The Threat Within – Is it you?

This blog post is a recap from GovLoop’s Government Cybersecurity Virtual Summit. To see more blog posts about the summit, click here.

Cybersecurity threats come in a variety many forms. You have the hackers, the breachers, the purposeful infiltrators and then you have the employee who simply made a mistake.

Whether they know it or not, the biggest risk to any agency’s security is lapses in judgment by their own employees. A failure to change a password or securely log a computer off the network can causes major endpoint vulnerabilities for government.

On today’s online training, “The Threat Within – Is it YOU?,” nearly 32 percent of participants said they don’t think their organization handles insider threat challenges well.

To understand how agencies can better tackle potential insider threats, we heard from Jay White, Director of the Security Services Division for the Mississippi Dept. of Information Technology Services, and David Geick, Director of IT Security Services DAS/BEST for the state of Connecticut. They suggested four tactics for increasing agency security from intentional or malicious insider threats.

Tactic #1: Consistent Education

“First of all, it’s about helping the users understand that their actions are very important,” White said. “They have to know that mistakes and errors are costly.”

This education is usually delivered via formal trainings, but they aren’t always effective.

Geick emphasized the need for that training to be digestible and consistent.   In Connectictut, he said they had always required government personnel to take cybersecurity training. However, those presentations were usually only slide-based and were only held once a year.

“What we were finding is that people were taking the training and then a few months later they were falling for a phishing campaign,” Geick said. To increase retention and application of that cyber education, the state decided to move to a new model. Now they host 15-minute modules, once every other month to provide “ongoing refreshers” to cybersecurity topics. They also accompany those trainings with constant reminders and security tips.

Similarly, Mississippi assigns 5-15 minute, interactive trainings to employees once a month to increase retention.

Tactic #2: Encourage participation

Both White and Geick said it’s critical that this education component encourage employees to take a more active role in cybersecurity. Specifically, they said employees should be taught the best practices for daily cybersecurity, commonly called “cyber hygiene.”

“Government workers operate complex systems and organizations, and there are a lot of information that can be used against us to execute social engineering,” Geick siad. “The best password in the world doesn’t work if that person is willing to click on a link and access a website they aren’t supposed to.”

Geick said management and leadership are vital to ensuring lower-level employees deploy cyber hygiene tactics. White agreed: “We tell our employees to be vigilant,” he said. “Don’t be afraid to ask who people are… don’t assume everyone in your building is someone who should be there. And if you see someone in the organization who is clearly doing something wrong, don’t be afraid to address that with your organization.”

In Mississippi, government cybersecurity training is actually informed by the employees themselves. The Security Services Division is in charge of providing education, but they rely on an advisory committee with stakeholders from various departments to inform the curriculum. That setup ensures the real needs of government employees are incorporated into cybersecurity programs. 

Tactic #3: Automate where you can

However even the best policies and education can go awry. Geick pointed out that often the reason we see insider threats occur is because employees use complex systems that may outpace their IT understanding. In those instances, automated solutions that can quickly detect and stop misuse are necessary to safeguard the systems they use.

“Take as much out of the hands of your users that you can,” advised Geick. Using tactics like multifactor authentication or automatically shutting down personal systems at night can minimize the burden on employers to secure their information.

“You can follow up with people who make mistakes and offer constructive help but you really have to balance that with tools to automate the process of prevention when you can,” agreed White.

Tactic #4: Monitor behavior

Finally, our experts suggested leveraging analytics to monitor government networks. This helps solve the biggest challenges of insider threats: identification and reaction. “We do a good job of knowing what behavior should be but we aren’t as good at identifying and reacting to behavior when it changes, or when it’s wrong,” said White.

The first step to monitoring behavior is understanding both the assets that comprise your network and how your users interact with them.

White said you specifically need to understand your users, how they could damage your systems, and why they might compromise your systems. Then choose solutions that monitor those potential pathways. This is especially important as it relates to IT administrators and other privileged users. “For those people who have keys to the kingdom, you need to know how they’re using what they have access to,” Geick said.

Robust analytics solutions can help monitor – and react to ­– abnormal user behavior that could indicate an insider threat.

However, technical solutions are only one piece to the insider threat security puzzle. White and Geick concluded by reminding us that you can’t just pick one tactic to combat these issues. “With ongoing resource constraints, you are always trying to choose between building a program or building a technology. If you don’t have a program, the technology might not do you much good, after all,” Geick said

To effectively combat insider threats at your agency, make sure to deploy a range of education, cultural and technical solutions.

Did you enjoy GovLoop’s Government Cybersecurity Virtual Summit? Don’t miss our next virtual summit, all about government innovation, on May 10. Sign up here.