Test feds' info security savvy, report suggests

A majority of federal workers continue to violate information security policies despite being aware of threats to agency systems and knowing the importance of following data security policies, a survey by SecureInfo found.

Among federal workers, 22 percent said they believe their co-workers follow information security policies and procedures half the time or less. About 58 percent said they stick to them very frequently. Only 20 percent said their co-workers adhere to them all the time.

Although 97 percent of the participants said they were required to take information security training, awareness training is not enough. Only one-third said they remembered most of the material covered in the training, said Christopher Fountain, SecureInfo president and chief executive officer. Only 48 percent said their agency tested them, according to the report on information security awareness from the perspective of government workers.

“There seems to be a significant lack of understanding by the government worker that each individual plays a critical role in protecting information assets and contributes to an agency’s information security posture,” he said in the Dec. 10 report. ”A greater sense of urgency is required."

Cyberattackers now use more sophisticated and stealthier techniques to exploit user trust, such as phishing, a technique to fool online users into divulging sensitive information. This makes the human element in information security the most unpredictable and critical vulnerability of an agency’s systems, according to the September survey of 100 federal employees and contractors.

In its previous security awareness survey in May, SecureInfo found that many federal employees were unfamiliar with the Federal Information Security Management Act, and FISMA compliance is often viewed as a headache instead of a framework for improving system and data protection.

In its latest report, SecureInfo said agencies should test and hold their employees accountable to make sure that they understand and follow data security policies and procedures. Only 36 percent said that their knowledge of security policies and procedure was part of their annual performance review, Fountain said. Agencies also should conduct random evaluations of employees’ retention of security training content through social-engineering penetration testing techniques, such as attempts to get employees to share user ID and password information. It is also critical to understand whether awareness training is effective and hold agencies accountable for it, Fountain said.

“Agency leadership…should be required to publicly report on the effectiveness of training programs,” he said. With the appropriate focus on security awareness and accountability, federal workers will do a better job of protecting government information and systems.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.