Image: istock/BCFC

In response to the recent wave of high-profile ransomware attacks, the U.S. government has been taking a more active role in the battle against cybercrime. Beyond going after ransomware gangs and recovering money stolen from victims, the feds have been announcing new initiatives and pushing federal agencies to better secure themselves. But is there more the government should be doing? A new report by security firm Tripwire attempts to answer that question.

SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)

Released on Tuesday, Tripwire’s Survey: Security and Federal Government was based on a poll conducted by Dimensional Research of 306 security professionals in the U.S. working at organizations with more than 1,000 employees.

Some 34% of the respondents work for the federal government. Another 17% work for critical infrastructure companies, such as those in manufacturing, energy, pharmaceutical, food and agriculture, and oil and gas. The rest were employed in other private sector companies.

One question in the survey asked about the security standards advanced by the National Institute of Standards and Technology. NIST’s cybersecurity framework offers guidelines and best practices for managing security threats. Around a quarter of those surveyed said they’re required to follow NIST standards, while another quarter said they follow them although they’re not required. Only around 5% said they don’t follow these guidelines at all. And 95% who follow the standards said they found them extremely, very or somewhat valuable.

Among the 95% of those surveyed who think the federal government should take more steps to better secure private sector companies, 43% said that the feds should improve and strengthen NIST standards. Others said that NIST standards should be enforced outside the federal government.

Some said that the government should unveil new legislation with enforcement and oversight of security standards, while others said that it should be more aggressive at using diplomatic tools to discourage foreign hackers. Two more recommendations were that the government should regulate cryptocurrencies to create barriers to ransomware and that it should give more support to victims of ransomware. Only 5% said the government should not play a cybersecurity role in the private sector.

SEE: Patch management policy (TechRepublic Premium)

They survey also asked whether the federal government is doing enough to prevent ransomware attacks? Here, the responses varied greatly among the respondents. A full 81% of those who work for the government said it is doing enough, but 71% of those who work in critical infrastructure and 80% of those in other private sector companies said it’s not doing enough.

Is the federal government more effective at cybersecurity than the private sector? That question also divided the participants as 43% said government agencies were better, while another 43% said the private sector does a better job. Following up on that question, Tripwire asked security pros whether their organizations are prepared to handle new threats. The majority (59%) said that they’re just barely keeping pace, 29% said they’re staying ahead and 12% said they’re falling behind.

Among those who said their organization may be falling behind on cybersecurity, most cited the lack of internal expertise and resources. Others said that it’s impossible to keep up with new types of attacks, that leadership doesn’t prioritize cybersecurity and that their industry hasn’t traditionally been a target.

Those who said their organization is keeping pace or staying ahead of threats pointed to such reasons as a heavy investment in the people and tools required to do the job, leadership making security a priority, doing the basics of cybersecurity well, and the cost of failure being too high.

Out of all the types of cyberattacks that most concern security pros, ransomware was cited by 53%, vulnerability exploits by 35%, phishing emails by 34%, and social engineering by 24%. Asked whether they changed their cybersecurity defenses as a result of recent attacks against critical infrastructure, almost half said that they did, while 35% said they’ve planned certain changes but haven’t yet implemented them.

SEE: How to become a cybersecurity pro: A cheat sheet (TechRepublic)

Finally, the survey covered the topic of zero trust, which is frequently recommended as a best practice to protect your critical data and other assets. Some 75% of those surveyed believe that zero trust architecture would be highly or somewhat likely to improve their cybersecurity.

Asked about the benefits of zero trust, most said that all communication is secured regardless of network location. Other respondents said that access to individual enterprise resources is granted on a per-session basis, all data sources and computing services are considered resources, access to resources is determined by a dynamic policy, and all attempts at authentication and authorization are strictly enforced before access is allowed.

“It’s clear that organizations–both public and private sector–are seeking further guidance from the federal government,” said Tim Erlin, vice president of strategy at Tripwire. “Generally, long-term enforcement and implementation of cybersecurity policy will take time, but it’s important that agencies lay out a plan and measure execution against that plan to protect our critical infrastructure and beyond.”