SolarWinds, a leading provider of powerful and affordable IT management software, today revealed the findings of its fifth Federal Cybersecurity Survey.

"This year's results demonstrate the challenges facing government IT security pros, but also the progress they've made in meeting those challenges," said Jim Hansen, VP of Products, Security and Cloud, SolarWinds. "The risk posed by careless untrained insiders and foreign governments is at an all-time high, yet for the most part, IT pros feel like their agencies are doing good jobs with their IT security. In particular, they believe that government mandates and investments in training are paying dividends."

2019 Key Findings for the Federal Sector

IT security threats posed by careless/untrained insiders and foreign governments have risen substantially over the last five years.

• Fifty six percent of respondents believe careless untrained insiders are a significant source of IT security threats in their agencies, while 52 percent of respondents pointed to foreign governments as primary threats. When asked the same question five years ago, only 42 percent said insiders and 34 percent said foreign governments were the greatest sources of IT security threats.

Contractors and temporary workers present unique IT security challenges to government agencies.

• Just over half of respondents believe IT security risks are greater with contractors (51 percent).
• The most frequently noted causes of breaches by contractors are: accidentally exposing, deleting, or modifying critical data (48 percent), accessing resources that are not necessary to do their job (46 percent), and using unsecured networks/Wi-Fi (42 percent).

Government IT pros rely on training, access control, and monitoring to manage contractor risk.

• About half of respondents rely on ongoing security training (53 percent), multifactor authentication (50 percent), onboarding security training (49 percent), restricted use of external devices (48 percent), and data/systems monitoring (48 percent) to reduce the risks posed by contractors.

Respondents that rate their organizations' IT training highly are more likely to indicate their ability to prevent and detect insider threats has improved or they have it under control.

• On average, respondents rate their IT security training efforts as acceptable. Forty percent of respondents view their security training efforts as better than average or superior.
• Defense respondents give higher ratings for the comprehensiveness and the effectiveness of their IT security training relative to those from civilian agencies.

IT security pros believe they are making progress managing risk due to government mandates, security tools, and best practices.

• When asked about their ability to detect and prevent insider threats, 66 percent of respondents said things have improved or are under control when it comes to malicious threats. When asked about accidental or careless insiders, this number decreased to 58 percent.
• When asked about the benefits of security frameworks or mandates, a majority of respondents felt that, with the exception of HIPAA, all the mandates they were asked about contributed to their ability to manage risk. This is an improvement over last year, when over half of respondents indicated that regulations and mandates posed more of a challenge.
• Respondents believe that their organization's tools, policies, and practices are effective at reducing risk based on Center for Internet Security^® (CIS) framework controls.
• Improved strategy, a concerted effort to apply security best practices, end user security awareness training, and intrusion detection and prevention tools all contributed to the successful risk management of threats posed by careless insiders.
• Key contributors to risk management of threats posed by malicious insiders include employee background checks, patching, and network traffic encryption.

"The results of this year's survey are encouraging, but there's certainly more work to do," said Mav Turner, VP of Product Strategy, SolarWinds. "In particular, agency IT professionals must continue to identify ways to improve security around contractors and temporary workers, who comprise a large population of the federal workforce, and insider and foreign threats continue to loom. Overall, agencies appear to be on the right track, with the right tools and policies in place-a trend we hope will continue into next year."

There is redundant and inefficient security on endpoints-specially desktops and notebooks. Traditional antivirus and scanning is not keeping up. It also adds tremendous processing overhead and degrades user experience. New ways of delivering security, such as network analytics and threat detection via AI, must be considered soon. -- IT Director, Army

Interest in IT security occurs only after an incident. Then after the dust settles (investigations, reviews, numerous warning and alert memos), it's back to the same business as usual. No true concrete steps are taken, in my opinion. -- Directorate Executive, ATF

Security guidance needs to be produced internally much faster-how to take external direction and policy and provide guidance to program managers, operators, and developers. Now the solutions are being implemented with a best guess and the guidance comes next, leading to either compliance failures or the need to redo everything. -- IT Director, DOD