelations, the survey also explored subjects such as:

  • Whether data breaches are being reported
  • What the most difficult aspects of cyber defense are
  • Whether senior leaders at contractor organizations are being infected by malware due to risky online behaviour
  • Whether the government is providing proper guidance and support for cyber defense, and whether contractors are concerned that their organization may be vulnerable to sophisticated cyber threats.

Government guidance good, but cyber-attack volume and complexity are challenging

The good news, what there is of it, is that the survey found a high level of confidence in government guidance on how to protect sensitive data. 88 percent of respondents said they get what they need in terms of support, but 62 percent reported they are concerned their organization is vulnerable to APTs, targeted malware attacks and sophisticated cybercrime and cyber-espionage tactics.

The two most difficult aspects of defending against advanced malware were reported to be the volume of malware attacks (61 percent said this was the case) and the complexity of that malware (59 percent). An additional 29 percent said there is not enough budget for the right tools, and 22 percent indicated they just don’t have access to an automated malware analysis solution that can detect and remediate the most sophisticated threats in real-time.

As a teaser to get readers to download this report and its detailed analysis, a few charts from it hopefully whet your appetite.

Actions taken in light of the Snowden revelations are also instructive. They might even be a leading indicator as to where the crowds will be in a few weeks at the annual RSA security event in San Francisco.

“It’s interesting to note that while defense contractors seem to have better security practices in place and are more transparent than many companies in the private sector, they are finding the current cyber threat onslaught just as difficult to deal with,” said ThreatTrack Security President and CEO Julian Waits, Sr. “Well over half are concerned that they are vulnerable to targeted attacks and cyber-espionage, and given the type of data they are handling and storing, we think that number needs to get a lot smaller – and fast.”

Lots of concerns, including infections of senior managers

A few other tidbits are worth citing. For example, 26 percent of respondents reported that there is a shortage of highly-skilled security personnel (malware analysts) on staff. ThreatTrack makes an interesting observation that, “Past studies have shown that this shortage is compounded by the fact that IT security staff is routinely multi-tasking between new malware sample analysis – which typically takes more than 2 hours per sample – and cleaning malware off executives’ devices.”

Yes, defense contractors overall are more vigilant in their security practices than typical enterprises. However, defense contractor IT managers revealed, at the following rates, that a device used by a member of their senior leadership team had become infected with malware due to executives:

  • Visiting a pornographic website (13 percent) – compared to 40 percent of other enterprises
  • Clicking on a malicious link in a phishing email (40 percent) – compared to 56 percent in other enterprises
  • Allowing a family member to use a company-owned device (14 percent) – compared to 45 percent in other enterprises

Yikes!

The study also revealed much more transparency about data breaches in defense contractor organizations than in the general enterprise community. Only 8 percent said they were aware of a data breach at their company that had not been reported to customers, partners or government agencies with which they contract. This compared to 57 percent of malware analysts in enterprise environments who said they were aware of breaches that were unreported.

The lessons learned portion of the report may be the most important. As the chart above shows, defense contractors, who as highly visible targets are always on high alert, have nevertheless taken actions to tighten their security practices. Increasing education about safe practices, restricting administrative rights and being much more aware of misbehavior by employees, including senior management, are just some of the steps.

One lesson we have all learned is that the dangers within can be as lethal as those from the outside. Any IT security professional will tell you there is no fail-safe cure for being compromised. The trick is to have enough knowledge and protection to dissuade attackers from continuing their exploits.

Peace of mind in security is thus a moving target. As the survey notes, when it comes to the government, defense contractors interestingly seem to feel, based on the confidence they have in the guidance they are provided on protecting data, that the government is friend and not foe. In the face of the Snowden revelations and subsequent ripple effects around the world and across private enterprises in just the past few weeks, one wonders where peace of mind in general would be if the survey were taken now.


