Contractors pose cyber risk to government agencies
While US government agencies are continuing to improve their security performance over time, the contractors they employ are failing to meet the same standards according to a new report.
The study by security rankings specialist BitSight sampled over 1,200 federal contractors and finds that the security rating for federal agencies was 15 or more points higher than the mean of any contractor sector.
It finds more than eight percent of healthcare and wellness contractors have disclosed a data breach since January 2016. Aerospace and defense firms have the next highest breach disclosure rate at 5.6 percent.
While government has made a concerted effort to fight botnets in recent months, botnet infections are still prevalent among the government contractor base, particularly for healthcare and manufacturing contractors.
The study also shows many contractors are not following best practices for network encryption and email security. Nearly 50 percent of contractors have a BitSight grade below C for the Protective Technology subcategory of the NIST Cybersecurity Framework.
Also worrying is that almost one in five users at technology and aerospace/defense contractors have an outdated internet browser, making these employees and their organizations highly susceptible to new variants of malware.
"Tens of thousands of government contractors hold sensitive data or perform services on behalf of federal agencies. The US government must be focused on evaluating, monitoring and improving the cyber hygiene of these contractors," says Jacob Olcott, VP of strategic partnerships at BitSight. "Recent contractor regulations, like the new DOD requirements, are a start, but are too focused on check-the-box compliance. Cyber is a dynamic risk. By leveraging objective data and continuously monitoring the supply chain, the federal government will better comprehend the danger within its own ecosystem and begin to meaningfully mitigate this risk."
You can read more of the findings along with recommendations to reduce the risk in the full report available on the BitSight website.