OMB Releases Cybersecurity Report

April 6, 2016

pic-tech-computerOn March 22, the Office of Management and Budget (OMB) published its annual cybersecurity report for Congress. The report on the effectiveness of information security policies and practices during the preceding year is required by the Federal Information Modernization Act of 2014. The report covers Oct. 1, 2014 through Sep. 30, 2015.

The U.S. government is forced to fend off millions of cybersecurity threats each year from smaller threats such as emails containing malware to larger data breaches of personal information such as that which happened at the Office of Personnel Management in 2014.

During the time period covered by the report, government agencies reported 77,000 cybersecurity incidents. That number is a 10 percent increase from the 70,000 incidents that were reported in 2014. Approximately sixteen percent of the cybersecurity incidents covered by this report where non-technical issues including thing like employees losing data storage devices containing personally identifiable information. Another 14 percent of those 77,000 incidents were policy violations rather than outright data breaches.

The report noted that almost all federal agencies are challenged in keeping information safe by a lack of information security and IT personnel. The report identifies phishing as one of the most prominent types of attack techniques recorded by the government. In response to this threat OMB established goals for phishing-defense. The agency-wide goal of 90 percent coverage was not met, in large part, because scores under 10 percent by the Environmental Protection Agency (EPA), the Small Business Administration (SBA) and the National Aeronautics and Space Administration (NASA) brought the agency average to 74 percent.

Data security is incredibly important to small businesses. In a recent NSBA survey, 42 percent of small businesses indicated that they have been the victim of a cyber-attack. Because small businesses often lack the IT resources of larger companies, they face increased cyber risks and longer issue resolution times. Given, the amount of sensitive information that must be reported to SBA, NSBA supports further action to ensure the safety of that sensitive information while it is with SBA or any other government agency.