Data breaches a top concern of federal IT managers

Survey shows a lack of confidence in security of Web 2.0 services such as file sharing, remote access to secure data and social networking.

Exposure of private employee information ranks as the biggest security concern of federal information technology managers, according to a recent survey.

Forty-four percent of decision-makers canvassed by technology services provider Cisco in October identified loss of employee data due to a breach as one of their top worries, while 41 percent pointed to the loss of citizens' private data and the same percentage cited inadequately trained or unconcerned users. The survey covered 200 federal managers.

"[Agencies] know their systems and processes are not 100 percent where they need to be, and given that, what's the biggest risk? It's loss of data," said Gerald Charles, director of the Internet Business Solutions Group at Cisco.

When asked about collaborative Web 2.0 services, 65 percent of respondents said file sharing was risky, while 60 percent cited concerns about remote access to secure data and 52 percent mentioned social networking. A smaller portion of respondents -- less than 30 percent -- pointed to Web browser compatibility, blogging and wikis as the Web 2.0 services that introduce the greatest vulnerabilities.

Concern about collaborative Web services is not a surprise, Charles said, given that it's a relatively new concept in most agencies.

"But the fact is that some Web 2.0 technologies are more secure than other technologies were when they first entered the market," he said. "Agencies need to look at each service, understand how it's being implemented into the business model, and apply the same sound security strategies integrated into other [applications]. Just because a technology is new doesn't mean it can't be managed."

One key strategy for ensuring that new technologies don't introduce unexpected risk is to embed or "bake in" safeguards in IT infrastructure, rather than layer on software tools that address individual threats. Eighty-two percent of survey respondents said this was critical.

Despite concerns, 60 percent of respondents reported feeling more confident in their agency's security than they did four years ago, and a slightly higher portion -- 64 percent -- reported spending more time following security mandates than they did in 2007. Compliance with the 2002 Federal Information Security Management Act and President Bush's largely classified Comprehensive National Cyber Security Initiative were named as the top priorities.

IT managers were less concerned than in previous years about spyware, which gathers information about computer users, and botnets, which infiltrate computers to use them for spam and denial-of-service attacks. This could mean steps are being taken to protect networks against those threats, Charles said.

"Agencies are starting to look at security as a more holistic process," he said. "It's not just about technology; it's about policies and procedures, people, places and things that all need to be managed systematically. They're starting to do this, but most are just not quite there yet."