IT Complexity, Insider Threats, and an Abundance of Privileged Users Plague Public Sector Cyber Readiness

SolarWinds (NYSE:SWI), a leading provider of powerful and affordable IT management software, today announced the findings of its sixth annual Public Sector Cybersecurity Survey Report.* This year's survey includes responses from 400 IT operations and security decisionmakers, including 200 federal, 100 state and local, and 100 education respondents. This is the first year the survey includes state, local, and education (SLED) respondents.

"Complexity is a big theme in this year's survey," said Brandon Shopp, vice president for product strategy at SolarWinds. "Led only by budget constraints, complexity of internal environments is one of the most significant high-level obstacles to maintaining or improving IT security, and respondents indicated it's keeping them from easily segmenting users and adopting a zero-trust approach. Our data shows this complexity is getting worse, especially in federal environments. SolarWinds is committed to helping technology professionals across the spectrum, no matter the organizational size or budget, to ?de-complicate' security and solve the problems they need to solve, every day, like we do with all our tech solutions. This survey highlights the need for vendor partners who take this kind of approach."

2020 Key Findings

For the fifth year in a row, careless and untrained insiders are the leading source of security threats for public sector organizations.

• Fifty-two percent of total respondents cited insiders as the top threat; this number is consistent for both federal and state and local respondents.
• In the education sector, respondents pointed to the general hacking community (54%) as the top threat.

Budget constraints, followed by complexity, top the list of significant obstacles to maintaining or improving organizational IT security.

• Education respondents indicated more so than other public sector groups that budget constraints (44% in K-12) are obstacles to maintaining or improving IT security. State and local respondents indicated 27%, followed by federal respondents at 24%.
• Federal respondents indicated complexity of the internal environment (21%) is one of the most significant obstacles, surpassed only by budget constraints (24%).
• While budget constraints have declined since 2014 for the federal audience (40% in 2014; 24% in 2019), respondents also recognized the complexity of the internal environment as an obstacle that has increased (14% in 2014; 21% in 2019).

Cybersecurity maturity needs attention across public sector organizations; on average, respondents rated their agency's maturity at a 3.5 on a scale of one to five.

• Respondents indicated that their capabilities are most mature in the following areas: endpoint protection (57%), continuity of operations (57%), and identity and access management (56%). However, there was not a single cybersecurity capability for which more than 57% of respondents claimed to be organizationally mature.

Less than half of public sector respondents are very confident in their team's ability to keep up with evolving threats, regardless of whether the organization outsources its security operations or not.

• Forty-seven percent of respondents who outsource at least part of their security operations to a managed service provider (MSP) (28% of total respondents), feel very confident in this ability.
• The vast majority of respondents (86%) rely on in-house staff as their primary security team. Only 41% of this pool feel very confident in their team's ability to maintain the right skills.

Most public sector organizations measure the success of their IT security teams by evaluating metrics such as the number of detected incidents (58%) or their team's ability to meet compliance goals (53%), which, as standalone metrics, may not accurately reflect an agency's risk profile or the IT team's success.

• State and local respondents were also likely to consider the number of threats that were averted (56%), while education respondents focused on level of device preparedness (46%).
• Seventy-five percent of respondents indicated compliance mandates or regulations such as GDPR, HIPAA, FISMA, RMF, DISA STIGs, etc., have had a significant or moderate impact on the evolution of their organizations' IT security policies and practices.

Public sector organizations struggle to segment users by risk level and manage the security threats posed by both privileged and non-privileged users.

• Sixty-one percent of respondents formally segment users by risk level; however, the segmentation process is challenging because of the growing number of systems users need access to (48%), the increased number of devices (45%) and the growing number of users (43%).
• Forty-one percent of respondents claimed to have privileged users not in IT. Privileged users have admin-level access to IT systems, and the extension of too much privilege across an organization can lead to increased risk.
• Nearly one-third of respondents (30%) have a formal zero-trust strategy in place; another 32% are modeling their approach based on zero trust but don't have a formal strategy.

"These results clearly demonstrate the degree to which most public sector organizations are struggling to manage cyber risk," said Tim Brown, vice president of security for SolarWinds. "While it's heartening to see that almost two-thirds of respondents are formally segmenting users?a helpful step in managing risk?the data finds careless and untrained users to still be the weakest link. Additionally, we're seeing a widespread lack of organizational maturity?even in technologies like endpoint protection that have been around forever. It's therefore no surprise that only four in ten respondents feel very confident their security team can keep up with the evolving threats."

Supporting Quotes

"Security is everyone's job, but holding the team accountable is lacking. Until there are real individual accountability regimens in place, the network will remain at risk."

- Division Chief, Federal Civilian

"Our organization operates in denial with a preference for reactionary behavior instead of operating proactively. Government agencies tend to view IT spending as throwing money into a black hole until something occurs."

- Sr. IT Project Manager and Analyst, State Government

"Everything starts at the top. If C-level doesn't put an emphasis on security, it puts us at risk."

- IT Manager, Local Government

"Meeting the online needs of 12,000 plus students always presents challenging security issues, but we have been able to manage without a major event so far."

- VP of Operations, Higher Education

"Not enough manpower, money, or resources. Waiting for a ticking bomb to go off."

- CTO, K-12

*In December 2019 and January 2020, independent market research firm Market Connections, Inc. surveyed 400 IT security professionals in U.S. federal civilian and defense agencies, state and local government, and education. The survey was conducted on behalf of SolarWinds. Full survey results are available upon request.

Additional Resources

• SolarWinds 2020 Cybersecurity Survey Report
• SolarWinds Government Solutions
• Whitepaper: Top 7 Audit-Prep Reports
• Whitepaper: The Ultimate Guide to Federal IT Compliance
• SolarWinds 2019 Federal Cybersecurity Survey press release

Connect with SolarWinds

• Stop by the SolarWinds booth at the RSA Conference to learn more about SolarWinds security offerings ? booth 1859
• THWACK^®
• Twitter^®
• Facebook^®
• LinkedIn^®

#SWI
#SWIcorporate
#SWIsecurity

About SolarWinds

SolarWinds (NYSE:SWI) is a leading provider of powerful and affordable IT management software. Our products give organizations worldwide?regardless of type, size, or complexity?the power to monitor and manage their IT services, infrastructures, and applications; whether on-premises, in the cloud, or via hybrid models. We continuously engage with technology professionals?IT service and operations professionals, DevOps professionals, and managed services providers (MSPs)?to understand the challenges they face in maintaining high-performing and highly available IT infrastructures and applications. The insights we gain from them, in places like our THWACK community, allow us to solve well-understood IT management challenges in the ways technology professionals want them solved. Our focus on the user and commitment to excellence in end-to-end hybrid IT management has established SolarWinds as a worldwide leader in solutions for network and IT service management, application performance, and managed services. Learn more today at www.solarwinds.com.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks of) their respective companies.

© 2020 SolarWinds Worldwide, LLC. All rights reserved.