FISMA Audit: Feds Still Extremely Vulnerable to Cyber Attack
A new report from the Government Accountability Office (GAO) released on September 29 highlights the challenges that 24 federal agencies still face when it comes to applying information security policies and practices, despite throwing billions of dollars at the problem.
"Federal agencies' information and systems remain at a high risk of unauthorized access, use, disclosure, modification and disruption," Gregory Wilshusen, information security issues director at GAO, says in the report.
How the Ashley Madison Attack Impacted Government Agencies
The Ashley Madison attack has received a lot of attention in the past few months, since the breach of the private Canadian firm Avid Life Media, which owns the affair website. So why is it of interest to federal agencies? A lot of the email addresses revealed in the database were government and military email addresses. Although it doesn't look good, the release of these names and email addresses doesn't prove that their owners were having an affair. There are reportedly a lot of .mil and .gov addresses that were used to create accounts, but it's hard to say who was actually using them.
Feds Still Behind the Curve in BYOD – Security the #1 Concern
The growth of BYOD programs is exploding in the private sector. Indeed, Gartner expects half of all companies to establish mandatory BYOD policies by 2017. After all, the economics make sense: according to Cisco, the predicted savings per employee amount to a staggering $3,150.
So how is the federal government responding to the BYOD boom? Not well, according to all reports.
4 Things DoD Has Learned from the OPM Data Breach
In the few months since the data breach at OPM was announced, IT leaders and agencies have been assessing the damage and scrambling to manage the fallout (with some even finding positives in the wake of the breach).
So where has all this introspection got us? This month, a discussion brought together military leaders to share some of the lessons learned at the DoD.
Writing for Federal Computer Week, Zach Noble summarized some of the key takeaways:
7 Ways to Protect the Endpoint and Win the Cybersecurity War Within
Thought your agency’s endpoint protection was up to snuff? Think again.
According to DLT partner, Symantec, legacy endpoint practices, processes, and technologies are no longer sufficient to block attacks.
How Agencies can Respond to Future Cyber Attacks with Incident Response
Data breaches. Not a day seems to pass by without concerns about new vulnerabilities, a successful hack, or a scramble to respond.
Without an incident response plan, the impact can be catastrophic, as we've seen at OPM, IRS, and the list goes on. A plan makes the difference between a hacker who simply gets in the front door without fruitful results and one who sneaks in, lies low for months and compromises or steals vast amounts of sensitive data. A breach also creates a huge PR headache and compromises employee trust.
Symantec Now Protecting More Than One Billion IoT Devices
The Internet of Things (IoT) just got a lot more secure. DLT partner, Symantec, announced in late August that it is securing more than one billion IoT devices – including everything from ATMs to vehicles to critical infrastructure.
The number of IoT devices is expected to reach 25 billion by 2020, and from a security perspective these devices remain particularly vulnerable to attacks because of their always-on nature.
Get Ready to Welcome Fiscal Year 2016 with Some Cybersecurity Smarts
Spam Gets Canned: Rates Drop Below 50% for First Time in a Decade
According to the latest monthly intelligence threat report from DLT partner, Symantec, spam has dropped below 50% for the first time since September 2003.
During June 2015, of the 25 billion email messages monitored by Symantec, only 46.4% were junk.
So what’s behind the downward trend?
5 Reasons Why Conventional IT Security is Failing and CDM is your Best Defense
Security breaches are on the rise and government systems are goldmines for would-be intruders. If 2015 has taught us anything, it's that it's no longer a case of if or when a significant security incident will occur, but how well your processes and controls address detection, analysis and response.