Local government agencies are concerned by the lack of cybersecurity awareness among government employees and end users. This was a shocking discovery from a poll conducted by the Public Technology Institute in September 2017. The poll found that two major factors were working as obstacles to better cybersecurity. The number one issue was training employees and end users. The number two problem was financial constraints. The survey targeted Public Technology Institute’s city and county government membership as respondents.
The quick poll, titled “How Secure is Your Local Government?”[1], found that:
- 42% of the respondents have not performed a network security audit within the past 12 months.
- 62% do not have a formal breach response policy.
- 48% do not provide comprehensive security and awareness training to end users/government employees.
- 54% of the responding organizations do not have cyber liability or data breach insurance.
- Only 55% have an enterprise-wide cybersecurity plan.
- 71% have a staff person responsible for managing their cybersecurity efforts.
Good news and bad news
Though some of these statistics are alarming, some do show that the government is beginning to take cybersecurity seriously. They understand the importance of protecting the personal information of the public.
The topic of cybersecurity has been ranking as a top priority in other forums, such as the National Association of State Chief Information Officers (NASCIO). In their “State CIO Ten Priorities for 2017” report[2], security and risk issues were ranked as major concerns.
Nick Wilding, head of cyber resilience and best practice at AXELOS, argued that “Staff should be a business’ most effective security control, but are typically one of their greatest vulnerabilities.”
He warned that “Organizations need to be more certain that they are engaging their people effectively.” He went on to say that the person or entity with the most to lose in case of a security breach should bear the majority of the responsibility for sound security procedures. This can be achieved by training and equipping the stakeholders with important knowledge and the tools they need to deal with the threats that loom on the horizon.
Relevance of training
Cybersecurity is dynamic in the sense that it can be likened to a deadly virus that keeps changing in form and improving its own composition against attacks from antidotes. As soon as the cure is found, it has already changed itself and the new cure is no longer sufficient to kill it completely. That is why employees and end users must be better equipped with the ability to anticipate the ever-changing methods used by hackers. Training employees and end users must be completed at regular intervals. It will not work if it’s only conducted once or twice. This is the most effective way to ensure that cyber breaches will end someday.
Best practices
The awareness training provided should be directly related to the job description of the recipient trainee with consideration to the information security risks they face. Users should be aware of threats such as phishing and social engineering. They should also be taught the importance of having strong password protection. Too many people still use easy-to-discern passwords and/or the same passwords across multiple accounts. They must be taught new techniques for creating passwords that are difficult to crack. This can only be achieved by conducting the training periodically.
Financial Resources
Most local governments have adopted their cybersecurity framework from the National Institute of Standards and Technology and that of the FBI’s Criminal Justice Information Services. These agencies offer important security guidelines.
However, local and federal governments have suffered massive data breaches in the past, which have led to the erosion of public trust. Though government agencies have learned a great deal from these experiences, the general public may still not trust that the government has it all together when it comes to cyber threats. In their defense, the government is working continuously on programs and procedures that will anticipate attacks in advance. They’re using the best technology to find and close loopholes in their security grid. And lastly, they are starting to train employees on cybersecurity best practices.
Conclusion
Human error has been responsible for some of the worst data breaches, but local governments are still seen as the culprit when it comes to the mishandling of important data. The public has a right to expect its government to work harder and do more to protect the personal information of citizens. Consumers believe that the government has unlimited resources when it comes to solving problems like this, so there’s no excuse for them to stumble. Of course, the issues are much more complicated than that, but the sooner every organization has the best cybersecurity available on the planet, the sooner we can all go back to buying and selling online without worry.
[1] http://www.pti.org/news/
[2] https://www.nascio.org/Publications/ArtMID/485/ArticleID/441/State-CIO-Top-Ten-Policy-and-Technology-Priorities-for-2017