The government sector lags behind others in implementing modern cybersecurity defenses, according to a new report from security firm Netwrix. This failure to update has led to an increase in breaches: 72% of government entities worldwide had their security compromised in 2016, the report found. And only 14% of government organizations consider themselves to be well-protected against cyber threats.

Government agencies are targeted by hackers due to the sensitive information they store, including citizens’ data (such as addresses, driver’s license numbers, Social Security numbers, financial data, and healthcare records). They also house information critical to local or national security. Other hackers are interested in gaining access to important infrastructure to damage control systems or disrupt public services, the report noted.

However, the main threat is less nefarious than you may expect: Employees. A whopping 100% of IT specialists working for government agencies worldwide said they see employees as the biggest threat to security. In 2016, human error caused security incidents in 57% of government entities, and system downtime for 14% of them. Additionally, 43% of government IT professionals said they investigated security incidents that involved insider misuse.

SEE: Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse (free PDF)

“All government entities surveyed consider their own employees to pose the biggest threat,” wrote Ryan Brooks, product evangelist at Netwrix, in a blog post about the findings. “It is interesting how the loudest headlines (state-sponsored attacks carried out by hackers, for example) don’t always correspond with the respondents’ perceptions and priorities.”

Still, the majority of government organizations have not implemented security governance or risk management within their IT infrastructures, the report found. And 75% of respondents said there were no dedicated security personnel in their agencies, leaving compliance and security to be shouldered by IT operations teams alone. As a result, junior and middle IT staff reported a lack of time (57%) and lack of budget (54%) as the main factors preventing them from taking a stronger security approach. The growing complexity of IT infrastructure (43%) and data assets (43%) were also factors.

Governments are doing little to modernize cybersecurity practices, the report found: They continue to focus on protecting endpoints (57%), corporate mobile devices (50%), and on-premises systems (43%), even as the threat landscape and modern IT infrastructure has changed. For example 75% of government entities do not have any visibility into BYOD, 67% lack insight into shadow IT, and 60% have no visibility into their cloud infrastructures, according to the report.

“The general conclusion we can draw is that government agencies need to start approaching IT risk from the top down: Senior management must get more deeply involved and fund cyber-security initiatives,” Brooks wrote. “Otherwise, their IT teams will not have the visibility required to maintain stable IT operations, comply with regulatory requirements and identify ongoing security threats, let alone proactive risk mitigation.”

Want to use this data in your next business presentation? Feel free to copy and paste these top takeaways into your next slideshow.

  • 72% of government entities worldwide had their security compromised in 2016. -Netwrix, 2017
  • Only 14% of government organizations consider themselves to be well-protected against cyber threats. -Netwrix, 2017
  • 100% of IT specialists working for government agencies worldwide said employees are the biggest threat to security. -Netwrix, 2017