Insider threats, including careless or untrained insiders, continue to be a problem for the public sector. According to the SolarWinds 2023 Public Sector Cybersecurity Survey, 68% of respondents cited careless or untrained employees as one of the highest sources of security threats, second only to foreign governments.
Insider threats have continued to increase over the past few years. Mobile work has become commonplace, and more employees have begun using unsanctioned applications, creating shadow IT that the security team cannot monitor or patch. Meanwhile, attackers have become adept at targeting government employees through phishing, which is frequently the entry point for ransomware; these attacks succeed because a person is tricked into acting, not because a technical control was defeated.
Educating your employees about the dangers of these attacks and putting in proper safeguards to prevent them is critical. Here are three strategies to help employees become more aware of threats and build a better security posture from the inside.
Understand that while not everyone is a trained security expert, everyone can play their part
Some organizations tend to say, “Everyone is responsible for cybersecurity,” which is not entirely true. An employee in charge of processing applications for social security benefits is in charge of processing applications for social security benefits, not protecting the agency from a cyber attack.
However, there are small things everyone can do to prevent threats; they just need to know what those things are. It's more than not opening emails from unknown senders or clicking on suspicious-looking attachments. It's being vigilant, even when feeling overworked. It's also knowing whom to report incidents to if and when they occur, and how and when to share information with colleagues about potentially suspicious activity.
Other things you can do to help employees protect your agency include:
- Implementing agency-wide authentication standards, including multi-factor authentication; where possible, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, since one-time codes can be relayed through a phishing site in real time
- Requiring a password change when there is evidence of compromise, and screening new passwords against lists of known-breached passwords, rather than mandating calendar-based rotation; NIST SP 800-63B advises against periodic forced changes because they push users toward predictable variations of the old password
- Adding context to communications around cybersecurity to help employees understand the ramifications of cybersecurity incidents (for example, illustrating how a breach could impact employees’ jobs)
While rigorous training isn’t necessary, you can aim to make safe security practices a part of your day-to-day efforts. For example, periodic email reminders, replete with simple and easy-to-follow best practices and sent from the CIO or security team, can help improve your organization’s security posture.
Conduct simulations to help employees understand how to respond to possible threats
Email reminders are important, but nothing beats practicing what to do in the event of a threat, which is where simulations come in.
Breach and Attack Simulation (BAS) platforms can replay just about any type of attack your agency might face, including phishing, malware delivery, and more. Keep the distinction in mind: BAS primarily tests whether your technical controls detect and block those techniques, while phishing-simulation campaigns test whether employees spot, report, and refrain from acting on a lure. Run both. Managers can then assess employees' responses and reactions and discover where more education is needed; track the report rate alongside the click rate, because one fast report from a recipient is what lets the security team contain a real campaign.
Simulated attacks are also great for increasing employee vigilance and education. The more employees are exposed to simulated threats, the more knowledgeable they become about those threats, and the less likely they are to fall prey to them. Vary the lures (credential-harvesting pages, fake invoices, spoofed internal senders) so employees learn the pattern rather than a single template.
Build a zero-trust foundation that is secure by design
While employees should always be your first line of defense against cyberattacks, no defense is ever foolproof, not even employees who have been adequately trained and prepared. A secure-by-design, zero-trust environment limits what an attacker can reach when a weakness is eventually exploited.
In a secure-by-design environment, security is inherent in every aspect of the organization. Employees are aware of possible cybersecurity risks and know how to prevent them. Security is baked into the agency’s technology infrastructure and software development processes, and all technologies an agency procures have security as a standard feature, not an add-on.
Security by design goes hand in hand with zero trust. Zero-trust cybersecurity models are based on an "assume breach" mentality: every request to access information, whether it originates inside or outside the agency network, could come from an attacker. Therefore, every request must be authenticated and authorized on its own merits, not trusted because of its network location or an earlier login, and each employee should have access only to the information their role requires.
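To make the "verify every request, grant only what the role needs" principle concrete, here is an added example (not code from the article or from SolarWinds) of a per-request authorization gate. The token format, signing key, role names and resource names are all hypothetical; a real agency system would use a standard token such as a signed JWT issued by its identity provider and a key held in a KMS or HSM. What the example shows is the shape of the decision: the caller's identity is re-verified on every call (signature and expiry), entitlements are looked up in a deny-by-default policy, and every decision, allowed or denied, is recorded for the security team.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption): a real deployment keeps this in a KMS/HSM.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Least-privilege policy as (role, resource, action) tuples. Anything not
# listed is denied. Role and resource names are hypothetical.
POLICY = {
    ("benefits-processor", "benefits-applications", "read"),
    ("benefits-processor", "benefits-applications", "update"),
    ("auditor", "benefits-applications", "read"),
    ("auditor", "audit-log", "read"),
}

# Every decision is appended here; a real system would ship these to the SIEM.
AUDIT_LOG = []


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles: list, ttl: int = 300, now: float = None) -> str:
    """Mint a short-lived, HMAC-SHA256-signed token carrying the caller's roles."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "roles": roles, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: float = None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, AttributeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token: str, resource: str, action: str, now: float = None):
    """Zero-trust gate: re-verify identity and check entitlement on every call.

    Returns (allowed, reason). There is no session cache and no "trusted
    network" shortcut; a stale or tampered token is treated as no identity.
    """
    claims = verify_token(token, now)
    if claims is None:
        decision = (False, "unverified identity")
    elif any((role, resource, action) in POLICY for role in claims["roles"]):
        decision = (True, "allowed")
    else:
        decision = (False, "no entitlement")
    AUDIT_LOG.append({
        "sub": claims["sub"] if claims else None,
        "resource": resource,
        "action": action,
        "allowed": decision[0],
        "reason": decision[1],
    })
    return decision


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = issue_token("alice", ["benefits-processor"], ttl=300, now=t0)
    print(authorize(tok, "benefits-applications", "read", now=t0 + 10))
    print(authorize(tok, "audit-log", "read", now=t0 + 10))
    print(authorize(tok, "benefits-applications", "read", now=t0 + 301))
```

The key design choice is that `authorize` never consults anything but the token presented with this request and the policy table; an attacker who has landed on an internal host still needs a valid, unexpired token for a role that is explicitly entitled to the resource, and their denied attempts show up in the audit log.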
Remember: while employees can be your agency’s best defenders, they’re also human. They can and will make mistakes. It’s essential to put in place safeguards to mitigate those mistakes. Education is important, but so is having a backup plan in case something fails. By covering all angles you’ll have a better chance of preventing the next employee-centric cyberattack.
For more guidance on how to better enhance your agency’s cybersecurity posture, visit SolarWinds’ Secure by Design resource center.