A panel of chief information security officers discussed how they make employees part of the agency’s cybersecurity defense.
Cybersecurity is about more than just protecting systems, especially when phishing is the hacker’s tool of choice for gaining access to networks. For public and private sector security executives, the emphasis increasingly is on making sure their employees aren’t taking the bait on attacks.
That makes it important for government agencies to constantly train both new and current employees on risk factors and actions that could open the door to an attack. Companies and agencies must create a culture for employees to make the right decisions, according to retired Maj. Gen. Earl Matthews, the vice president of enterprise security solutions with Hewlett Packard Enterprise’s U.S. public sector group.
“It’s about culture,” Matthews said at the FireEye Insider Threat Summit on April 12 in Washington. Every organization has a different approach to cybersecurity, he noted, and a cyber-savvy culture “starts with leadership and how that leadership is being used from the top down.”
Since the breach at the Office of Personnel Management showed how serious the damages could be, government security officers have raised the alert level regarding attacks through social engineering. Last year, for example, the Postal Service’s inspector general sent phishing emails of its own to 3,125 USPS employees. One in four recipients clicked on the link, and 90 percent of those who did so failed to report the potential security breach. Ninety-five percent of employees who received the email had not taken USPS’s annual information security awareness training, because only new hires and office employees were required to complete it.
Matthews said HP keeps its staff up to date on potential attacks through cybersecurity training and a reward system where employees can win credits towards buying items at the company store.
In the public sector, Maj. Gen. Sarah Zabel, the vice director of the Defense Information Systems Agency said DISA employees take the equivalent of a pop quiz every week.
“We have an exercise once a week. When people log in, a menu comes up that asks a cybersecurity question,” Zabel said. “We hit phishing hard. but we also hit other topics. It’s a constant reminder telling people that they’re on a mission system. They have to protect it by being alert and being aware.”
Part of changing the culture is not only being aware of how to protect your systems, but also knowing when attacks are most likely to come, said Rod Turk, the director of the Office of Cybersecurity and CISO at the Commerce Department.
“Cybersecurity culture is making sure that users -- top to bottom, right to left – [are] keeping cybersecurity in their thought process no matter what they’re doing in the IT world,” Turk said. “It applies to management; it applies to development and systems. Keeping cybersecurity in mind also means looking down the road and identifying when you may be ripe for a phishing attack.”
The average time between a system being compromised and the breach being detected is 146 days, FireEye CTO Tony Cole said. He asked the panelists if their agencies were beating that timeframe.
“We’re going to lag -- in government and in the organizations I’ve been in -- we’re going to be on the other end of that,” Zabel said. “We have a very complex network. Every day we have 22,000 changes on our network,” which makes it difficult to “fight inside of that timeframe.”
Turk agreed that securing government enterprise networks is complex, but added that his agency and many others are prepared to handle breaches. However, he said that the day when agency systems are fully protected may never come.
“Are we prepared? Yes we are,” Turk said. “We’ve developed a security operations center and … our bureaus have their own operations center. We take feeds from them, we have tools in place as well.
"But are we ready, have we done everything that’s perfect?” he asked. “No, I don’t believe perfection in the cybersecurity space is possible.”
NEXT STORY: GAO takes IRS to task over security weaknesses