By Omar Rafik, SolarWinds Senior Manager, Federal Sales Engineering
Here’s an interesting article by my colleague Jim Hansen with ideas for engaging agency staff to be part of the solution to security challenges. Insider threats have been a leading cause of breaches for as long as I can remember, and I like Jim’s approach of making everyone a security advocate.
The rising number of data breaches should come as no surprise to federal IT security pros who work every day to ensure agency information is secure. However, these breaches may not be something a federal IT team can prevent on its own.
According to the most recent SolarWinds Federal Cybersecurity Survey, more than 50% of respondents say careless or untrained users are the leading cause of data breaches across the federal government. Spam, malware, and social engineering are far and away the greatest threats; oftentimes end users unknowingly take actions that go against agency security policy or harm the network.
Three Steps to Stronger Security
While technology is generally the most solid defense against security threats, federal IT security pros should also take the following steps to improve agency security.
1. Start from the top. In any organization, leadership sets the tone. If all agency heads become security advocates, it sends a clear message about prioritizing security initiatives. Consider hosting a town-hall-style meeting, or a “lunch and learn,” where leaders explain what’s at stake to encourage employees to take a more personal approach to security. Leadership can explain what they do to protect agency data while discussing the importance of agency policies and enforcement.
2. Provide solid user education. Security breach statistics consistently show that most attacks originate inside the organization, stemming from things like an employee falling victim to a phishing scheme or simple end-user errors that leave them, their identities, and their systems exposed. Provide simple, easy-to-follow education, direction, and training. Educate staffers on the implications of not following the training in a way specific to the agency. Give examples of the types of things to look for in phishing or socially engineered attacks. Flag security vulnerabilities that could be exacerbated by end-user activities, such as using agency email on a smartphone OS that requires a security patch or accessing a social media profile with a password that may have been part of a larger breach. The more the end user knows, the better.
3. Ensure security policies are fluid. Security threats change every day; policies that stay the same year after year are inherently outdated. Reassess policies every six to nine months to ensure they align with the changing threat landscape and risks to the agency so they’re as effective as possible. To encourage more end-user advocacy, establish two different security policies: one for the IT and security team, and one specifically for staff. Be sure to update both often. This not only shows end users the agency’s level of commitment, it also provides an opportunity for ongoing and continued education.
Remember, to enhance the agency’s security posture, security initiatives must be a priority for everyone—not just the IT team. More education and more participation will often lead to greater end-user engagement, and that’s the ultimate goal.
Find the full article on our partner DLT’s blog Technically Speaking.
The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates. All other trademarks are the property of their respective owners.