Test feds' info security savvy, report suggests

A majority of federal workers continue to violate information security policies despite being aware of threats to agency systems and knowing the importance of following data security policies, a survey by SecureInfo found.

Among federal workers, 22 percent said they believe their co-workers follow information security policies and procedures half the time or less. About 58 percent said they stick to them very frequently. Only 20 percent said their co-workers adhere to them all the time.

Although 97 percent of the participants said they were required to take information security training, awareness training is not enough. Only one-third said they remembered most of the material covered in the training, said Christopher Fountain, SecureInfo president and chief executive officer. Only 48 percent said their agency tested them, according to the report on information security awareness from the perspective of government workers.

“There seems to be a significant lack of understanding by the government worker that each individual plays a critical role in protecting information assets and contributes to an agency’s information security posture,” he said in the Dec. 10 report. ”A greater sense of urgency is required."

Cyberattackers now use more sophisticated and stealthier techniques to exploit user trust, such as phishing, a technique to fool online users into divulging sensitive information. This makes the human element in information security the most unpredictable and critical vulnerability of an agency’s systems, according to the September survey of 100 federal employees and contractors.

In its previous security awareness survey in May, SecureInfo found that many federal employees were unfamiliar with the Federal Information Security Management Act, and FISMA compliance is often viewed as a headache instead of a framework for improving system and data protection.

In its latest report, SecureInfo said agencies should test and hold their employees accountable to make sure that they understand and follow data security policies and procedures. Only 36 percent said that their knowledge of security policies and procedure was part of their annual performance review, Fountain said. Agencies also should conduct random evaluations of employees’ retention of security training content through social-engineering penetration testing techniques, such as attempts to get employees to share user ID and password information. It is also critical to understand whether awareness training is effective and hold agencies accountable for it, Fountain said.

“Agency leadership…should be required to publicly report on the effectiveness of training programs,” he said. With the appropriate focus on security awareness and accountability, federal workers will do a better job of protecting government information and systems.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.