The Importance of a Robust Cyber Security Awareness Programme for Government Employees

Lisa Ventura, CEO of the UK Cyber Security Association, on the need for urgently boosting civil servant capability around Cyber

Posted 28 May 2020 by Matt Stanley

Lisa Ventura, CEO UK Cyber Security Association

Human error plays a big part in many security breaches – more than 90% according to a recent study. It is therefore little wonder that organisations are looking at cyber security awareness training programmes, and these are especially important for government departments.

No government department is immune from the threat of ransomware, phishing or CEO fraud; according to the Ninth Annual Cost of Cybercrime study released by Accenture and the Ponemon Institute, the average cost of cybercrime for a government department has increased by £1.4 million over the past year to £13.0 million. In addition, the average number of security breaches in the last year has also risen by 11%.

With cybercriminals using sophisticated social engineering techniques to bypass defences, all it takes is for one employee to unknowingly click on a malicious link. All government departments and staff are at risk, from the most influential government figures through to external government staff such as teachers, who are often targeted by hackers looking for private data. These members of staff are often too busy to stay up to date with best practice for staying safe online, rendering them prime targets and entry points for cyber criminals and hackers.

Employees are the first line of defence against cybercrime, and it is vital they are equipped with all the knowledge and skills they need to protect government departments from cyber-attacks. This is where a comprehensive Cyber Security Awareness Programme comes in: it is the best way to educate staff and create a security-first culture.

How are government bodies at risk online?

Busy government employees often don’t have time to learn best practice when it comes to cyber security. Those working in departments such as finance, HR and planning usually have intense workloads, so it is important they can work efficiently and quickly without their online safety being compromised in any way.

Government organisations need to limit, as far as possible, the risk of human error being a factor in cyber-attacks. Two-factor authentication can be a solution for staff who reuse static or simple passwords that can be stolen through brute force attacks.

It isn’t just central government workers that can be at risk when it comes to network access. Third party users such as social workers and healthcare staff may need to access a local government network – it is much more difficult to regulate the security of those logging on externally from multiple and different devices.

Government Information is Often Worth Stealing

It is said that oil is no longer worth more than gold, and that data has taken its place as the new oil. Government information is often very precious and highly coveted by the right people. Hackers targeting government often look for more substantial data than credit card numbers or personal information. It is therefore important that government bodies ensure no-one other than authorised users can access private information.

There are also many websites that draw a lot of traffic from certain groups such as local government or political party staff, and these are often targeted by hackers. This is called a watering hole attack, as it mirrors predators waiting for their prey while they drink water. It is likely that someone will click a malicious link and become infected with malware, giving hackers access to personal information.

It is therefore critical that IT staff ensure their colleagues aren’t accessing compromised websites from their network. A web filtering system is one way to try to stay on top of sites that could potentially be harmful. The filter updates with sites that have been flagged as dangerous or compromised, and blocks users from accessing them.

To help government employees be more cyber aware, a successful cyber awareness programme should address the following three areas:

1. Identify and Mitigate Risks

When creating an effective security awareness programme, you should evaluate the threat landscape and identify the top risks. Bombarding employees with the wrong training can often result in information overload. Every government department has a different threat profile, but some of the biggest threats include malware, phishing and poor security practices. Phishing is behind at least 71% of all cyber-attacks worldwide, with the common denominator behind these attacks being human error.

Taking time to identify the risks each government department faces will help shape the delivery, messaging and effective targeting of a successful cyber security awareness programme.

2. Change the Behaviour of Employees

Training methods have changed dramatically in the last ten years or so. With organisations no longer restricted to classroom-based training or tick-box one-day courses to demonstrate cyber security compliance, the scope for online training is much larger than before.

For any training programme to be successful, employees need to be fully engaged with it, to understand what is required of them and the importance of their role in the security of their government department. The best way to achieve this is through a comprehensive training programme that makes good use of videos, realistic scenarios, quizzes, policies and real-world phishing simulation tests.

3. Test the Effectiveness of Training

At the very start of a cyber security awareness programme, the government department should conduct an initial baseline assessment to see where its risks lie. Once this has been conducted, regular phishing email simulations can be rolled out to find out how susceptible the department is to fraudulent phishing emails. What is more, it will be possible to identify any staff who need additional training. Controlled simulation tests will help staff recognise, avoid and report potential threats to the security of the department. Employees should be able to report potential threats, including when they have clicked on something they shouldn’t have, without fear.
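As an added example (not code from the original article or from the UK Cyber Security Association), the following Python sketch shows how a department could turn the results of a baseline and a follow-up phishing simulation into the metrics the article calls for: click rate and report rate per department, the change between campaigns, and staff who clicked repeatedly and may need additional training. The CSV rows and column names are constructed for illustration.

```python
"""Phishing-simulation reporting: baseline vs follow-up campaign metrics."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample results (not real data): one row per user per campaign.
# outcome is one of: clicked, reported, ignored.
SAMPLE_RESULTS = """\
campaign,department,user,outcome
baseline,finance,alice,clicked
baseline,finance,bob,reported
baseline,finance,carol,ignored
baseline,hr,dave,clicked
baseline,hr,erin,clicked
follow_up,finance,alice,clicked
follow_up,finance,bob,reported
follow_up,finance,carol,reported
follow_up,hr,dave,reported
follow_up,hr,erin,ignored
"""

def load_results(text):
    return list(csv.DictReader(StringIO(text)))

def department_metrics(rows, campaign):
    """Return {department: {"click_rate": x, "report_rate": y}} for one campaign."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for row in rows:
        if row["campaign"] != campaign:
            continue
        c = counts[row["department"]]
        c["sent"] += 1
        if row["outcome"] in ("clicked", "reported"):
            c[row["outcome"]] += 1
    return {d: {"click_rate": c["clicked"] / c["sent"],
                "report_rate": c["reported"] / c["sent"]} for d, c in counts.items()}

def repeat_clickers(rows, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for extra training."""
    clicks = defaultdict(set)
    for row in rows:
        if row["outcome"] == "clicked":
            clicks[row["user"]].add(row["campaign"])
    return sorted(u for u, camps in clicks.items() if len(camps) >= min_clicks)

def progress(rows, before="baseline", after="follow_up"):
    """Change in click rate and report rate per department between two campaigns."""
    b, a = department_metrics(rows, before), department_metrics(rows, after)
    return {d: {k: round(a[d][k] - b[d][k], 2) for k in b[d]} for d in b if d in a}
```

A falling click rate with a rising report rate is the signal to look for; a department whose click rate stays flat is where the next round of targeted training belongs.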

Final Thoughts

Determining whether a cyber security awareness programme is effective is the key to its success, and any government department will need to track the metrics that come from the programme and act accordingly. Having a detailed reporting structure will provide specific information on participation and engagement and help to assess the progress of individual employees or specific departments.

Cyber security awareness training is now more vital than ever. Every government department should consider implementing a robust cyber security awareness training programme to limit the risk of human error when it comes to preventing cyber-attacks.

About The Author

Lisa Ventura: CEO & Founder of the UK Cyber Security Association

Lisa Ventura is an award-winning Cyber Security consultant and is the CEO and Founder of the UK Cyber Security Association (UKCSA), a membership association that is dedicated to individuals and companies who actively work in cyber security in the UK. She has over 10 years’ experience in the cyber security industry and is passionate about raising awareness of being more cyber aware in business to help prevent cyber-attacks and cyber fraud. She is an author and keynote speaker and has been published in various publications globally. Her first book “The Rise of the Cyber Women” is scheduled for release in June 2020. In addition, Lisa is also an advocate for women in cyber security, the cyber skills gap and neurodiversity.

More information about Lisa can be found on www.lisaventura.com.

The UK Cyber Security Association website is www.cybersecurityassociation.co.uk

Lisa’s twitter – @cybergeekgirl and @ukcybersecassoc
Lisa’s LinkedIn – https://www.linkedin.com/in/lisasventura/
Lisa’s Facebook Page – https://www.facebook.com/lisaventurauk/