joltsik
Contributing Writer

Government agencies are more vulnerable to confidential data breaches from lost or stolen IT assets

Analysis
Oct 22, 2009 · 2 mins
Cisco Systems, Data and Information Security, Data Breach

Why is this the case and what are government agencies doing about it?

In a 2009 ESG Research survey, 47% of security professionals working at enterprise-class organizations (i.e. those with 1,000 employees or more) said that their organization was vulnerable to a confidential data breach as a result of “a lost or stolen IT asset.” Looking at this data on an industry-by-industry basis, the government sector stood out. Sixty-six percent of security professionals working at government organizations said that their organization was vulnerable to a confidential data breach as a result of “a lost or stolen IT asset” — significantly higher than the general population. This raises the question: why is the government sector so much more vulnerable here? Based on additional ESG data, I believe that this distinction may be the result of issues like:

1. Bureaucracy. When the CEO mandates that all laptops are encrypted, CIOs and purchasing managers jump. Not so in the government sector. For example, the Federal Office of Management and Budget released a memo to the heads of executive departments and agencies (M-07-16) in May 2007 calling for agencies to use “encryption . . . and other security controls to make information unusable by unauthorized individuals.” In spite of this memo, and a SmartBuy program to make it easy for agencies to acquire full-disk encryption technology (SafeBuy, Data at Rest Tiger Team (DARTT)), a large number of Federal government laptops remain unencrypted (author’s note: the last report I read a few months ago mentioned that 40% of Federal laptops remain unencrypted, but I couldn’t find any more recent data). It certainly seems like government procurement and IT processes are creating a bottleneck.

2. Training. Sixty-eight percent of government organizations believe that “communicating and training employees on confidential data security policies” is most important when it comes to confidential data security, yet more than one-third of respondents said that their government organization is either “fair” or “poor” in this area. Untrained employees can’t be blamed for violating policy.

Clearly government organizations must improve in these areas. Let’s hope that FISMA 2.0 and the cybersecurity coordinator expedite a solution here.


Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
