IT Complexity, Insider Threats, and an Abundance of Privileged Users Plague U.S. Public Sector Cyber Readiness

Survey points to lack of cyber confidence and organisational maturity across U.S. public sector

SolarWinds (NYSE:SWI), a leading provider of powerful and affordable IT management software, today announced the findings of its sixth annual U.S. Public Sector Cybersecurity Survey Report*. This year’s survey includes responses from 400 IT operations and security decision makers, including 200 federal, 100 state and local, and 100 education respondents. This is the first year the survey includes state, local, and education (SLED) respondents.

“Complexity is a big theme in this year’s survey,” said Brandon Shopp, vice president for product strategy at SolarWinds. “Led only by budget constraints, complexity of internal environments is one of the most significant high-level obstacles to maintaining or improving IT security, and respondents indicated it’s keeping them from easily segmenting users and adopting a zero-trust approach. Our data shows this complexity is getting worse, especially in federal environments. SolarWinds is committed to helping technology professionals across the spectrum, no matter the organisational size or budget, to ‘de-complicate’ security and solve the problems they need to solve, every day, like we do with all our tech solutions. This survey highlights the need for vendor partners who take this kind of approach.”

2020 Key Findings

For the fifth year in a row, careless and untrained insiders are the leading source of security threats for U.S. public sector organisations.

• Fifty-two percent of total respondents cited insiders as the top threat; this number is consistent for both federal and state and local respondents.
• In the education sector, respondents pointed to the general hacking community (54%) as the top threat.

Budget constraints, followed by complexity, top the list of significant obstacles to maintaining or improving organisational IT security. 

• Education respondents indicated more so than other public sector groups that budget constraints (44% in K-12, the equivalent of primary and secondary education in the U.K.) are obstacles to maintaining or improving IT security. State and local respondents indicated 27%, followed by federal respondents at 24%.
• Federal respondents indicated complexity of the internal environment (21%) is one of the most significant obstacles, surpassed only by budget constraints (24%).
• While budget constraints have declined since 2014 for the federal audience (40% in 2014; 24% in 2019), respondents also recognised the complexity of the internal environment as an obstacle that has increased (14% in 2014; 21% in 2019).

Cybersecurity maturity needs attention across U.S. public sector organisations; on average, respondents rated their agency’s maturity at a 3.5 on a scale of one to five.

• Respondents indicated that their capabilities are most mature in the following areas: endpoint protection (57%), continuity of operations (57%), and identity and access management (56%). However, there was not a single cybersecurity capability for which more than 57% of respondents claimed to be organisationally mature.

Less than half of U.S. public sector respondents are very confident in their team’s ability to keep up with evolving threats, regardless of whether the organisation outsources its security operations or not.

• Forty-seven percent of respondents who outsource at least part of their security operations to a managed service provider (MSP) (28% of total respondents), feel very confident in this ability.
• The vast majority of respondents (86%) rely on in-house staff as their primary security team. Only 41% of this pool feel very confident in their team’s ability to maintain the right skills.

Most U.S. public sector organisations measure the success of their IT security teams by evaluating metrics such as the number of detected incidents (58%) or their team’s ability to meet compliance goals (53%), which, as standalone metrics, may not accurately reflect an agency’s risk profile or the IT team’s success.

• State and local respondents were also likely to consider the number of threats that were averted (56%), while education respondents focused on level of device preparedness (46%).
• Seventy-five percent of respondents indicated compliance mandates or regulations such as GDPR, HIPAA, FISMA, RMF, DISA STIGs, etc., have had a significant or moderate impact on the evolution of their organisations’ IT security policies and practices.

U.S. public sector organisations struggle to segment users by risk level and manage the security threats posed by both privileged and non-privileged users. 

• Sixty-one percent of respondents formally segment users by risk level; however, the segmentation process is challenging because of the growing number of systems users need access to (48%), the increased number of devices (45%), and the growing number of users (43%).
• Forty-one percent of respondents claimed to have privileged users not in IT. Privileged users have admin-level access to IT systems, and the extension of too much privilege across an organisation can lead to increased risk.
• Nearly one-third of respondents (30%) have a formal zero-trust strategy in place; another 32% are modelling their approach based on zero trust but don’t have a formal strategy.

“These results clearly demonstrate the degree to which most public sector organisations are struggling to manage cyber risk,” said Tim Brown, vice president of security for SolarWinds. “While it’s heartening to see that almost two-thirds of respondents are formally segmenting users—a helpful step in managing risk—the data finds careless and untrained users to still be the weakest link. Additionally, we’re seeing a widespread lack of organisational maturity—even in technologies like endpoint protection that have been around forever. It’s therefore no surprise that only four in ten respondents feel very confident their security team can keep up with the evolving threats.”

Supporting Quotes

“Security is everyone’s job, but holding the team accountable is lacking. Until there are real individual accountability regimens in place, the network will remain at risk.”

–   Division Chief, Federal Civilian

“Our organisation operates in denial with a preference for reactionary behaviour instead of operating proactively. Government agencies tend to view IT spending as throwing money into a black hole until something occurs.”

–   Sr. IT Project Manager and Analyst, State Government

“Everything starts at the top. If C-level doesn’t put an emphasis on security, it puts us at risk.”

–   IT Manager, Local Government

“Meeting the online needs of 12,000 plus students always presents challenging security issues, but we have been able to manage without a major event so far.”

–   VP of Operations, Higher Education

“Not enough manpower, money, or resources. Waiting for a ticking bomb to go off.”

–   CTO, K-12

 *In December 2019 and January 2020, independent market research firm Market Connections, Inc. surveyed 400 IT security professionals in U.S. federal civilian and defense agencies, state and local government, and education. The survey was conducted on behalf of SolarWinds. Full survey results are available upon request.

Additional Resources

• SolarWinds 2020 Cybersecurity Survey Report
• SolarWinds Government Solutions
• Whitepaper: Top 7 Audit-Prep Reports
• Whitepaper: The Ultimate Guide to Federal IT Compliance
• SolarWinds 2019 Federal Cybersecurity Survey press release

Connect with SolarWinds

• Stop by the SolarWinds booth at the RSA Conference to learn more about SolarWinds security offerings – booth 1859

• THWACK^®

• Twitter^® 

• Facebook^®

• LinkedIn^®