[BreachExchange] Promoting a Workplace Cybersecurity Culture

[Audrey McNeil]

https://www.govloop.com/community/blog/promoting-workplace-cybersecurity-
culture/

Cybersecurity awareness ranks high on the federal government’s agenda and
rightly so. Data breaches at federal agencies affect not only the entity in
question, but potentially countless U.S. citizens whose private information
it might possess.

Earlier this year, a hack of the FBI and Department of Homeland Security
resulted in the contact information of nearly 30,000 employees being posted
to Twitter. How? Further investigation determined that the breach
originated when a hacker gained access to a Department of Justice employee.

In another notable data breach, hackers penetrated the IRS’ “Get
Transcript” program—which allows users to check their personal tax history
online—and proceeded to steal an estimated 700,000 social security numbers
and other sensitive information. Meanwhile, CNN reported last June that the
Federal Reserve has experienced near-constant attacks for years—including
incidents that were determined to be attempted espionage.

With relentlessly malicious attempts by increasingly industrious cyber
criminals, it’s no surprise that federal agencies are adamant about
educating employees about cybersecurity issues through webinars, videos and
occasional training sessions.

But developing a truly effective cybersecurity culture, however, requires
that agencies take a deeper look at how they promote and enforce
cybersecurity policies among their employees. With that in mind, here are
five tips we’ve found beneficial for fostering a cyber-aware professional
culture:

1. Personalize the message for your audience

While certain ideas and policies apply across an entire organization,
others might only apply to a smaller subset. To ensure each group is
adequately prepared for potential risks, it’s important that training and
policies be personalized on a sub-agency level.

The USDA, for instance, has 30 sub-agencies with widely differing
activities. A message about for the Forest Service might not apply to the
Agricultural Research Service (ARS).

2. Take a proactive, not reactive approach

Too often, cybersecurity policies are taught and enforced with a more
reactive approach, instead of a proactive one. But cybercrime prevention
isn’t about what you do after a breach occurs—it’s about what you do to
avoid the breach in the first place. And that requires a positive,
proactive approach.

In other words, instead of focusing on what happens if cyber criminals
strike, federal agencies need to promote the benefits of establishing and
respecting cyber security policies. For example, focus on the benefits of
gaining a competitive advantage for the ARS by keeping proprietary research
away from competitors and adversaries.

3. Diversify your communications channels

Email is not effective. Federal employees already receive throngs of emails
every day. Consequently mass emails become like static—not the most
effective means of communicating critical messages.

Larger agencies should take advantage of smart, interactive training
programs tailored to their specific needs. Conversely, agencies with
smaller budgets can use their existing tools, such as a five-minute video
messages from their under-secretary or security director about how to guard
against cyber criminals and the benefits of doing so.

4. Tap into employees’ sense of public service

Government work requires a sense of mission—and a mindset that prioritizes
it. Federal agencies should draw on this to explain the role of
cybersecurity in protecting and achieving the overall mission, from the
risks that cyber threats pose to the potential gains offered by employees
who successfully adopt and adhere to the organization’s cyber strategy.

Use every opportunity, from team meetings to human resources materials to
lunch-and-learns, to explain how employee vigilance—particularly
surrounding public data—directly affects American citizens, from health to
national security.

5. Capitalize on the cloud

Telecommuting is an expected norm in today’s professional world, including
in the federal realm. As such, agencies need to explore cloud and
virtualization solutions that ensure their employees can work remotely and
in a safe, secure way.

Currently, many federal agencies cannot regulate BYOD. Consequently,
employees often remove files from secure environments to work from home or
on the road—with or without agency approval.

Investing in the cloud would allow government agencies to track the
movement and modifications to files wherever they’re accessed—and also
allow employees to access these files remotely and securely.

In short: While everyone from individual employees to top-level leaders
plays a role in cybersecurity awareness, developing and reinforcing a
meaningful strategy starts at the top and requires a culture that coincides
with and embraces cybersecurity throughout. Fostering that kind of culture
will set agencies up for success.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161024/b2a4d5a0/attachment.html>