Promoting a Workplace Cybersecurity Culture

Cybersecurity awareness ranks high on the federal government’s agenda and rightly so. Data breaches at federal agencies affect not only the entity in question, but potentially countless U.S. citizens whose private information it might possess.

Earlier this year, a hack of the FBI and Department of Homeland Security resulted in the contact information of nearly 30,000 employees being posted to Twitter. How? Further investigation determined that the breach originated when a hacker gained access to a Department of Justice employee.

In another notable data breach, hackers penetrated the IRS’ “Get Transcript” program—which allows users to check their personal tax history online—and proceeded to steal an estimated 700,000 social security numbers and other sensitive information. Meanwhile, CNN reported last June that the Federal Reserve has experienced near-constant attacks for years—including incidents that were determined to be attempted espionage.

With relentlessly malicious attempts by increasingly industrious cyber criminals, it’s no surprise that federal agencies are adamant about educating employees about cybersecurity issues through webinars, videos and occasional training sessions.

Developing a truly effective cybersecurity culture, however, requires that agencies take a deeper look at how they promote and enforce cybersecurity policies among their employees. With that in mind, here are five tips we’ve found beneficial for fostering a cyber-aware professional culture:

1. Personalize the message for your audience

While certain ideas and policies apply across an entire organization, others might only apply to a smaller subset. To ensure each group is adequately prepared for potential risks, it’s important that training and policies be personalized on a sub-agency level.

The USDA, for instance, has 30 sub-agencies with widely differing activities. A message for the Forest Service might not apply to the Agricultural Research Service (ARS).

2. Take a proactive, not reactive approach

Too often, cybersecurity policies are taught and enforced with a more reactive approach, instead of a proactive one. But cybercrime prevention isn’t about what you do after a breach occurs—it’s about what you do to avoid the breach in the first place. And that requires a positive, proactive approach.

In other words, instead of focusing on what happens if cyber criminals strike, federal agencies need to promote the benefits of establishing and respecting cybersecurity policies. For example, focus on the benefits of gaining a competitive advantage for the ARS by keeping proprietary research away from competitors and adversaries.

3. Diversify your communications channels

Email is not effective. Federal employees already receive throngs of emails every day. Consequently, mass emails become like static—not the most effective means of communicating critical messages.

Larger agencies should take advantage of smart, interactive training programs tailored to their specific needs. Conversely, agencies with smaller budgets can use their existing tools, such as five-minute video messages from their under-secretary or security director about how to guard against cyber criminals and the benefits of doing so.

4. Tap into employees’ sense of public service

Government work requires a sense of mission—and a mindset that prioritizes it. Federal agencies should draw on this to explain the role of cybersecurity in protecting and achieving the overall mission, from the risks that cyber threats pose to the potential gains offered by employees who successfully adopt and adhere to the organization’s cyber strategy.

Use every opportunity, from team meetings to human resources materials to lunch-and-learns, to explain how employee vigilance—particularly surrounding public data—directly affects American citizens, from health to national security.

5. Capitalize on the cloud

Telecommuting is an expected norm in today’s professional world, including in the federal realm. As such, agencies need to explore cloud and virtualization solutions that ensure their employees can work remotely and in a safe, secure way.

Currently, many federal agencies cannot regulate BYOD. Consequently, employees often remove files from secure environments to work from home or on the road—with or without agency approval.

Investing in the cloud would allow government agencies to track the movement of and modifications to files wherever they’re accessed—and also allow employees to access these files remotely and securely.

In short: While everyone from individual employees to top-level leaders plays a role in cybersecurity awareness, developing and reinforcing a meaningful strategy starts at the top and requires a culture that coincides with and embraces cybersecurity throughout. Fostering that kind of culture will set agencies up for success.
