One important element may be remembering that employees and system users are real, three-dimensional people.
For one, that means acknowledging their personal lives.
Governments aren’t officially responsible for their employees’ personal devices. But remote and hybrid work means that employees’ home networks and devices are part of organizations’ attack surfaces, Colorado CISO Ray Yepes said during a recent webinar hosted by Government Technology.
“It’s important that you protect their personal devices as well, even though you're not responsible for those,” Yepes said. “Provide additional tips to help them out.”
Recent news underscores that point: Password manager LastPass suffered a breach of sensitive data after a hacker targeted an employee’s home computer to steal their work master password, the company said. Organizations looking to reduce their risks of similar crises should provide employees with personal device safety tips, Yepes said.
And events like holidays and tax season also present good opportunities for governments to intervene and remind employees about the kinds of scams to watch out for, said Yepes.
An inclusive and welcoming culture is also part of good cyber best practices. Creating a workplace environment that supports diversity, equity and inclusion can make employees feel safe and supported, which in turn makes everyone feel more comfortable reporting incidents, said Glenn Marchi, CIO for Dutchess County, N.Y., during the webinar.
“Trust can create an environment where employees feel comfortable about reporting incidents that they may not have reported in the past,” Marchi said.
Diversity, equity and inclusion efforts can also help reduce unconscious biases before they turn into insider threats, he said.
Effective cyber awareness training goes beyond asking employees to passively read a few informational slides once a year, Marchi said. It needs to truly shift employees’ thinking and create a culture where cyber secure behaviors are the norm.
MOTIVATING CHANGE
Sometimes the training challenge is that employees don’t yet understand the cyber secure practices, and other times that they don’t understand the stakes or relevance.
“One of the most significant challenges that we face in addressing the human factor of cybersecurity [is] just the lack of employee awareness, or they're just overwhelmed with their current job,” Marchi said. “They kind of see this as an additional task and not a part of their daily tasks. Cybersecurity really has to be ingrained in every employee[’s job] … this has to be built into your daily work tasks.”
Getting employees engaged in trainings can mean showing its importance to governments’ service-focused mission, said Yepes. Public-sector employees aren’t getting big salaries or the latest snazzy tools, after all — instead, they’ve chosen government work for its sense of purpose. Engaging and retaining employees means speaking to that drive.
“We need to remind them that they're making a difference,” Yepes said. “And we as leaders, it’s important to remember that we’re dealing with other human beings. So, we need to lead with heart as well. We can’t be just job-driven. We need to have a human culture when interacting and maintaining this individual with us.”
Healthy competition can also be motivating — something Yepes has found from phishing training efforts.
Rather than holding one enterprisewide phishing campaign, the state runs separate, staggered campaigns with each business unit.
“When we get users involved individually or in a smaller group, we tend to get their attention a lot better,” Yepes said.
The unit-by-unit approach also means the HR team can see how it stacked up against the IT or finance departments, for example. That’s spurred some business units to request extra trainings to boost their scores.
Trying to create friendly, motivating competition like this “has worked beautifully in the past,” Yepes said.
LEARNING FROM MISTAKES
It takes time for employees to learn new mindsets. Marchi said sometimes this requires meeting individually with employees who are struggling to grasp it and talking through the clues that should tip them off that a phishing training email is suspicious.
Mistakes are a teaching opportunity. After a mock-phishing campaign, Yepes said business units can get follow-up training sessions that review the exact emails that staff had clicked on and explain the elements that should’ve been red flags.
DELIBERATE AND MINDFUL
Organizations can get the most out of their employee cyber trainings by setting clear strategic objectives that shape the cyber awareness efforts for the year, as well as outlining key performance indicators (KPIs) to use to assess their training’s effectiveness, Marchi said.
“How do you know that your program is successful? You can't unless you measure it,” he said.
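The unit-by-unit phishing campaigns described above only produce comparable scores, and the KPIs Marchi calls for, if the results are tallied consistently. The script below is an added example, not code from the article, the state of Colorado or Dutchess County: it assumes a constructed simulation log in which each line records campaign, business unit, user and what the user did with the test email (delivered, clicked or reported), computes per-unit click and report rates, ranks the units, and flags users who clicked in more than one campaign as candidates for the individual follow-up Marchi describes. All names and figures are made up.

```python
"""Per-business-unit KPIs from a staggered phishing-simulation log.

Added example (not from the article or any agency's program). It assumes a
constructed log format: campaign_id,unit,user,action, one event per line.
"""
from collections import defaultdict

# Constructed sample log covering two staggered campaigns (c1, c2).
SAMPLE_LOG = """\
c1,HR,alice,delivered
c1,HR,alice,clicked
c1,HR,bob,delivered
c1,HR,bob,reported
c1,HR,carol,delivered
c1,IT,dave,delivered
c1,IT,dave,reported
c1,IT,erin,delivered
c1,IT,erin,reported
c1,Finance,frank,delivered
c1,Finance,frank,clicked
c1,Finance,grace,delivered
c2,HR,alice,delivered
c2,HR,alice,clicked
c2,HR,bob,delivered
c2,HR,bob,reported
c2,HR,carol,delivered
c2,HR,carol,reported
c2,Finance,frank,delivered
c2,Finance,frank,reported
c2,Finance,grace,delivered
c2,Finance,grace,clicked
"""

ACTIONS = {"delivered", "clicked", "reported"}


def parse_log(text):
    """Yield (campaign, unit, user, action) tuples; reject malformed lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or parts[3] not in ACTIONS:
            raise ValueError(f"line {lineno}: malformed record {raw!r}")
        yield tuple(parts)


def unit_kpis(text):
    """Return {unit: {delivered, click_rate, report_rate, repeat_clickers}}.

    Rates are per (campaign, user), so a user who clicked twice in one
    campaign counts once. 'repeat_clickers' lists users who clicked in more
    than one campaign, i.e. the people to meet with individually.
    """
    buckets = {a: defaultdict(set) for a in ACTIONS}  # action -> unit -> {(campaign, user)}
    for campaign, unit, user, action in parse_log(text):
        buckets[action][unit].add((campaign, user))

    result = {}
    for unit in sorted(buckets["delivered"]):
        n = len(buckets["delivered"][unit])
        click_counts = defaultdict(int)
        for _campaign, user in buckets["clicked"][unit]:
            click_counts[user] += 1
        result[unit] = {
            "delivered": n,
            "click_rate": round(len(buckets["clicked"][unit]) / n, 3) if n else 0.0,
            "report_rate": round(len(buckets["reported"][unit]) / n, 3) if n else 0.0,
            "repeat_clickers": sorted(u for u, c in click_counts.items() if c > 1),
        }
    return result


def ranked_units(kpis):
    """Units ordered best to worst: lowest click rate, then highest report rate."""
    return sorted(kpis, key=lambda u: (kpis[u]["click_rate"], -kpis[u]["report_rate"]))


if __name__ == "__main__":
    kpis = unit_kpis(SAMPLE_LOG)
    for unit in ranked_units(kpis):
        k = kpis[unit]
        print(f"{unit:8} delivered={k['delivered']:2} click={k['click_rate']:.1%} "
              f"report={k['report_rate']:.1%} repeat={k['repeat_clickers']}")
```

Report rate is tracked alongside click rate on purpose: a unit that clicks rarely but never reports is not yet the reporting culture the article describes, and a user who both clicked and then reported still counts in both columns, which is the behavior the follow-up sessions should reinforce.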
And, of course, people are only one element of cybersecurity.
Other defensive measures help reduce the potential damage of an insider threat. For one, Marchi advocated for access control restrictions so that only authorized personnel can touch sensitive data and systems. This would protect key assets should hackers take over a lower-privilege account, for example. Multifactor authentication can help, too, because attackers can no longer seize control of an account just by stealing its password.