Security breaches of enterprises such as Target and Experian are big news. But every day, there are security incidents and breaches of smaller companies and organizations all over the planet. The U.S. government itself is certainly not immune. In 2016 alone, “government agencies reported 30,899 information-security incidents, 16 of which met the threshold of being a major incident.”
2017 was not an exception, and there were a number of significant incidents.
In March and April, WikiLeaks released what it claimed to be a list of CIA hacking tools. According to investigation reports, WikiLeaks obtained the material it called “Vault 7” while that information was being passed from government employees to outside contractors in a way that was “unauthorized.”
A study conducted by PricewaterhouseCoopers showed that most breaches, corporate or government, occur not by overt attempts of hackers and nation states, but, rather, because of current or former employees not following very basic rules of cybersecurity. They are either not aware of the key threats or they choose to ignore them.
This is a matter of education and training and keeping a much closer eye on what employees are doing on their work computers and devices that create risk.
For both IT and regular employees, here are six basic rules of cybersecurity that should be followed:
The solution lies in a couple of steps. First, IT administrators must set up monitoring systems, so that they are alerted when the policy is broken by any employee. Consequences must be swift and tough, including termination. Examples must be set. Second, each agency has a specific browser and email server. All others should be blocked, so that employees cannot access their personal email accounts. This preventive measure takes any temptation away, and then no one has to deal with the aftermath of breaches.
Solutions are really no-brainers. All social media platforms should be blocked on work computers and devices. And employees must be instructed regarding how they list their employment on their personal social media accounts. Again, breaches of this policy must come with severe consequences.
We have all, in our personal use of the internet, social media and email, come across activity that just seems suspicious. We are asked to click links, to provide personal information and are even presented with websites and logos that appear to be the “real thing.” While consumers are continually warned about this type of activity, some still fail to be vigilant. Federal employees are no different than most consumers.
When employees receive communications via their work or personal computers — communications that appear legitimate but that have requests for sensitive information — they must be trained to question everything. If it doesn’t “feel” right, then it probably is not. It is time to check with a supervisor who can determine the legitimacy of such a communication. Far better to be slow in responding than to respond and cause a security breach.
Most cybersecurity threats rely on human error or ignorance. When employees do not take cyber threats seriously, they are lax about their online activity, particularly using work computers for personal activities or for communicating sensitive information with contractors and other agencies via unsecured means.
The challenge for IT administrators is to monitor the online activities of employees while they are on work computers and devices. While this may seem to be an “invasion of privacy,” it really is not. Work computers are for job-related tasks only, and federal agencies have been far too lax about the use of PCs for personal activity. This is something that must be driven home with employees, and there can be no tolerance for personal use.
As for mobile devices that are government issued for government business, there should be a no-tolerance policy as well, and all non-work sites/browsers must be blocked. Any employee using such a device for personal purposes must be disciplined quickly and severely. This is not an era in which potential security hacks can be tolerated.
Employees must be trained to question any activity that seems out of the ordinary. If this means inconveniencing any number of people, so be it. Security has to trump everything else.
No research activity, data gathering, or scientific reports should ever be saved or shared via unsecure means. These all belong to the agency for which these activities are commissioned and conducted, not to the individuals conducting such activities. Work product from work time is not personally owned.
A tightening of rules is imperative, given the sophisticated measures that hackers now use to infiltrate government agency computer systems. And employees need to understand their liability when breaches occur. Following the “rules” will go a long way in the prevention of attacks.
Amanda Sparks is a writer, researcher and blogger from Atlanta, Georgia.