Survey: 75% of Defense Contractors Say Leaks by Edward Snowden Have Made Them Change Their Security Practices
According to the results of a survey conducted by ThreatTrack Security, the leaking of classified NSA documents by Edward Snowden has resulted in defense contractors changing their companies’ cybersecurity practices.
ThreatTrack Security published the study looking to shed light on the attitudes of IT and security managers working at U.S. defense contractors in the wake of the Edward Snowden’s leaking of classified documents related to some the NSA’s spying tactics.
According to the results of the survey, 75% of respondents said that the Edward Snowden incident has changed their companies’ cybersecurity practices in one of the following ways:
• 55% say their employees now receive more cybersecurity awareness training
• 52% have reviewed or re-evaluated employee data access privileges
• 47% are on higher alert for anomalous network activity by employees
• 41% have implemented stricter hiring practices
• 39% say their own IT administrative rights have been restricted
In terms of access to sensitive data, 63% of the survey respondents hold either secret, top secret or confidential clearances, ThreatTrack said. However, of those who have access to or store confidential information, 27% said they do not hold such clearances. “This represents a potential privileged access problem wherein contractor employees without such clearances may have easy access to sensitive government data,” ThreatTrack warned.
“In addition to revealing how their security practices have changed in light of the Edward Snowden incident, the survey also explored subjects such as whether data breaches are being reported, what the most difficult aspects of cyber defense are, whether senior leaders at contractor organizations are being infected by malware due to risky online behavior, whether the government is providing proper guidance and support for cyber defense, and whether contractors are concerned that their organization may be vulnerable to sophisticated cyber threats.
Cyber-Attack Volume and Complexity Still a Problem
The survey found that 88% of respondents felt that they “get what they need in terms of support” from government guidance on how to protect sensitive data. However, 62% still reported that they are concerned their organization is vulnerable to APTs, targeted malware attacks and sophisticated cybercrime and cyber-espionage tactics. The two most difficult aspects of defending against advanced malware, the survey showed, were the volume of malware attacks (61%) and the complexity of that malware (59%).
An additional 29% said there is not enough budget for the right tools, and 22% indicated they don’t have access to an automated malware analysis solution, according to ThreatTrack Security, which sells malware analysis tools.
“It’s interesting to note that while defense contractors seem to have better security practices in place and are more transparent than many companies in the private sector, they are finding the current cyber threat onslaught just as difficult to deal with,” said ThreatTrack Security President and CEO Julian Waits, Sr. “Well over half are concerned that they are vulnerable to targeted attacks and cyber-espionage, and given the type of data they are handling and storing, we think that number needs to get a lot smaller – and fast.”
Not surprisingly, the Snowden leaks have had a stronger impact on companies with smaller IT security budgets, while contractors with budgets of $1 million or more reported fewer changes, the survey showed. According to ThreatTrack, this is likely because companies with bigger budgets and more resources may already feel they have the tools and policies they need.
Additionally, the study revealed that 8% said they were aware of a data breach at their company that had not been reported to customers, partners or government agencies with which they contract. This compared to nearly 6 in 10 malware analysts at U.S. enterprises who said they were aware of breaches that were unreported.
The independent blind survey of 100 IT/security managers or staff within defense contractor organizations that handle data for the US government was conducted by Opinion Matters on behalf of ThreatTrack Security from November 2013 to January 2014.
“It is clear the Edward Snowden affair has had a profound impact on U.S. defense contractors, especially among smaller companies, forcing them to re-evaluate policies and get more stringent with hiring and data access privileges,” the report concluded. “Nevertheless, contractors believe government guidance on security practices is adequate, though they still feel vulnerable to cybercrime.”
Additional details from the survey can be found here (PDF).