Last month, the Office of Personnel Management revealed the true extent of it’s mega data breach - 21.4 million Americans. This means that around 7% of all Americans are affected by this breach. Lawmakers are beginning to debate how the federal government can implement twenty-first century policies to counter growing cyber threats. A recent study from the US GAO noted that there was a 32.5% increase in cyber incidents at federal agencies from 2012 to 2013. As lawmakers begin to look internally at policies and processes to combat these threats, it is important that they also look externally. Primarily this means taking note of third party risks and emulating models of success found in other industries.
While Bitsight never publicly discloses individual company ratings, we do provide aggregate analysis on industry-specific trends. In the past, we have published Bitsight Insight reports on industries that are lagging behind others when it comes to cybersecurity, notably healthcare and education. In light of the latest government hack, Bitsight has analyzed the Government sector along with the Defense Contractors sector to see where they stand in relation to other industries. Defense Contractors are a key third party for the federal government. As the manufacturers of everything from planes to computers, these companies are given access to sensitive and confidential information - some of it crucial to national security.
To understand the cybersecurity posture of these two industries, Bitsight has compared their performance to industries we have previously analyzed: Finance, Retail, Healthcare and Education. Bitsight rates over 27,000 organizations daily on their security performance by aggregating publicly accessible information and assigning this to specific entities. With these ratings, customers are enabled to benchmark their security performance against industry averages and peers, monitor third party vendors risks, underwrite cyber insurance and conduct due diligence.
As you can see in the table below, both the Government and Defense Contractors fall into the middle of the pack among industry sectors1. They perform better than Healthcare and Education - two industries that have experienced high profile breaches and major security issues over the past year. Nevertheless, they also fall slightly behind retail, which was grabbing headlines throughout 2014 for major breaches affecting some of the US’s largest retail giants.
As lawmakers continue debating how to overhaul the government’s outdated technology regulations and processes to address major security threats, it would be wise for them to take a look at their third party vendors as well - starting with defense contractors and other high-risk vendors. While these companies are by no means the lowest performers, third party risks have been a major source of known vulnerabilities and these companies hold incredibly sensitive information. Jacob Olcott, VP of Business Development, notes that in many government agencies, teams are still struggling with the basics of third party risk management and focusing on items like contractual updates. Meanwhile, agencies are still being breached and clear risks are being ignored. “It’s time the government starts embracing more of the practices that its regulators are pushing for private industry to adopt. Their guidance has included continuous performance monitoring, more frequent risk assessments and clearly defined terms for breach liability.”
As Washington begins to look internally to tackle cybersecurity, lawmakers should also look outward to emulate the example of financial services and manage third party risk before another major breach occurs.
1 Note: The Defense Contractor industry comprises 80 companies with a range of ratings from 390-790. Average Ratings do not provide an indication of any one company’s security performance.