Cybersecurity attacks are getting increasingly sophisticated. According to Symantec's 2018 Internet Security Threat Report, the number and complexity of major hacks are growing. Hacks on internet-connected devices increased 600 percent, while cryptojacking (hacking a device to mine digital currency without the owner's knowledge or consent) grew a whopping 8,500 percent. Even mobile devices aren't safe, as targeted malware more than doubled.
This means that organizations of all types need to take cybersecurity seriously if they haven't done so already. The consequences can be dire, especially for government contractors.
Risks are on the rise
To understand how much damage could occur from a single hack – as well as the most likely threats – consider the recent news that hackers connected to the Chinese government stole 614 gigabytes of data from a private contractor.
As The Washington Post first reported, the target was a contractor working for the Naval Undersea Warfare Center, an organization that researches and develops underwater materials such as weapons and submarines. The contractor was not identified, but among the data stolen were plans for a supersonic anti-ship missile that would be added to U.S. submarines by 2020. Hackers also stole radio information and data from signals and sensors.
These details are bad enough, but what makes the situation most upsetting is the fact that the data stolen, when collected as a unit, could be considered classified but was stored on the contractor's unclassified network.
Unfortunately, this hack is not an isolated incident. A report from BitSight, a cybersecurity firm, found that a number of government contractors suffered data breaches between Jan. 1, 2016 and Feb. 1, 2018. While the actual percentages of contractors that disclosed one or more breaches are technically small – healthcare/wellness was the largest at 8.2 percent – even a small number of contractors could hold highly sensitive data that could be detrimental to the U.S. if it ends up in the wrong hands.
The report also noted that contractors fall far behind government agencies in terms of security. Interestingly, those in manufacturing, engineering and technology did worse than companies in business services, aerospace/defense and healthcare/wellness.
Protecting against security threats
Per The Washington Post, Defense Secretary Jim Mattis asked the Pentagon's inspector general's office to focus on cybersecurity issues affecting government contractors. Given these recent events, it's also a good idea for contractors to make sure they adhere to data security best practices.
BitSight identified several areas where contractors fail in that regard. For example, almost 20 percent of aerospace/defense and technology contractors use outdated internet browsers, which leaves them vulnerable to a number of different hacking strategies.
Here are a few simple ways contractors can start improving their security.
- Keep internet browsers and software updated: Developers constantly release new versions that protect against known security issues. Using outdated browsers and software leaves contractors unprotected against the latest threats.
- Train employees on common cybersecurity risks: Contracting staff should know never to give their credentials to an unauthorized party. They should also be trained to spot hackers pretending to be reputable organizations in order to access sensitive information, a technique known as phishing.
- Limit access to sensitive data: Only a handful of people should be able to view classified data.
- Terminate user sessions after a set period of inactivity: This way, unauthorized users are less likely to see classified information.
- Secure wireless access with encryption and authentication: This can prevent unauthorized users from spying on contractor networks.
- Encrypt data: If hackers manage to access a network, encrypting any data transmitted makes it harder for them to decipher information.
For more information, government contractors should visit the National Institute of Standards and Technology's page on cybersecurity.