Aug 02 2018

Train All Employees at Your Agency to Take Security Seriously

Protecting the network is every user's responsibility, not just the technical staff.

Agencies that comply with data protection standards and employ effective security ­solutions accomplish a great deal to keep government ­networks safe. However, ­neither method takes care of a softer target: users.

Phishing, emailed malware and malicious websites all work to lure unwitting users into opening a network to attack. This risk, however, can be greatly mitigated with proper training — especially for employees who aren’t IT staff.

The Pentagon alone blocks 36 million malicious emails per day, but gaps that allow attacks to slip by still exist throughout government. To avoid attacks, agencies are adopting a security feature known as Domain-based Message Authentication, Reporting and Conformance (DMARC), designed to prevent spoofed emails from penetrating their systems.

Agencies must first figure out what information and systems they’re trying to protect and then find the users most likely to trigger a breach. Don’t just look for people who struggle to handle their email, though. Attacks could be initiated by any user, whether that person is the newest intern or the most experienced leader.

To reach non-IT employees, it’s best to use an approach that is relatable and easy to understand, according to CDW’s “Cybersecurity Insight Report.”

Simple test scenarios can include emails that appear to come from logical senders, such as a request to send updated tax information to payroll, or they can appear to be part of the daily business flow, such as an acquisition form that doesn’t seem quite right.

The old trick of relying on grammar and spelling errors to pick out phishing emails is no longer guaranteed to work. Today’s cybercriminals have learned to make their work look more professional.

SIGN UP: Get more news from the FedTech newsletter in your inbox every two weeks!

Best Practices for Agencies to Bolster Cybersecurity Training 

Online training tools that let users run through possible security breach scenarios can be useful, as are seminars, workshops and other education initiatives. These work best when they’re focused on the benefit to the employee.

Workers are most likely to adopt new and potentially intrusive security measures, such as regular patching or software updates, when they can see the positive impact on their own work.

IT staff must also work to get past the overconfidence nontechnical users may have in firewalls, anti-virus software and other technology to protect the network.


An IDG study published with CDW’s “Cybersecurity Insight Report” found that 62 percent of workers in non-IT roles were extremely confident in technology’s ability to mitigate risk, compared with just 34 percent of those who actually work in IT. Overconfident employees may include top executives with access to valuable financial, ­personal and ­confidential data.

All employees, no matter where they sit on the organizational chart, need to ­understand that their own personal information is a target as well as the agency’s data and networks.

“Most security resources are being concentrated on the network while fraud is happening on the phone, outside of the network,” CDW’s Ryan Kalember writes in the report. “With the nature of today’s connected world, there’s also more information available to target individuals. Just heading to someone’s LinkedIn profile can give a criminal a good amount of ammo.”

Compliance Actually Works to Secure Networks 

Employees often complain about change, but getting them used to strict new security policies is something best done sooner rather than later. Stronger passwords and multifactor authentication can stave off some email-based attacks.

Creating a habit of not clicking on attachments or links prevents even more. Learning to quickly report suspicious emails or activities further strengthens employee-based protection. The more communication and training that pass between technical and nontechnical employees, the more secure a network can become. The higher priority an agency places on information security awareness, the better protected it will be.

JanWillemKunnen/Getty Images

aaa 1