May 24 2023
Security

How to Foster a Security Culture

Government IT teams can help make information security a shared responsibility through education and preparedness exercises and by leveraging technology.
by

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Dr. Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

An agency’s workers play an essential role in its cybersecurity strategy. As frontline staff, they are perfectly positioned to notice anything unusual going on with IT systems.

At the same time, end users can be the weak link in information security if they don’t have the proper training and don’t understand how important their contribution can be.

Government IT teams can take specific steps to foster a culture of information security through education and preparedness exercises and by leveraging technology. 

Have a Broad-Spectrum Training Program

Workplace security culture begins with education and awareness, but it’s very easy to let annual security training become an obligatory box to check, rather than an opportunity to raise the level of security knowledge.

Effective training programs use multiple channels to tailor training to different learning styles. What works for one type of employee won’t necessarily be right for everyone.

Click the banner below to get Insider access to exclusive security articles.

Cyberattack Visual CTA Cyberattack Visual CTA

Consider mixing traditional training media, such as computer-based learning modules and videos, with other techniques, such as short newsletters, posters and interactive training sessions that include role-playing exercises and group discussions. This combination is more likely to deliver the message and reinforce it across the agency.

Gamification techniques such as quizzes, puzzles and interactive scenarios can be helpful, as can incentives, such as prizes or recognition for completing training. However, the most effective way to make people pay attention is with real-world examples, especially those that within the agency itself. 

Having an executive fall victim to a phishing attack may seem horrible when it happens. Yet, telling that story — using the executive’s name to really drive the example home — is an outstanding way to make a dramatic impact, which is the best way for people to remember something they’ve learned.

Engaging executive team members in information security education isn’t done to embarrass them but to emphasize that security breaches can happen at any level.  Leading by example — even by bad example — makes it clear to staff that cybersecurity is everyone’s business.

Incorporating a variety of methods and techniques makes information security training more interesting and engaging for employees. By doing so, agency IT and information security teams can increase staff engagement and improve the effectiveness of their training programs while making everyone more aware of cybersecurity issues and more alert to potential attacks.

LEARN MORE: How agencies can adhere to GSA standards and protect email backups.

Agencies Should Conduct Preparedness Exercises

Avoiding information security breaches is obviously the No. 1 goal, but having a security culture also means being prepared when a real problem occurs. The IT and information security teams will be the primary responders in such a case. However, involving staff in periodic exercises will help keep everyone’s mind on information security. Reporting suspicious activity is in everyone’s job description, so testing these reporting channels regularly is important.

One common method is to conduct a covert phishing exercise. Running a phishing simulation, in which agency staff are sent fake phishing messages, delivers three benefits: 

  1. Seeing phishing messages pop up in their email will help staff members recognize these types of scams. It’s one thing to be told “be on the lookout” and quite another to find a phishing message in your inbox.
  2. A phishing exercise tests the agency’s alerting systems. Did staff bring these messages to IT’s attention? How much time passed between the phishing attempt and a response by the security operations center or network management team?
  3. The exercise will identify which employees need additional training or help in identifying phishing messages.

Other preparedness exercises include tabletop or red/blue team exercises, which simulate security incidents and walk staff through identifying and responding to the threat. Most staff will assume that the bulk of the response should fall to the IT team, and perhaps it does — but when a security incident occurs, everyone in the agency has a role to play.

These types of exercises can complement the information security equivalent of a fire drill — a test of the agency’s incident response plan. An IR drill helps everyone, from senior management to client-facing staff, understand what they need to do and how they will continue their work if a serious incident occurs.

EXPLORE: Establishing a unified zero trust approach begins with existing technologies.

Existing Technology Agencies Can Lean On

Agencies already have tools such as firewalls, anti-malware and intrusion prevention systems to help block intrusions and detect suspicious activity. Using the information from these tools to deliver feedback to staff will help everyone understand that security breaches can come from the most innocuous of actions.

For example, if the desktop anti-malware identifies a user who has had a number of viruses defanged, that is a signal for someone in IT to sit down with that staffer and try to understand why this is happening.

Engaging with the user in a non-confrontational and cooperative way is key. Rather than making it a “Big Brother is watching you” moment, when IT staff bring users into the event analysis and response, the incident becomes another successful piece of information security training. By gaining an understanding of how the user contracted the viruses, IT teams can adapt training programs and reconfigure security tools. In response, users will understand the real consequences of their actions and be more alert.

Changing user habits and awareness is critical, because the next time around, the desktop anti-malware might not catch the attack.

Fostering a culture of information security and cybersecurity in government agencies brings everyone in the agency onto the same team, with the same goal: protecting client information and systems from cyberthreats. By being proactive with everyone from the top down, agencies can cut their information security risk and maintain public trust.

DISCOVER: Why zero-trust architectures should include data protection and cyber recovery. 

Why Government Agencies Need to Engage in Policy

Most organizations, including government agencies, treat their information security policies as obscure documents that no one reads or understands. That’s a mistake that can cost an agency dearly. Asking every staff member to sign off on the policy is standard practice, but what’s much more valuable is asking staff members to participate in building the information security policy itself.

Creating a culture of openness and transparency around policy development gets staff thinking about how the policy affects them, and how their actions affect security. Hold regular forums and focus groups to discuss information security and to share ideas and concerns. Most important, pay attention to feedback from staff and use it to craft better policy.

By using information security policies to engage with staff in a positive way, you’ll keep people thinking about cybersecurity and you may end up with a better policy in return.

Dan Page/Theispot

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now