Holding the door open for strangers may be polite in the physical world, but in the cyber world, it comes at a huge cost for state and local agencies.
Employees can inadvertently allow improper access to systems and data by sharing passwords, opening emails with phishing links, leaving laptops unlocked and more. If you aren’t careful, you can “walk the bad guys through the door, hand in hand,” said Solomon Adote, Chief Security Officer for Delaware.
That’s why state and local cybersecurity experts want employees to better understand one thing: “All it takes is one click to open up an incident,” said Tanya Hannah, Director and Chief Information Officer for King County, Washington.
Every employee must be aware of and responsible for preventing security breaches. Managers and supervisors, particularly, should understand that each interaction with a computer system has a certain risk level, even something as mundane as email.
In 2019, organizations lost $1.7 billion due to compromised business emails, the FBI reported. Understanding how you use technology in your role, the related risks and the potential ways you could be targeted can make the difference between a successful breach and a failed one.
All of this is what cybersecurity training intends to achieve – but when training is tedious or punishing and another roadblock to people’s jobs, the intended outcome doesn’t occur. It’s a delicate and often thankless balance that cybersecurity teams handle.
- Delaware struck a balance by providing Netflix series-type episodes on cyber awareness for employees to watch, learn from and even enjoy. In addition to the yearly mandatory training, these brief monthly videos engage viewers to be vigilant about their cyber hygiene.
“From a cybersecurity perspective, you hardly get great feedback on what you do. You just created another obstacle for people to overcome to do their jobs,” Adote said. “But when they reach out and say, ‘I really enjoyed that series,’ or ‘[This character] is hilarious, I wouldn’t do what [they] did,’ you know you’re getting the message across.”
What’s the message? The message is that everyone plays a part in cybersecurity. Cyberattacks don’t just impact cyber teams, but the whole agency. It’s why risk management as a strategy can help.
- “Cyber incidents can have operational, financial and reputational impacts on our organizations,” Hannah said. “Cyber risk management is using a framework to understand the risks within the organization and the appetite for dealing with risk, whether you’re risk-averse — which a lot of government organizations are — or risk-seeking.”
Even small agencies should take risk management seriously and practice it. It’s not just for large agencies and the federal government, Hannah said.
- King County, Washington, partners with smaller counties to share cyber incident plans, best practices and lessons learned.
- “If you don’t have that available, reach out to us,” Hannah said. “It’s available to everyone.”
Identity management is one place to start managing cyber risk. It’s a central theme in the president’s recent cybersecurity executive order, Adote said.
- Identity, or ensuring that the right users have appropriate access to IT resources, is the new perimeter that agencies must secure.
- It is essential to carrying out zero trust, also highlighted in the executive order, which is the security philosophy that mandates continual verification of user identity and activity.
The Main Point: “It starts from the basics. Have a strong foundation,” Adote said. “Identity will be a great foundation to build your program on.” Hannah said, “And [it’s] something you can get funding for.”
This article is an excerpt from GovLoop’s resource, “What You Can Do Now to Prepare and Persevere Through the Next Cyberattack.”