GovDefenders Wednesdays: Cybersecurity Starts at the Bottom of the Totem Pole

GovDefenders Wednesdays is a series exploring the world of public sector cybersecurity. We introduce concepts, offer opinions, provide resources, and identify ways to protect your agency. 

We frequently misuse the idea of the bottom of the totem pole. Many people associate it with negativity – “I’m stuck at the bottom of the totem pole.” However, the bottom is where you want to be, because it's the most honorable position. Those at the bottom are the ones everyone relies on; they are the ones who hold up society. Cybersecurity is no different. Those at the bottom must now help hold up those at the top.

Twenty years ago, cybersecurity, to most of us, could only be found in science fiction and on college campuses, where predictions about networks seemed eons away. Ten years ago, cybersecurity consisted of ensuring your antivirus software was up to date and your coworkers didn’t click on links sent from Nigerian princes. Today, cybersecurity has to be a bottom-to-top strategy, focused not only on your IT department but on the employees at the very bottom rung of your agency's ladder.

When computers and the internet went mainstream, security was an IT concern. IT ensured everyone’s computer software was up to date; they found the best antivirus software and installed it; and they kept out as much spam as possible with tools that seem archaic by today’s standards. Cybersecurity only involved the top level, and employees barely needed to lift a finger to ensure the computer in their cubicle was secure.

Times have changed. Cybersecurity now starts at the bottom. In The Heritage Foundation’s “The Alarming Trend of Cybersecurity Breaches and Failures in the U.S. Government Continues”, two of the incidents they highlight were caused by ordinary employees. One, involving the Commodity Futures Trading Commission, was the result of a simple phishing e-mail scam: a hacker gained access to “sensitive information, including social security numbers” because an employee clicked on an e-mail link. The other involved the U.S. Army Chief of Public Affairs and a contractor who accidentally uploaded a database to a public server, resulting in social security numbers and other personal records being made publicly available.

Everyone is a Cybersecurity Threat

Here are three simple ways an employee is a potential cybersecurity risk:

  1. Bring Your Own Device (BYOD) – Many employees are bringing their own smart devices to work. Sometimes they are encouraged to do so by agencies trying to reduce their budget. However, smartphones, tablets, and personal laptops are largely unaccounted for by IT departments. Without a standard BYOD policy, these devices usually don’t have the security software installed to protect your agency’s information.
  2. Phishing – As noted above, simple email phishing scams are still causing agencies stress ten years after everyone became aware that the internet doesn't give away $1,000,000 for clicking a link. Today, however, phishing scams are, admittedly, becoming more advanced and harder to track. Now they involve attached PDFs or hackers impersonating a company that asks you to click on a fake link. Without careful consideration of where emails are coming from, it's extremely difficult to figure out what's real and what's an attack. And if you think phishing is only for small-time hackers, think again.
  3. Browser Exploits – One of the easiest ways for a hacker to enter your network is through browser vulnerabilities. Many agencies are still using Internet Explorer 7, and very few require employees to update commonly exposed add-ons such as Java and Flash. We discussed a specific browser exploit kit called “Blackhole”, which alone accounts for 28% of all web threats.

The New Cybersecurity Defense

Henry Sienkiewicz, Vice Chief Information Assurance Executive and the Designated Approving Authority for the Defense Information Systems Agency, recently spoke at an AFCEA luncheon about cybersecurity. One of his main points was the need to move away from agency employees simply checking cybersecurity boxes and assuming that by doing so they're now protected.

How can you adapt to this paradigm shift? Start by working with your IT department to identify all the ways your employees’ actions can potentially weaken your cybersecurity strategy. Then write policies that you and your co-workers understand and can abide by. Next, offer training to ensure that everyone not only understands the new policies but also knows how to identify, report, and protect themselves from suspicious activity.

One last tip: take the time to research emerging technologies that address user weaknesses. For example, there are many products that will help your agency adjust to a BYOD policy. Symantec offers Management and Mobility products. And if an employee loses a device, SolarWinds offers a User Device Tracker.