How to Make Every Agency Employee a Security Advocate

The rising numbers of data breaches should come as no surprise to federal IT security pros who work every day to ensure agency information is secure. However, these breaches may not be something a federal IT team can prevent on its own.

According to the most recent SolarWinds Federal Cybersecurity Survey, more than 50% of respondents say that careless or untrained users are the leading cause of data breaches across the federal government. SPAM, malware, and social engineering are far and away the greatest threats; oftentimes end-users unknowingly take actions that go against agency security policy or harm the network.

The takeaway here is that it’s everyone’s responsibility to keep data safe. It is critical that agency employees understand and follow security rules and requirements.

So, what’s the solution? Can today’s federal IT security pro ensure a tighter security posture with the help of agency employees? The answer is yes.

Three steps to stronger security

While technology is generally the most solid defense against security threats, federal IT security pros should also take the following steps to improve agency security.

Step one: Start from the top. In any organization, leadership sets the tone. If all agency heads become security advocates, it will send a clear message on prioritizing security initiatives.

Consider hosting a town-hall type meeting, or a “lunch and learn,” where agency leaders explain what’s at stake in order to encourage employees to take a more personal approach to security. This will go a long way toward conveying that everyone at the agency is in it together. Leadership can explain what they do to protect agency data while discussing the importance of agency policies and enforcement.

Step two: Provide solid user education. Security breach statistics consistently show that most attacks originate inside the organization, stemming from things like an employee falling victim to a phishing scheme or simple end-user errors that leave them, their identities, and their systems exposed.

Once the critical leadership stance is established, the next step is to provide simple, easy-to-follow education, direction, and training. Most agencies have training policies in place; the key here is to make it personal. Educate staffers on the implications of not following the training in a way that is specific to the agency. Give examples of the types of things to look for in phishing or socially engineered attacks. A personal connection can lead to greater staff engagement.

Flag security vulnerabilities that could be exacerbated by end-user activities, such as using agency email on a smartphone OS that requires a security patch or accessing a social media profile with a password that may have been part of a larger breach. The more the end-user knows, the better.

Step three: Ensure security policies are fluid. Security threats change every day; policies that stay the same year after year are inherently outdated. Agencies must revise security policies regularly. In fact, reassess policies every six to nine months to ensure the policies align with the changing threat landscape and risks to the agency so that they are as effective as possible.

To encourage more end-user advocacy, establish two different security policies: one for the IT and security team, and one specifically for staff. And, be sure to update both often. This not only shows end-users the agency’s level of commitment, it will provide an opportunity for ongoing and continued education.

Remember, to enhance the agency’s security posture security initiatives must be a priority for everyone—not just the IT team. More education and more participation will often lead to enhanced end-user engagement, and that’s the ultimate goal.

Article by Jim Hansen, Vice President of Security, SolarWinds