Critical Infrastructure Security, Network Security, Vulnerability Management

Nearly half of fed endpoints remain unprotected, study finds

A just released report surveying endpoint security across the federal government highlighted some alarming lapses.

The study from MeriTalk, “Endpoint Epidemic,” underwritten by Palo Alto Networks, found that 44 percent of endpoints are unknown or unprotected and barely half of federal government employees have taken critical steps to secure endpoints, such as scanning for vulnerable/infected endpoints.

As more and more smart devices connect to federal networks, more entry points are opened up for malicious access. As a consequence, one-third of federal IT managers say they have experienced a breach due to APT or zero-day attacks. And, survey respondents estimated that nearly a third of their network-connected devices have been infected with malware.

Just over half of federal IT managers (54 percent) responded that their current policies and standards are very effective, practical or enforceable. Further, less than half said their agency's endpoint security policies and standards are very well integrated into their overall IT security strategy. And, half said their agency isn't taking key steps to validate users and apps.

The takeaway? Agencies are not prepared, the study concluded.

“Endpoints are an increasingly important vector to secure in the cyberattack lifecycle,” Pamela Warren, director, government and industry initiatives, Palo Alto Networks, said in a statement. “Unfortunately, these study results indicate that trust and visibility are much too often absent on this frontier."

Perhaps nowhere is this more evident than in results looking at BYOD implementations. Nearly half of federal employees surveyed who use personal devices for work purposes have either not reviewed their agency's BYOD policy or don't believe one exists, the study found.

It could be lack of oversight or lack of awareness, but it is clear that federal employees are not protecting agency information, the study found: 61 percent of agencies do not apply their network security policies to mobile devices, 52 percent do not enroll devices with the IT department, and 50 percent do not prohibit the use of public Wi-Fi.

Further, 61 percent of federal employees who use personal mobile phones for work have downloaded personal apps to that phone, and half admit to risky behavior with personal mobile devices used for work.

However, some positive developments emerged as well. Nearly three-quarters of respondents said that the $1.6 billion invested in technology – such as laptops and secure remote connections – as part of the Digital Government Strategy (a directive issued by President Obama aimed at "delivering better digital services to the American people") have proven effective in advancing cyberstrategies, while 60 percent said management investments – such as mobile device management and mobile email management – have proven effective.

And, federal employees indicated they are not averse to cooperating with stricter BYOD guidelines. In fact, 79 percent would be willing to have their device inspected for malware and 78 percent went so far as to suggest removing telework privileges for employees that do not comply with policies.

The “Endpoint Epidemic” report was based on an online survey given in September 2015 querying 100 U.S. federal IT managers and 100 federal employees.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.