According to a new study from ThreatTrack Security, based on responses from 100 IT/InfoSec managers working for defense contractors here in the U.S., security posture and general practices have changed in the defense community thanks to the actions of Edward Snowden.
Snowden, a former NSA contractor, leaked more than a million classified documents to the press last summer. The data he released has been eye opening, revealing the massive surveillance programs developed by the NSA and Britain's GCHQ. As a result, defense contractors have started running a tighter ship, but that doesn't mean things are better.
From the report:
"It is clear the Edward Snowden affair has had a profound impact on U.S. defense contractors, especially among smaller companies, forcing them to re-evaluate policies and get more stringent with hiring and data access privileges..."
According to the data, 88 percent of those questioned said that they support the InfoSec guidance handed down from the government, noting that it is adequate when it comes to their mandate to protect data and defend their networks from attack. However, 62 percent of them also said that despite this fact, they feel their respective organization is vulnerable to attack.
The study highlights the fact that 63 percent of those questioned had security clearance of some kind, such as confidential (11%), secret (19%), or top secret (18%). However, of those that confirmed access to networks and databases that store confidential information, nearly 30 percent of them had no clearance level at all, which the report notes "raises a red flag."
"This means that like Snowden, they may have broad IT administrative privileges but without the proper security clearance. Regardless of what security clearances you have, access to privileged information ultimately may be the greatest risk for defense contractors looking to avoid another Snowden-like event. Further review of IT access privileges, therefore, may be in order."
Another interesting data point from the study is the eight percent of respondents who admitted that their organization had failed to disclose a security breach to customers, partners, and government agencies with which they have contracts.
The report notes this as an encouraging metric, because it shows that defense contractors recognize the importance of breach disclosure. However, given what the firms deal with on a day-to-day basis, that eight percent is still a troubling number.
For the most part, those questioned by ThreatTrack confirmed that their executives are a rather cautious lot, limiting the organizations exposure due to risky behavior.
However, that isn't always the case:
"Still, some risky practices persist among defense contractor executives. For instance, 40% of respondents said they’ve had to remove malware after executives clicked on malicious links in a phishing email; 33% as a result of attaching an infected device such as a USB driver or smartphone to a PC; and 16% because a malicious app had been installed.
"In addition, 14% said they’ve had to remove malware after an executive let a family member use a company-owned device; and 13% removed malware caused by an infected pornographic website."
In a statement, ThreatTrack Security President and CEO, Julian Waits, Sr., said that it's interesting to note that while defense contractors seem to have better security practices in place, and are more transparent than many companies in the private sector, they are finding the current cyber threat onslaught just as difficult to deal with.
“Well over half are concerned that they are vulnerable to targeted attacks and cyber-espionage, and given the type of data they are handling and storing, we think that number needs to get a lot smaller – and fast.”
A copy of the full report is available here.