While cybersecurity is a top priority for government agencies, the cybersecurity professionals who defend government networks are not often treated as a top priority themselves, according to a new report by the IBM Center for the Business of Government.
The report, A Best Practices Guide to Information Security, notes that the greatest resource organizations have when it comes to IT security is their own staff. Because of this, it is of utmost importance for organizations to first recognize this, then motivate and educate their employees to become "protective stewards of information," the report states. Doing so, the authors argue, will do more for security than the design and implementation of any new technology.
"Despite increased attention to cybersecurity, limited funding for employee training presents a major challenge to organizations, especially government organizations," the report states. "Much of the attention that is given to cybersecurity now focuses more on deterring detrimental actions by employees than on encouraging positive actions."
It is important organizations move away from a negative approach to cybersecurity that is rooted in media coverage of negative security events in both the public and private sectors, the authors suggest. Instead, a positive approach to security should be fostered.
The report notes that 46 percent of employees have never received security education, training and awareness (SETA) from their organization. Agencies are advised to develop a SETA curriculum that emphasizes the what, the how, and the why of security: what security dangers exist inside and outside the organization, how to handle security threats, and the reasons why agencies are focusing on specific security efforts.
“SETA programs must encourage employees to expand their view on security issues by exploring the consequences and actions to events that could happen, but are not normally experienced within a particular employee’s office role,” the report states.
The report also points to a number of best practices related to logging in and out, workspace security, email and Internet protection, document protection, identification and reporting of security matters, and electronic device security.