People remain the number one vulnerability for government organisations, and this holds true right across the board, from the tax office to military command centres. Edward Snowden’s data leakage and the WikiLeaks scandal have highlighted the danger of malicious disclosure, but more often than not the threat comes not from deliberate employee sabotage but from ignorance or careless practice.
Of the top five cyber incidents faced by government professionals, the most frequently experienced (52%) was still employee misuse; this can range from deliberately ignoring security protocols, to inappropriate personal use, to downloading material that might have a huge reputational impact on the department. 49% had also experienced “phishing” attacks, where an employee is fooled into opening a malicious attachment because it is disguised in an innocuous email. Evolutions of these threats continue to test even the strongest controls and the most alert employees.
Threats from hostile governments or sophisticated criminal organisations, dubbed “Advanced Threats” by the industry, often use an initial employee mistake to embed themselves in a targeted department, gaining persistent access to a system and becoming increasingly difficult to detect. So employee mistakes can have implications far beyond the immediate incident.
Public organisations can mitigate the employee threat by robust adherence to a few key principles. Departments should hold to the rule of least access combined with robust data classification; in short, employees should only have access to the data and systems they need to do their jobs effectively – an operations manager doesn’t routinely need to see the work of a financial controller and vice versa. It’s also essential that all data in a system is classified at the appropriate level and, most importantly, that real controls and processes are in place to prevent employees from accidentally breaching these rules. Too often, stretched resources mean that these processes fall by the wayside.
A good way for departments to protect themselves is by implementing technology and intelligence partnerships with properly vetted contractors. These managed service providers have several advantages: they are dedicated professionals who focus on cyber security rather than seeing it as an onerous add-on to core functions; they have the necessary expertise to spot and counter advanced threats; and, by pooling threats from various departments and organisations, they can build up a greater understanding of the threat picture than any one IT department alone.
There will never be a magic bullet for defeating cyber threats where users are involved; this is a constant battle. But through a combination of training, processes and judicious use of outside expertise, government security professionals can help mitigate the employee threat. It’s reassuring to see that 61% of government cyber professionals agreed that employee training must be a lead priority. We may live in a virtual age, but people will continue to remain the weakest link, grounding us in reality.