The past year hasn’t been kind to federal cybersecurity initiatives. Even with increased funding and attention in this area, the threat of cyberattacks still looms large for government agencies across the world, putting sensitive public systems and terabytes of citizenry data at serious risk. To counter the increased spending on cybersecurity measures, criminals have begun focusing on a vulnerability across most agencies: its employees.
According to the SolarWinds® Public Sector Cybersecurity Survey, employees within an agency, vendor, or contractor are common risk vectors for any government security posture. And almost always, they aren’t to blame; cybercriminals use extremely ruthless and nefarious ways to “trick” employees into providing access or sharing sensitive data. Not every insider threat is malicious by nature.
However, government employees still hold the responsibility and mandate to protect the security of public systems, funding, and citizenry data with which they and their agencies have been entrusted. Here are several practical steps today’s public servants can be mindful of to improve their cyber hygiene—and better secure today’s rapidly digitising governments.
Know Your Internal Cybersecurity Response Team
Imagine while busy at work, you accidentally click a suspicious link or file from an unknown source. Your system begins to act strangely before locking you out. As you begin to panic, do you know who or where to go for help? The first thing I find most government employees do is contact the IT help desk, which isn’t the most efficient way of alerting the agency about a possible cyberattack.
Just like the act of memorising public service numbers, government employees should get to know and remember the individuals with a direct purview over cybersecurity matters in their organisation. And because this roster of individuals may vary according to the size or jurisdiction of an agency, agency leaders must ensure the information is properly and consistently disseminated to all employees.
How any organisation responds in the first few minutes or hours of a cyberattack is critical. Government employees must know to notify the right individuals, who in turn will ensure the appropriate reporting, disaster control, or recovery protocols are initiated to bring the situation under control.
Never Neglect IT’s “Inconvenient” Measures
I understand it’s troublesome to connect to IT-sanctioned virtual private networks (VPNs) every time you need to access sensitive files or data on your agency network, but these measures were put in place to encrypt your connection and protect you from being used in “man-in-the-middle” attacks.
Similarly, never connect to the public Wi-Fi connections of coffee shops or airports, as they’re usually unsecured and hence exposed to eavesdropping and remote hacking activities. And never share your access credentials over public clouds, communication apps, or personal email if it hasn’t been screened or approved by IT security first.
These measures are especially relevant with more government agencies allowing employees to work remotely, away from their digitally secure perimeter. In these cases, the onus of securing every online interaction falls on the employees themselves—and failure to comply with security measures can result in serious consequences for the agency, citizens, and even the country itself. As a public servant, it’s critical for you to understand and obey these security measures, no matter how inconvenient or elaborate they may be.
Adopt a Zero-Trust Approach to All Interactions
The term “zero trust” means exactly what it sounds like: a mentality assuming anything—whether it’s communications, files, or users—is untrustworthy unless proven otherwise. In most IT security teams, it’s the default approach to any internal or external digital interaction, and government employees would be wise to take a leaf out of their book.
In fact, the zero-trust approach has been proven to be effective in combatting phishing or insider threat attacks. Never assume an email from a colleague asking for help to access a file is genuine. Never think an urgent message from your boss asking you to “lend” them your credentials is real. And never click any pop-up or notification telling you a file was compromised. Always check, double-check, and check again with IT security teams about any suspicious activity you encounter on your agency networks.
Above All, Remember Who You Represent—And Serve
Admittedly, maintaining a constantly vigilant and attentive attitude toward any possible threats can be exhausting and can distract from the real, meaningful work of public service. But with the uptick in cyberattacks targeting governments, public sector employees must do their part to protect the agencies—and by extension, the people—they serve.
To do any less, or do nothing at all, is to allow cyber criminals to have their way, even if it comes at the expense of the public, taxpayer dollars, and national security. For government employees, being a good cyber citizen translates to being a good citizen—one who acts in the interest of the country.