Nearly 6 percent of defense contractors reported one or more data breaches since 2016, and about one in five users at technology and defense contractors has an outdated internet browser, according to a report released Feb. 15 by BitSight, a cybersecurity company.
Compounding the potential harm from contractor breaches is the damage caused to government agencies by security lapses at other companies. For example, the Federal Emergency Management Agency says 200,000 possibly fraudulent 2017 disaster aid claims may be linked to a breach last year at one of the three U.S. credit monitoring firms.
More than 8 percent of healthcare contractors disclosed a breach since 2016, BitSight found in a survey comparing the cyber performance of more than 1,200 federal contractors to that of more than 120 federal agencies.
The company operates a proprietary infrastructure to identify botnets — networks of private computers infected with malicious software and controlled as a group without the owners’ knowledge. The data it collects “reveals that the U.S. federal government and its contractor base have pervasive botnet infections on their networks.”
It also shows that healthcare, manufacturing and engineering suppliers’ problems are worse than those of federal agencies, according to BitSight.
Federal agencies should bolster attention to contractors’ cyber risks and security, BitSight recommended. They should perform “cybersecurity diligence on contractors and subcontractors” before contracting with them, and should continuously monitor supplier security efforts. Agencies also should require prime contractors to monitor cyber hygiene throughout their supply chains, the company said.
Data breaches at companies that don’t work for the government can damage federal agencies, too, as FEMA is learning.
Hurricanes, wildfires, drought and freezes made 2017 the most expensive year ever for natural disasters in the United States, according to the National Centers for Environmental Information at the National Oceanic and Atmospheric Administration. The disasters caused 362 deaths and cost more than $300 billion.
As a result, 4.7 million Americans filed claims for federal aid, the Economist reported Feb. 8 — among them, 200,000 suspected of being fraudulent, FEMA spokesman David Passey told the publication. A data breach at U.S. credit reporting agency Equifax may have been the source of some stolen identities used by the fraudsters, Business Insider reported Feb. 12.
In September 2017, Equifax announced it had suffered a breach between May and June 2017 that may have exposed the Social Security numbers, credit card numbers and other information of up to 145.5 million people.