Workers tested on security smarts

Agencies have implemented technology policies and procedures to safeguard data and system security. However, the toughest part is getting employees to follow them and change the way they handle data, security experts say.Agencies require annual security awareness training, but it is difficult to determine how effective it is and whether employees protect data in their daily work, said Marc Groman, chief privacy officer at the Federal Trade Commission. A formal training program should include one or more computer-based training modules or live presentations that cover basic computer security concepts, he said.Privacy and data-security education and training must be offered year-round, Groman said, adding that “it’s not a one time exercise, program or event.”One way to measure progress is to track how many agency employees and contractors have completed such training, security officials said. For example, at the Justice Department some agencies block the network accounts of employees who have not taken security training classes by a certain date.Required training should be the start, not the end, of an effective employee-training program, Groman said. “There must be other creative, ongoing initiatives to keep privacy and data security in the minds of your staff on a daily basis,” he said. FTC keeps data security and privacy on the front burner by offering a number of programs throughout the year.At Justice, officials annually revise the department’s security training topics, which are closely related to rules that employees must agree to follow when they use departmental systems. The topics evolve as awareness of specific problems grows. Last year, for example, the increased occurrence of data breaches led to expanded training related to safeguarding personal information.Some agencies are trying different approaches to assess how well employees respond to suspicious situations. This year, Justice tested a program in which it sent a phishing e-mail message to a number of employees. Because the sender was unknown, employees were expected to be suspicious and not open the attachment. If an employee opened the attachment — activity that training should have taught employees not to do — the department notified the employee that opening the attachment was risky behavior and warned the employee not to do it.“We can get feedback on how effective it is at changing that behavior over time,” said Dennis Heretick, Justice’s chief information security officer.Justice officials say they hope to expand the phishing exercise, conduct periodic random sampling and keep statistics to determine if fewer people fall for phishing scams.The Treasury Inspector General for Tax Administration recently conducted a similar hands-on exercise. TIGTA staff members, posing as computer help-desk representatives, called Internal Revenue Service employees, requested their user names and asked them to temporarily change their password to one the TIGTA staff members suggested. About 60 percent of those sampled did so.In response to the TIGTA report, the IRS plans develop awareness programs for employees about social-engineering attempts by hackers, said Daniel Galik, associate chief information officer for cybersecurity at the IRS.Agencies can monitor employees’ compliance in other ways, such as conducting internal audits of privacy controls, experts say. For example, an agency can make visual spot-checks in offices and common area file rooms to verify that office doors have working locks and that personal information is not in plain view on unoccupied desks.