If you work for the federal government – or just about any other employer – you probably have to complete some kind of mandatory, annual cybersecurity awareness training. Such training is designed to teach you the importance of keeping data safe and secure. It turns out it might not be working.
A recently released report “Uncovering the Gaps: Security Perceptions and Behaviors of Today’s Government Employees,” sheds light on most employees’ apathetic approach to cybersecurity. It turns out that when it comes to cybersecurity, the average employee might not really care. Published by security service firm Dtex Systems, the survey is based on responses from 1,000 employees in the public sector with government security clearances, actively working within the local, state, and federal levels. The results of those surveyed show a general lack of personal responsibility to securing work-related information.
The survey found that only 13% of respondents felt as though they had a responsibility for the cybersecurity of their employer’s information or work devices. Even more alarming, is that of the people surveyed, 48% felt they held no obligation at all. Employees indicated cybersecurity was the sole responsibility of the IT community. Almost half of those surveyed felt that no matter which safeguards they took, a cyberattack was unavoidable. However, the other 43% felt as though they couldn’t be hacked at all. One in three people reported that they thought they were more likely to be struck by lightning than to have their professional data hacked.
While nearly 14% reported being afraid of information theft, a far greater number suggested a “government collapse” was more likely. Also ranking the fear of data theft, “just three percentage points higher than alien invasion.” The report also found a lack of understanding between risk perception and identification. Simply put, government employees do not how to identify what qualifies as risky behavior. Only 31% “believe that accessing company files or a work email account on their personal devices poses a security risk – and less than half see emailing confidential data or bypassing security protocols as potentially dangerous activities.”
Cyberattacks are not a new occurrence, nor are they likely to go away any time soon. Just last year, Symantec, a software firm, stated that one in 131 emails contained malware. The lack of knowledge of safe cyber practices reveals how susceptible individuals are to accidentally compromising information. Survey results show how employees are not aware, prepared, or even afraid of a cyberattack on their employers. Government institutions are failing to convey the importance of cybersecurity and how everyone is essential to the safeguarding of information in the digital age.
What Can Be Done?
Dtex suggests that more education and accountability is key when it comes to cybersecurity. Jeff Miller, Director of U.S. Public Sector at Dtex explains, “With complete visibility into user behavior, it’s possible to spot the inconsistencies that equate to potential risks, improve employee education by identifying teachable moments, and minimize the chances of a catastrophic cyberattack.” Miller also suggests that insider threats are what’s plaguing government organizations. Most government employees fail to understand their important role as an insider. “While 42 % of respondents say insider threats pose the greatest risk to the security of their organization, nearly the same number (40 %) – less than half – were able to correctly identify ‘insider threat’ as an IT term.”
Cybersecurity is now vital in protecting information for both the public and private sectors. The U.S. government spends billions on cybersecurity, and that figure continues to rise each year. As an individual with a security clearance, it is imperative to maintain the highest quality of personal accountability when dealing with work devices and emails. Being up to date on cybersecurity techniques and threats is not only important to avoid potential pitfalls in security for your employers, but is also a personal responsibility as a professional with a security clearance.