Of the incidents whose source is known, approximately 22 percent were caused by improper use of computers by authorized users, the report states. Eighteen percent of the compromises were caused by unauthorized access, and 14 percent were caused by malicious code. About 12 percent of the breaches were caused by scans, probes, or attempted access by external attackers.
Of the 24 agencies reviewed, 13 reported "significant deficiencies" in information security, the GAO says. Seven agencies reported "material weaknesses" that still have not been repaired. Only four agencies reported "no significant weakness," the report states.
Directly from the GAO findings, "Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses":
According to our reports and those of agency inspectors general, persistent weaknesses appear in the five major categories of information system controls: (1) access controls, which ensure that only authorized individuals can read, alter, or delete data; (2) configuration management controls, which provide assurance that only authorized software programs are implemented; (3) segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection; (4) continuity of operations planning, which provides for the prevention of significant disruptions of computer-dependent operations; and (5) an agencywide information security program, which provides the framework for ensuring that risks are understood and that effective controls are selected and properly implemented.
Those issues, while challenging, aren't esoteric IT security issues. They're the basic blocking and tackling of good provisioning and identity management, configuration management, and risk management. And more agencies should have a better handle on their risks by now.
To follow my mobile security and technology observations, consider following me on Twitter.