
Cyber Security in the Workplace is Everyone's Business

By Dr. Alan R. Shark, Executive Director, Public Technology Institute

October has been designated Cyber Security Awareness month, and the US Department of Homeland Security has issued a series of 5 weekly topical themes. This week's theme is "Cyber Security in the Workplace is Everyone's Business." PTI is developing a series of useful checklists and commentary created for city and county officials.

This article focuses on what an organization can and must do to be cyber secure.

Cyber security breaches have grown some 26 percent over last year with ransomware continuing to rise. County governments have always been particularly attractive targets because they collect and store such massive amounts of personal information (tax records, payment information, etc.). With the growth in the use of mobile devices and social media apps, there are now more entry points for mischief than ever before.

The weakest link continues to be our employees. One misguided click on a targeted phishing email can compromise an entire organization. To make matters worse, many phishing emails appear to come from employees whose names we know and whose email addresses were compromised in an earlier attack.

The recommendations that apply to individuals are largely the same here, with the added emphasis on the potential impact on an entire organization. One careless staff person can bring down an entire city or county operation.

Many local governments require cyber security awareness training while others simply provide optional training. Our experience shows that many programs are inadequate for several reasons, which include:

  • Training is only required once a year
  • Training can be too technical
  • Training can scare some staff and can create an environment of resentment and/or fear of punishment
  • Training can lack real-world examples, and is often out-of-date

While much of the actual protection of the digital infrastructure resides with the technical experts, there are two paramount roles elected leaders and appointed officials can and should play. The first is for public officials to set the proper example themselves. This means following the rules, such as using complex passwords and changing them regularly.

The second role is to ensure a safe and secure cyber environment. The key component of this is to have a robust Cyber Security Awareness Program. Many programs offered today online or in person vary in quality and approach. Many public officials ask, what should I be looking for and what are the elements of a sound Cyber Security Awareness Plan/Program? Here is a list to consider.

  1. Assign a senior staff member to be in charge. This person might be the Chief Information Officer, the Chief Information Security Officer, or another designee who is both technical and people-oriented. A high-level administrator or HR professional can also fill this role.
  2. The best plans are on-going and not just an annual event of a few hours of training.
  3. Practice the elements of the plan and conduct drills to make sure everyone understands and complies.
  4. Make sure there are stated consequences for careless behavior, depending on the levels of any violation.
  5. While making sure you hold to your stated policies and procedures, you also want to make sure that you create a positive environment that encourages staff to report things at once if they believe they may have come across something wrong. In fact, there should be punishments for anyone not reporting an incident immediately.
  6. Conduct regular, focused sessions aimed at exploring various types of cyberattacks. This demonstrates your organization's commitment to keeping systems safe and keeps the topic front and center with employees.
  7. Consider role playing to demonstrate how criminals use the phone or social media to manipulate staff into handing over valuable data that then ends up in the wrong hands.
  8. Employees should be trained to recognize an attack; to know not only what it looks like, but who to call and when to report the attack.
  9. Always encourage employees to come forward with anything that they feel does not look or feel right. There have been many cases where an alert employee reported something as it was unfolding and as a result was able to minimize damage and loss.
  10. Overall, training must be relevant and should be fun – like playing detective or guarding the "palace" as in a video game.

There are many digital destinations one can turn to for more information and assistance. The list below includes some very useful resources. Some are a bit more technical – so if you think one is useful, simply pass it on to your technical staff – it shows your interest. Remember, Cyber Security Awareness is about awareness!

Resources

Multi-State Information Sharing and Analysis Center. MS-ISAC is a PTI partner and membership is free.

Department of Homeland Security: "Stop.Think.Connect" Toolkit

FBI National Cyber Security Awareness Month 2017: Protecting Yourself Online in an Interconnected World

National Institute for Standards and Technology (NIST): Framework for Improving Critical Infrastructure Cybersecurity

National Institute for Standards and Technology (NIST): The Cybersecurity Framework

Center for Internet Security: CIS Controls and Benchmarks

CIS SecureSuite Membership