Test feds' info security savvy, report suggests

A majority of federal workers continue to violate information security policies despite being aware of threats to agency systems and knowing the importance of following data security policies, a survey by SecureInfo found.

Among federal workers, 22 percent said they believe their co-workers follow information security policies and procedures half the time or less. About 58 percent said they stick to them very frequently. Only 20 percent said their co-workers adhere to them all the time.

Although 97 percent of the participants said they were required to take information security training, awareness training is not enough. Only one-third said they remembered most of the material covered in the training, said Christopher Fountain, SecureInfo president and chief executive officer. Only 48 percent said their agency tested them, according to the report on information security awareness from the perspective of government workers.

“There seems to be a significant lack of understanding by the government worker that each individual plays a critical role in protecting information assets and contributes to an agency’s information security posture,” he said in the Dec. 10 report. ”A greater sense of urgency is required."

Cyberattackers now use more sophisticated and stealthier techniques to exploit user trust, such as phishing, a technique to fool online users into divulging sensitive information. This makes the human element in information security the most unpredictable and critical vulnerability of an agency’s systems, according to the September survey of 100 federal employees and contractors.

In its previous security awareness survey in May, SecureInfo found that many federal employees were unfamiliar with the Federal Information Security Management Act, and FISMA compliance is often viewed as a headache instead of a framework for improving system and data protection.

In its latest report, SecureInfo said agencies should test and hold their employees accountable to make sure that they understand and follow data security policies and procedures. Only 36 percent said that their knowledge of security policies and procedure was part of their annual performance review, Fountain said. Agencies also should conduct random evaluations of employees’ retention of security training content through social-engineering penetration testing techniques, such as attempts to get employees to share user ID and password information. It is also critical to understand whether awareness training is effective and hold agencies accountable for it, Fountain said.

“Agency leadership…should be required to publicly report on the effectiveness of training programs,” he said. With the appropriate focus on security awareness and accountability, federal workers will do a better job of protecting government information and systems.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.