2021 Survey of Evolving Cyber Threats in the Public Sector: Key Takeaways | BeyondTrust

Public sector IT teams are leaning into digital transformation and increasing their reliance on automation (such as robotic processing automation), artificial intelligence, machine learning, and cloud services to support more agile, productive, and cost-effective operations, while better serving constituents. The pandemic accelerated the work from-home movement and many organizations intend to maintain a hybrid, or even fully remote workforce, as their permanent operating model.

These modernization initiatives have propelled leaps in productivity, while also kicking down the last vestiges of the traditional computing perimeter—creating substantive challenges for cybersecurity teams. New security risks are being introduced, expanding the attack surface, and creating new planes of privileges and vulnerabilities for adversaries to exploit.

To better grasp the top threats and cybersecurity trends seen as impacting public sector agencies now and over the next three years, BeyondTrust surveyed 200 senior IT and security professionals across the public sector. Survey respondents shed some fascinating insights on public sector security trends, concerns, threat actors, and technology priorities. Last week, we published the results and analysis in our 2021 Cybersecurity Trends in Government Report.

While public sector security professionals are highly concerned about the threat landscape, their responses indicate cautious optimism for the future of cybersecurity.

Continue reading for a brief rundown of some key themes across the report. You may also download the report at any time here.

Top Public Sector Cyber Threats

According to survey respondents, today’s top threats (shown in the figure below) are remote worker or contractor vulnerabilities, ransomware, phishing/social engineering, disinformation, and fileless attacks. None of these are surprises. While the list is reshuffled when looking ahead 1-3 years, with fileless attacks at the top followed by DDoS, what is most interesting to us is that concern for each of the top-5 future threats is roughly half that of the amount of concern shown for today’s threats.

A similar pattern emerged with survey responses to the top threat actors. While malicious insiders (67% of respondents)) and external bad actors (57%), accidental insiders (55%), nation-state bad actors (52%), and organized crime (52%) rank as the most concerning threats today, nation-state bad actors (36%) and organized crime (32%) are the top 2 most concerning threat actors 1-3 years from now. However, again, the amount of concern for any time of threat actor 1-3 years from now is much less than for today’s threat actors. Overall, agencies seem confident they will be able to effectively address these threats, albeit progress will be uneven across different type of threat actor.

4 Reasons for Optimism about the State of Government Cybersecurity

Across the 2021 Cybersecurity Trends in Government Report, four key themes emerged which seem to support why public sector IT security professionals are optimistic about the state of cybersecurity over the next 1 -3 years.

1. The Right Security Technologies have been Identified and are being Implemented

The survey asked respondents about the importance of 21 cybersecurity controls, which are roughly aligned with The Center for Internet Security (CIS) Top 20 Critical Security Controls. Organizations are correctly recognizing the technologies that most effectively address today’s threats. At the forefront is Privileged Access Management (PAM), not only ranked one of the most important security measures today (61% of respondents), but also expected to increase in importance far more than any of the other security measures over the next 1-3 years.

Technology partners are working together (private-to-private) and with our government partners (private-to-government) to identify holistic security stacks that ultimately enable agencies to meet “Zero Trust Architecture” security goals.

2. Government Initiatives are Taking Aim at Attackers.

New government policies, like the Presidential Cybersecurity Executive Order (EO) and 2021 American Rescue Plan (ARP), pave a concrete path for cyber improvements and are buoying confidence in the ability to address agency cyber risks. That 82% of survey respondents indicate the ARP plan will improve cybersecurity (and 34% assert the improvement will be significant), demonstrates a strong vote of confidence.

The May 12, 2021 Presidential Executive Order on Cybersecurity put a top-down focus on cybersecurity and it’s been extraordinary to see the level of progress we’ve made on shoring up our Nation’s cyber defenses since that time.

Advancing the U.S. government towards zero trust principles is well on its way as OMB and CISA look to launch a Federal Zero Trust Strategy and a Zero Trust Maturity Model Strategy in alignment with the Executive Order. We’ve also seen major progress take shape in the form of associations or academic working groups. The Advanced Technology Academic Research Center (ATARC) Zero Trust Working Group comprised of government and industry security leaders meets on a weekly basis to address specific zero trust use cases and scenarios as defined by CISA.

