Agencies Need to Maintain a Sense of Cyber Urgency

The heightened cybersecurity risks that come with remote and hybrid work could soon be compounded by another threat: security apathy and complacency.

The problem is that, after 18-plus months of dealing with the security challenges associated with remote work, security and IT professionals and end users might begin to feel overconfident and let their guard down.

Such an attitude can be costly, according to a new study released by SolarWinds, “IT Trends Report 2021: Building a Secure Future.”

“Apathy and complacency are surefire ways to reduce exposure to new technologies, better ways of working, or worse, a lack of awareness to other areas of risk within an organization that aren’t always obvious,” the report states.

Definitions

Security apathy is rooted in a mentality of “it won’t happen to me” or “it’s somebody else’s problem,” said Brandon Shopp, Group Vice President of Product Management at SolarWinds.

Security complacency, on the other hand, is a form of desensitization. Cyberattacks have become so common that some people cease to be alarmed.

In either case, people lose their sense of diligence, which puts them and their organizations at risk. For example, phishing attempts often contain a tell – a misspelling, an odd URL or other clues indicating illegitimacy. People who aren’t diligent might miss them. That is why agencies need to convince their employees, IT professionals or not, that security is part of their job, Shopp said.

Make Security Personal

One way to get employees focused is to make it personal. For example, get employees to think about the personally identifiable information their agency has on them. This includes name, home mailing address, Social Security number, date of birth and other key ingredients for identity theft.

Once that sinks in, it’s easier to talk to employees about their responsibility to protect the information and operations critical to supporting an agency’s mission and protecting the well-being of constituents.

Agencies must make risk aversion the norm, so employees “see any level of risk as unacceptable,” the report states.

Key Areas of Focus

Security isn’t just the responsibility of individuals. Agencies also must ensure they treat security as a top priority. SolarWinds recommends two areas of focus:

Prioritize the development of cyber experts. Given the high demand for cyber experts, agencies should focus more energy on developing talent in house. Shopp said one approach is to convert IT professionals, who are already tech-savvy, into cyber professionals.

Prioritize collaboration between tech pros and leaders. Policies and strategies aimed at reducing risk should reflect both technical and organizational expertise and requirements.

Shopp said agencies also should collaborate more with trusted industry partners. SolarWinds, for example, isn’t just a technology vendor; it also has a large development shop, as many government agencies do, and can exchange ideas about cyber strategies, tools and best practices.

“When I think about collaboration, it really just comes down to transparency,” Shopp said.

This article is an excerpt from GovLoop’s guide, “Conversations With CXOs: Your Crash Course on the Future of Gov.”
