Insider threats (alternatively known as careless or untrained insiders) continue to be a problem for the public sector. According to 68% of respondents cited careless or untrained employees as one of the highest sources of security threats, second only to foreign governments.
Insider threats have continued to increase over the past few years. Mobile work has become commonplace, and more employees have begun using unsanctioned applications, leading to incidents of shadow IT. Meanwhile, hackers have become adept at targeting government employees through phishing and ransomware attacks, which succeed due to human error.
Educating your employees about the dangers of these attacks and putting in proper safeguards to prevent them is critical. Here are three strategies to help employees become more aware of threats and build a better security posture from the inside.
Understand while not everyone is a trained security expert, everyone can play their part
Some organizations tend to say, 鈥淓veryone is responsible for cybersecurity,鈥 which is not entirely true. An employee in charge of processing applications for social security benefits is in charge of processing applications for social security benefits, not protecting the agency from a cyber attack.
However, there are little things everyone can do to prevent threats鈥搕hey just need to know what those things are. It鈥檚 more than not opening emails from unknown senders or clicking on suspicious-looking attachments. It鈥檚 being vigilant, even when someone is feeling overworked. It鈥檚 also knowing who to report these incidents to if and when they occur and how and when to share information with colleagues about potentially suspicious activity.
Other things you can do to help employees protect your agency include:
- Implementing company-wide password protocols, including two-factor authentication
- Mandating employees to change their passwords every few months
- Adding context to communications around cybersecurity to help employees understand the ramifications of cybersecurity incidents (for example, illustrating how a breach could impact employees鈥 jobs)
While rigorous training isn鈥檛 necessary, you can aim to make safe security practices a part of your day-to-day efforts. For example, periodic email reminders, replete with simple and easy-to-follow best practices and sent from the CIO or security team, can help improve your organization鈥檚 security posture.
Conduct simulations to help employees understand how to respond to possible threats
Email reminders are important, but nothing beats practicing what to do in the event of a threat. Which is where Breach and Attack Simulations (BAS) come in.
BASs can be used to simulate just about any type of attack your employees might be exposed to, including phishing, malware, and more. Employees are asked to spot, respond to, and prevent an attack in a simulation. Managers can assess employees鈥 responses and reactions and discover where more education is needed.
Simulated attacks are also great for increasing employee vigilance and education. The more employees are exposed to simulated threats, the more knowledgeable they become about those threats鈥揳nd the less likely they will be to fall prey to them.
Build a zero-trust foundation that is secure by design
While employees should always be your first line of defense against cyberattacks, no defense is ever foolproof, even those that have been adequately trained and prepared. Implementing a secure by design zero-trust cybersecurity environment can ensure weaknesses aren鈥檛 exploited.
In a secure-by-design environment, security is inherent in every aspect of the organization. Employees are aware of possible cybersecurity risks and know how to prevent them. Security is baked into the agency鈥檚 technology infrastructure and software development processes, and all technologies an agency procures have security as a standard feature, not an add-on.
Security by design goes hand-in-hand with zero trust. Zero-trust cybersecurity models are based on an 鈥渁ssume breach鈥 mentality, where every request to access information could pose a threat. Therefore, all requests must be carefully verified, and all employees should only have access to the information they need.
Remember: while employees can be your agency鈥檚 best defenders, they鈥檙e also human. They can and will make mistakes. It鈥檚 essential to put in place safeguards to mitigate those mistakes. Education is important, but so is having a backup plan in case something fails. By covering all angles you鈥檒l have a better chance of preventing the next employee-centric cyberattack.
For more guidance on how to better enhance your agency鈥檚 cybersecurity posture, visit