Since the Executive Order came into effect, CISA has released multiple memorandums to stay in line with the timelines set forth in the order:

Change is in effect and resources are being marshalled. It’s an exciting time to be in cybersecurity.

3. Appropriate Security Budgets Are (Finally!) Being Funded.

Survey respondents gave a strong vote of confidence in their cybersecurity budgets, with an astonishing 96% saying their cybersecurity budget has adequate funding. Most respondents (56%) said they received more cybersecurity budget than last year, with only 13% seeing a decrease.

The U.S Government 2022 Fiscal Budget requests $9.8 Billion in cybersecurity funding to secure federal civilian networks and protect the nation’s infrastructure, a $1.2B increase from 2021. The budget requests an additional $500 million for the Technology Modernization Fund (TMF), an additional $110 million for the Cybersecurity and Infrastructure Security Agency (CISA), and $750 million to recover from the SolarWinds supply chain attack.

All of these numbers add to up to public sector confidence in their ability to operationalize security to mitigate risks and securely enable digital transformation.

4. Return to “Normal” as the Pandemic Subsides

We believe it’s possible that the unique circumstances wrought by the pandemic have created an era of peak cyber risk. BUT, security adjustments will soon catch up. Three years from now, absent a global pandemic, IT and security teams can simplify their focus and benefit from a return to some measure of day-to-day predictability.

Of course, while these are certainly all reasons for optimism, its possible too that respondents are viewing the future through rose-colored glasses and do not yet fully grasp the cyber risk landscape of tomorrow.

Why Organizations are Maturing Privileged Access Security Controls to Reduce Cyber Risk

Almost every cyberattack today involves the exploitation of privileges/privileged access—either at the initial point of compromise, or to advance an attack. A robust PAM strategy is integral to secure adoption of today’s digital transformation and modernization initiatives across the government. The public sector IT security leaders surveyed expect PAM to grow in importance over the next few years more than any of the other top security controls.

Zero Trust: PAM is a necessary component for enabling zero trust architectures and can enforce context-based least privilege in alignment with just-in-time access models – meaning that privilege is limited both in scope and duration. PAM enforces segmentation and microsegmentation to further limit lateral movement and line-of sight to corporate resources. Every privileged session is monitored, managed, and audited – whether human, machine, employee, vendor, remote, or on-premises.

Application Modernization: PAM solutions discover and onboard all application accounts and privileges, while also replacing embedded credentials with API calls or dynamic secrets and enforcing rotation, complexity, and other robust password security requirements.

Cloud Adoption: PAM solutions continuously discover and onboard cloud and on-premises assets, instances, accounts, etc., and enforce credential security and session monitoring and management best practices—including for control planes.

DevOps: PAM protects tools, identities, and CI/CD workflows, while supporting peak DevOps agility. Some key capabilities of PAM include discovery and onboarding of DevOps assets and accounts, centralized secrets management, enforcement of least privilege, blocking and flagging of inappropriate scripts or commands, prevention of misconfigurations, and the segmentation of development, test, and production systems.

Edge Computing / IoT: PAM solutions can secure the remote access connections between edge devices, away from the centralized corporate network, while performing advanced session monitoring that includes, screen recordings, indexing of issued commands, and the ability to automatically identify and stop inappropriate activity.

Robotic process automation (RPA): PAM solutions continuously discover and onboard RPA assets, enforce credential and session management best practices, and enforce least privilege across processes, toolsets, and workflows.

NIST, CISA, NSA, and OMB, as well as the top industry analysts, have all highlighted Privileged Access Management as one of the most critical cybersecurity areas to get right.

Closing the Cybersecurity Gap over the Next Three Years

During a period of pandemic-induced tumult and hastily embarked upon digital transformation initiatives, threat actors besieged public sector agencies like never before.

Our U.S. government is resilient, strong, and ready to protect the American people from the threat of malicious cyberattacks, cyber criminals, and nation-state bad actors. Government officials have signaled a renewed willingness to aggressively take down cybercriminals. Public sector IT security professionals, while clearly beleaguered by many threats today, seem to have wind in their sails thanks to our government’s strong, recent responses.

For insights on the public sector risk landscape and to understand how agencies are evolving their security postures, download the full 2021 Cybersecurity Trends in Government Report now.