In our recent guide, The Future of Cybersecurity, we explore 15 trends transforming the way government safeguards its information and technology. One of our trends is “Cyber as everyone’s job.” In this blog post, we explore exactly what that means, why it’s important, and who is making it happen on the ground.
What is it? Empowering every system user, not only the IT team, to detect and protect against cyberthreats.
Why is it important? When asked during a congressional hearing who was responsible for the 2014-15 OPM hacks, former Director Katherine Archuleta responded, “This is an enterprise-wide problem and cybersecurity is the responsibility of all of us.”
Although the OPM breach itself appears to have resulted from the exploitation of a system vulnerability rather than from an individual employee's mistake, Archuleta's point was clear: we can no longer rely on one person or one department to protect government information systems, because security is everyone's job.
What's more, she's not the only government leader who thinks that. According to one survey, more than half of government IT professionals identified careless or untrained employees as their biggest security concern. That is unsurprising when you consider that many attacks deliberately target untrained employees, because tricking a person into giving up credentials is often easier than breaking into the information system directly. Furthermore, the unintentional loss or exposure of documents can be just as damaging to an agency as any deliberate insider breach.
Agencies have a substantial opportunity to strengthen their cybersecurity simply by educating all their employees, not just IT professionals, to handle sensitive information properly.
Who is doing it? Starting in fall 2013, Montana officials mandated annual cybersecurity training for all state executive employees. To provide that training, the Information Security Bureau (ISB) partnered with the SANS Institute, a provider of security training and certification. The resultant program, called Securing the Human, is a compilation of online cybersecurity courses that all state government employees can access.
Training is broken into three tracks: general awareness, technical, and management. Each track corresponds to an employee's role and level of technical skill, with more senior employees required to complete both the basic and the advanced instruction.
General training is required for every executive branch employee and covers basic cyber hygiene best practices, including Internet security, password protection, mobile device security, and protecting privacy. Technical training covers more advanced skills such as encryption and cloud computing. Finally, management training offers leadership guidance and lessons on recognizing red flags within security systems.
In addition to these three programs, which total about five hours and cover more than 25 topics, employees may access additional training relevant to their specific job functions. The program is mandatory for all executive branch staff, but other employees and state contractors may also participate in training programs at no cost.
To extend cybersecurity training beyond the online classes, ISB also provides reference materials, monthly security newsletters, and tips of the week to continue employee education. The State Information Systems Security Office also promotes cybersecurity awareness with events, games, posters, and prizes during annual Cybersecurity Awareness Month.
Read about the other 14 trends taking government cybersecurity by storm in our guide, The Future of Cybersecurity.