Securing networks in the sharing age

 


Thanks to social media, employees are offering up personal information that can put agencies' security at risk.

In 2004, a young Mark Zuckerberg founded Facebook from his Harvard dorm room. Twitter arrived on the scene two years later, and in 2010 Instagram debuted. Indeed, a large portion of today’s workforce has lived most of their lives in the "Facebook Age," when posting daily status updates and selfies is the norm.

Information security professionals should be reeling from the wide-reaching implications of this cohort’s approach to technology use and its potential to permeate the workforce. For example, a recent report highlighted that half of millennials spend an average of three hours per day on their mobile devices -- 70 minutes of that on non-work activities during work hours.

From 2015 to 2016, we saw a 15 percent increase in the number of federal employees under age 25, and, unless we quickly react to these trends, they could spell disaster for federal agencies, particularly in terms of insider threats.

How can we shift our approach to IT security to compensate for the insider threats caused by the rise of the sharing age?

Why insider threats?

You may hear "insider threats" and think only of ill-intentioned employees leaking agency secrets, such as Chelsea Manning and Edward Snowden. Realistically, however, these kinds of employees account for only a portion of breaches. The most common insider threats actually stem from individuals who are either unaware or negligent.

Hackers attach themselves to employees they deem particularly vulnerable and use them to penetrate an agency’s network, giving them access to valuable and classified data.

In the past, criminals would take a subtle, human approach to this. They would stalk employees at cafes where they would strike up a conversation to coax vital information out of them.

But with social media, employees are already offering up large amounts of information through their personal profiles and posts. This information can be used to hack an employee’s work or personal devices, which may regularly connect to an agency’s network.

This practice means additional layers of security and awareness are needed to ensure agency workers play an active role in safeguarding data. Agencies must be more vigilant and proactive in addressing human vulnerabilities.

Recruitment

So where to begin? Good internal security begins with hiring. A proactive recruitment process can spot security problems that could cause complications down the line. Recruiters should go beyond thorough background checks and incorporate security into the interview process by asking meaningful, security-minded questions.

Knowing candidates’ attitudes toward data security related to their personal social media can reveal much about their ability to protect agency data. If they’re not aware of the federal Standards of Ethical Conduct that apply to social media use, for example, recruiters should let them know that federal employees are responsible for how they present an agency’s name, seal and uniform online. Infractions can lead to penalties and termination.

Training

Once agencies are in a position to hire only low-risk employees, they can refine their training process to include updated, ongoing training modules that address relevant and contemporary issues such as social media security. Reliance on boilerplate training videos prevents an agency from fortifying itself against insider threats. Focusing on scenario training and working on employee awareness will help agencies beat back threats.

Remember: Constant sharing is now ingrained in our culture. Managers must educate employees about the potential risks. Doing so requires a sincere, consistent and concerted effort.

BYOD policy

Humans are hardwired as problem solvers -- particularly today’s tech-savvy millennials. With millennials making up much of today’s workforce, agencies will struggle to maintain secure networks without an effective bring-your-own-device policy.

If an agency bans all personal smartphones or lacks an effective BYOD policy that facilitates work from mobile devices, employees will find workarounds or rely on back channels that IT managers can’t see or control. With a BYOD policy in place, agencies can get ahead of the problem and promote the transparency they need to maintain network safety.

Insider threat protections will only become more diluted as social media gets more ingrained in daily life. We must prepare now by framing IT security as foundational instead of responsive. Of course, we can never fully eliminate human risk, but we can greatly reduce that risk by making data security an integral part of agency culture. By keeping the conversation open, engaging everyone in the process and collaborating with HR to ensure the screening process is done correctly, agencies can catch problems before they have a chance to grow.
