Hackers' Little Helpers: Employees With Bad 'Cyber-Hygiene'

Governments are starting to realize that cybersecurity isn't just the responsibility of the IT department.

On this year’s list of top 10 policy and technology priorities, the National Association of State Chief Information Officers (NASCIO) named cybersecurity No. 1.

When people think about cybersecurity, they often focus on the vulnerabilities of hardware and software systems. For example, as Governing reported in late July, “several local governments across the U.S. are using a Russian brand of security software that the federal government fears could be leveraged by the foreign country for cyberespionage.” 

But, as Rajiv Das, chief security officer for the state of Michigan explains: “There are two aspects to cybersecurity: One is the systems side, and the other is the human side.” 

Agnes Kirk, chief information security officer for Washington state, agrees. “The human factor is critical. It’s been demonstrated as the weakest link in cybersecurity.”

When cities, counties and states don’t adequately train their workforces, experts warn that the entire entity is at heightened risk of cyberattack. Luckily, a growing number of governments are beginning to catch on and are working to improve their “cyber-hygiene.”

One important element of this is limiting technology access to people who genuinely need it and giving those people the necessary training to protect it. A study released in late April by Verizon reported that one of the most common reasons for a breach in the public sector is “misuse of privilege.” 

Washington state has been highly successful at avoiding serious breaches of its digital integrity. Why? Every state worker is required to undergo cybertraining.

First and foremost, the training expresses the idea that cybersecurity is everyone’s job -- not just the job of the IT department. Employees are shown the IT resources available to them, including an easy way to have an expert review a suspicious email before responding. Then, employees are taught how their specific jobs can turn them into targets.

“If they can’t relate it to their job, then it’s hard to care,” says Kirk.

Perhaps the biggest cyberthreat on the horizon is the prospect of "phishing," or the disguising of malicious software inside harmless-looking links in emails or pop-ups. A single employee's click on such a link can open the gates for attackers to steal privileged data, including Social Security numbers and birth dates. It can even give hackers the ability to lock data and charge governments to unlock it, using a type of malicious software referred to as "ransomware."

Bingham County, Idaho, for example, paid $3,500 in ransom to unlock encrypted data in February. But the true cost of the attack was far greater -- nearly $100,000, which was needed to cover the conversion to manual processes during and immediately following the attack, repair the damaged server, and heighten security and training. According to the National Law Review, the county is still recovering, and “operations may not return to normal until 2018.”

Fortunately, many states are increasingly using a proven technique to keep employees from falling into a phishing hole.

“They send something like 10,000 employees an email and monitor how many of those click on that link, and then they try to change users’ behavior,” says Doug Robinson, executive director of NASCIO.

It’s working for Delaware: Employees’ phishing click rate dropped from 23 percent in August 2013 to 1 percent in February, according to Elayne Starkey, the state’s chief security officer.

Despite that success, Starkey is still concerned by the oft-heard notion that the bad guys are always going to be one step ahead of the good guys when it comes to cybersecurity. 

“That’s the kind of mentality we’re trying to fight against,” she says. “We don’t want our employees to give up.”

Caroline Cournoyer is GOVERNING's senior web editor.