Why employee security training will ultimately fail
- By Morten Brøgger
- Apr 20, 2020
Government has not kept up with the rise of cyberattacks. In 2019, 966 government agencies, educational establishments and health care providers were victims of ransomware. As we moved into 2020, tensions with Iran, concerns over election security and the COVID-19 crisis have showcased the flaws in the nation’s cybersecurity capabilities.
This has led the federal government to step up initiatives around training and implementing security best practices. While these valiant steps may combat the ongoing cybercrime issue, they fail to address the root problems of outdated technology infrastructure that cybercriminals easily exploit. To truly strengthen cybersecurity defenses, government agencies must prioritize the modernization of their applications and systems.
Current cybersecurity initiatives are not enough
Ransomware has become the most prevalent cyberattack method on government organizations, with 113 state and municipal governments and agencies falling prey in 2019 as a result of employee inboxes becoming inundated with phishing scams bearing ransomware. To counteract these attacks, the government has tried mandating employee cybersecurity training, appointing statewide cybersecurity coordinators and banning the payment of ransomware demands. Unfortunately, when all it takes is one accidental click, these attacks will remain inevitable.
Initiatives set forth by the Department of Homeland Security and its Cybersecurity and Infrastructure Security Agency (CISA) are comprehensive, but they not been entirely successful, primarily because the systems government employees and contractors rely on are painfully outdated and vulnerable to exploitation. A 2019 study by the Senate Committee on Homeland Security and Governmental Affairs found that eight major government agencies were using “legacy systems or applications that are no longer supported by the vendor with security updates.”
Despite government data being a valuable commodity, the agencies that handle and store the data of over 325 million U.S. residents have so far failed to meet standards of the Federal Information Security Management Act or the CISA Supply Chain Risk Management Task Force. Failure to improve could result in another catastrophe akin to the 2015 breach at the Office of Personnel Management and further jeopardize national security.
Solving the underlying problem
Government agencies must put cybersecurity first by instituting a zero-trust framework. A zero-trust framework -- where no data or devices are automatically assumed safe and trustworthy -- should be the new baseline from which agencies approach tools, protocols and operations.
To implement zero trust, agencies must first review their current IT infrastructure to identify the connections, weak points and workflows and assess whether they should be overhauled, consolidated or maintained. To protect email users from ransomware, for example, agencies should review testing spam filters, updating operating systems, checking employee access to sensitive data and rooting out shadow IT.
Second, while some systems certainly require an overhaul, there will be other cases where it’s less about investing in new technologies and more about changing the agency’s broader technology mindset. Support for leveraging zero trust can help agencies mitigate the dangers of a data breach or ransomware attack. Whether it’s multifactor authentication, end-to-end encryption or endpoint security, zero-trust-based systems can help IT departments better monitor and detect attacks, while adding additional defenses. Zero-trust practices such as network segmentation, where the internal network is divided into smaller subnets, will help agencies prevent users from having unnecessary access to sensitive databases.
Unfortunately, COVID-19 and the rapidly changing work conditions are shining a light on organizational vulnerabilities caused by insecure communications, overwhelmed legacy systems and insufficient employee readiness. Only modern security infrastructure and tools can ensure government workers are properly trained, prepared and equipped to protect the nation’s data.
Morten Brøgger is CEO of Wire, which provides an enterprise-grade, end-to-end encrypted collaboration platform.