Snowden fallout on contractors: It’s not all bad

A ThreatTrack survey finds that defense contractors feel vulnerable to cyber mayhem, but many have become more diligent about screening, managing and training employees.

The Edward Snowden leaks have led to changes in cybersecurity practices at U.S. defense contractors, though contractors continue to say that they remain vulnerable to cyber-attacks, according to a recent survey by ThreatTrack Security.

According to the study, 88 percent of defense contractors feel that the government provides an acceptable amount of guidance with regard to cybersecurity, but they still feel vulnerable to cybercrime and say they would benefit from additional protective measures.

The study, in which Opinion Matters surveyed IT and security managers at defense contractors, found that:

  • Twenty-seven percent of respondents who have access to networks and databases that store confidential information have no security clearances.
  • More than half of IT managers, 62 percent, worry that their companies are vulnerable to targeted malware attacks, cybercrime, cyber-espionage and advanced persistent threats (APTs).
  • Contractors with larger IT budgets are more likely to feel more vulnerable, indicating that they may be more aware of the risks that they face.
  • Only 78 percent of IT managers have access to dynamic malware analysis solutions, a capability that is important because of the sensitivity of the information these contractors handle.
  • More than a quarter of respondents said that they are understaffed in terms of skilled IT experts and malware analysts.

Researchers also discovered that the Snowden affair has changed how contractors train employees who handle sensitive information. About half of the respondents say that there is now more cybersecurity training (55 percent); that they have reviewed employee data access privileges (52 percent); that they are on higher alert for misbehavior (47 percent); that they have implemented stricter hiring practices (41 percent); or that they have curtailed IT administrative rights (39 percent).

One positive finding was that executives are less likely to engage in risky behavior compared with their general enterprise counterparts. Contractor executives are less likely to get malware from visiting pornographic websites, click on malicious links in phishing emails, or allow family members to use a company-owned device.

IT contractors also are more transparent about data breaches – 8 percent said that they were aware of data breaches that were unreported to their customers, compared with 57 percent of analysts in enterprise environments, according to a study conducted in October 2013.

"It's interesting to note that while defense contractors seem to have better security practices in place and are more transparent than many companies in the private sector, they are finding the current cyber threat onslaught just as difficult to deal with," said ThreatTrack Security President and CEO Julian Waits, Sr. "Well over half are concerned that they are vulnerable to targeted attacks and cyber-espionage, and given the type of data they are handling and storing, we think that number needs to get a lot smaller – and fast."