By Clare O’Gara
Tue | Jul 30, 2019 | 11:11 AM PDT

Another day, another revealing cybersecurity investigation from the U.S. Government Accountability Office (GAO).

In this annual report for 2018, the GAO found agencies continue to fall short on implementing security policies.

And these high-risk programs could have significant consequences for government operations and assets.

How different departments measure up

Since 2015, the GAO has made over 1,400 security recommendations for government departments.

But according to the report, these agencies are having some trouble listening:

Many agencies continue to be challenged in safeguarding their information systems and information, in part, because they have not implemented many of these recommendations.

As of May 2019, approximately 500 of our prior recommendations had not been implemented.

This "challenge" to safeguard information systems is most visible in how these departments are using their IT budget.

When it comes to IT security, these agencies are struggling to put their money where their mouth is:


When you add up the total amount of IT spending across all departments, the percentage used for cybersecurity is only 14%.

In fact, it's rare for any agency to use even 20% of its spending for security.

Numbers that low demonstrate some shocking cybersecurity neglect.

What happens when policies fail... or no one follows them

With so little attention given to IT security, government agencies are leaving their doors wide open to cyber threats.

And the GAO report backs this up.

It found that these departments faced 31,107 security incidents in 2018. And 31% of these incidents were committed by authorized users—also known as insider threats.


If the federal government wants to avoid potentially dangerous consequences, it needs to make security a higher priority.

Read the full GAO report here.