(This post originally appeared on GovTechReview)
Security is everyone’s responsibly — not just the IT team. This sentiment is especially timely in today’s landscape, where cyberattacks are becoming more frequent, all-encompassing, and sophisticated.
Case in point, the latest SolarWinds Public Sector Cybersecurity Survey found untrained or careless insiders accounted for the most significant source (52%) of security threats. Sadly, this trend has continued for more than five years. This underscores the importance of shared responsibility when it comes to security and that the biggest threat could come from within.
A robust security strategy for government bodies should include changes at the organisational and individual levels. And to be clear, this is not to unduly scrutinise employees, but — given their level of access and privilege — to protect them and the organisation from attackers.
Here are three ways government employees can brush up on their cybersecurity skills, protecting the wider organisation in the process.
1. Take stock and assess
We all fall victim to this one — how often do we forget we have access to systems or applications we no longer use? Whether you’ve finished working on a project, changed your role, or moved departments, you could still have access to sensitive information that could be used if your access is compromised. Luckily, this should be an easy fix.
Take stock of everything you have access to and make a list of things you no longer need to do your job right now (remember, you can always get access again later if need be). Then work with your IT team to restrict your access to only what you need. Understanding and proactively managing your digital footprint is one of the easiest ways to limit risk exposure from attack.
2. Get privileges right
As mentioned above, users pose one of the biggest threats to government bodies, so agencies are increasingly adopting tools to verify user identity. This helps IT teams manage what systems each user should — and shouldn’t — have access to.
The SolarWinds survey found identity and access management tools are heavily adopted (97%) and rated as the second-most-effective tool for application and network security behind endpoint protection software.
The same survey found over half of federal, state, and local government bodies use network segmentation and a zero-trust approach to manage user access. But achieving effective segmentation utilising this approach is more elusive than ever due to the growing number of systems, devices, and users. Implementing and maintaining zero-trust is also fraught with issues, mainly escalating costs and a lack of expertise.
Users can play their part by working with their manager to ensure they have access to only the necessary privileges to get their work done. If users need additional access, it can be granted on a temporary basis and should expire after a certain time (or when the task is complete, whichever comes first).
3. Separate work and home
Most of us have taken work home this past year, adopting a fully remote or hybrid setup as COVID-19 impacted business as usual. Although work may be done at home, keeping work and home data separate is critical.
Think of home like a remote site when assessing security parameters. For example, employees should ensure their router’s firmware is up to date and they’re using the WPA3 Wi-Fi protocol (which is more secure than the previous WPA2 standard). Then check firewall settings and turn off any open ports. Be sure to choose a complex network password that’s long, unique, and uses a combination of letters, numbers, and special characters. If your organisation uses a VPN, employees should connect this way when at home. Lastly, avoid — at all costs — transferring work files to home devices or using email for sharing sensitive information.
Time for users to step up
Cyberattacks are on the rise and becoming more targeted. Individual users can play their part in the collective effort to beef up security by taking stock of their permissions, managing privileges, and keeping work and home separate (at least in a digital sense). These small steps and behaviour changes can go a long way to improving the government’s security preparedness.