Because employees can be an agency's weakest link or strongest cyber advocate, repeated emphasis on cyber risks and mitigation practices helps build a culture of cybersecurity.
Cybersecurity continues to be a nagging threat for state and local governments. Almost daily, headlines blare that state and local governments need to be on alert for a heightened risk of cyberattacks.
Sadly, over the past few years, we have seen how devastating a cyberattack can be on both our physical and digital critical infrastructure systems. We have witnessed—too often—how a cyberattack has real-world implications that can lead to a wide variety of issues, from crippling hospitals to blackouts to water supply disruptions to traffic management system takedowns and worse.
Although the obstacles to combat cyberattacks seem daunting, they are surmountable. The best cyber defense is in your organizations: It is state and local government workers. While cybersecurity tools are vital, the “secret sauce” of the most cyber-secure organizations is their culture and their employees.
Employees can be your weakest link or your strongest cyber advocate. Every cybersecurity technology you deploy is only as strong as the people using it. Too often cybersecurity budgets are only focused on the investment in technologies and IT staff. It is time that we all make an investment in our people, our organizational culture and our cyber hygiene.
The weight of the cybersecurity burden should not just fall on the CIO, CSO and their teams because cybersecurity is every employee’s responsibility. It is imperative that every employee know that they have a critical role in the organization’s cybersecurity posture and fully understand what that means on a day-to-day basis.
What can governments do?
What can state and local governments do to build a culture of cybersecurity and empower everyone within their organizations to be part of the solution? At the Cyber Readiness Institute, we have identified four foundational pillars.
Create strong passwords and authentication. Weak passwords are the point of entry for far too many cyberattacks. Every employee should use a 15-character password or passphrase and every government organization should require multi-factor authentication or MFA, also known as two-factor authentication, on their critical systems. MFA offers a human-centered technical solution. With MFA, the employee’s password is no longer your organization’s only line of cyber defense.
Install updates and patches. If not automated at the enterprise level, all employees should understand the importance of installing operating system updates and security patches when they become available.
Check for phishing emails. Phishing attacks remain the oldest and most efficient way to infiltrate cyber defenses. Yet they are also among the most preventable types of attack. Employees should verify the source before clicking on links in emails. They can do this by checking the actual “from” email address, not just the display name shown in the mail window. If an email appears questionable, it probably is.
Steer clear of removable media devices. Data isn’t meant to travel. USBs and other removable media devices can carry malware and viruses. Steer clear of them. If you can’t, set up a secure process for scanning external media before using them.
Cybersecurity begins with a clear and open dialogue that doesn’t begin and end at employee orientation. A workplace that takes cyber readiness seriously needs to reinforce the ramifications of cyber risks and the protections and good practices to mitigate them. That message must be shared repeatedly.
The attacks won’t stop coming, so neither should your efforts to bolster your employees’ ability to prevent them.
Karen S. Evans is the managing director of the Cyber Readiness Institute. She has held cybersecurity leadership roles at the U.S. Department of Energy, U.S. Department of Homeland Security and the Office of Management and Budget.