Hackers' Little Helpers: Employees With Bad 'Cyber-Hygiene'

Governments are starting to realize that cybersecurity isn't just the responsibility of the IT department.

On this year’s list of top 10 policy and technology priorities, the National Association of State Chief Information Officers (NASCIO) named cybersecurity No. 1.

When people think about cybersecurity, they often focus on the vulnerabilities of hardware and software systems. For example, as Governing reported in late July, “several local governments across the U.S. are using a Russian brand of security software that the federal government fears could be leveraged by the foreign country for cyberespionage.” 

But, as Rajiv Das, chief security officer for the state of Michigan, explains: “There are two aspects to cybersecurity: One is the systems side, and the other is the human side.”

Agnes Kirk, chief information security officer for Washington state, agrees. “The human factor is critical. It’s been demonstrated as the weakest link in cybersecurity.”

When cities, counties and states don’t adequately train their workforces, experts warn that the entire entity is at heightened risk of cyberattack. Luckily, a growing number of governments are beginning to catch on and are working to improve their “cyber-hygiene.”

One important element of this is limiting technology access to people who genuinely need it and giving those people the necessary training to protect it. A study released in late April by Verizon reported that one of the most common reasons for a breach in the public sector is “misuse of privilege.” 

Washington state has been highly successful at avoiding serious breaches of its digital integrity. Why? Every state worker is required to undergo cybertraining.

First and foremost, the training expresses the idea that cybersecurity is everyone’s job -- not just the job of the IT department. Employees are shown the IT resources available to them, including an easy way to have an expert review a suspicious email before responding. Then, employees are taught how their specific jobs can turn them into targets.

“If they can’t relate it to their job, then it’s hard to care,” says Kirk.

Perhaps the biggest cyberthreat on the horizon is the prospect of "phishing," or the disguising of malicious software inside harmless-looking links in emails or pop-ups. One employee's click on the harmful link can open the gates for people to steal privileged data, including Social Security numbers and birth dates. It can even give hackers the ability to lock data and charge governments to unlock it, using a type of malicious software referred to as "ransomware."

Bingham County, Idaho, for example, paid $3,500 in ransom to unlock encrypted data in February. But the true cost of the attack was far greater -- nearly $100,000, which was needed to cover the conversion to manual processes during and immediately following the attack, repair the damaged server, and heighten security and training. According to the National Law Review, the county is still recovering, and “operations may not return to normal until 2018.”

Fortunately, many states are increasingly using a proven technique to keep employees from falling into a phishing hole.

“They send something like 10,000 employees an email and monitor how many of those click on that link, and then they try to change users’ behavior,” says Doug Robinson, executive director of NASCIO.

It’s working for Delaware: Employees’ phishing click rate dropped from 23 percent in August 2013 to 1 percent in February, according to Elayne Starkey, the state’s chief security officer.

Despite that success, Starkey is still concerned by the oft-heard notion that the bad guys are always going to be one step ahead of the good guys when it comes to cybersecurity. 

“That’s the kind of mentality we’re trying to fight against,” she says. “We don’t want our employees to give up.”

Caroline Cournoyer is GOVERNING's senior web editor.