Test feds' info security savvy, report suggests

A majority of federal workers continue to violate information security policies despite being aware of threats to agency systems and knowing the importance of following data security policies, a survey by SecureInfo found. Among federal workers, 22 percent said they believe their co-workers follow information security policies and procedures half the time or less. About 58 percent said they stick to them very frequently. Only 20 percent said their co-workers adhere to them all the time.Although 97 percent of the participants said they were required to take information security training, awareness training is not enough. Only one-third said they remembered most of the material covered in the training, said Christopher Fountain, SecureInfo president and chief executive officer. Only 48 percent said their agency tested them, according to the report on information security awareness from the perspective of government workers. “There seems to be a significant lack of understanding by the government worker that each individual plays a critical role in protecting information assets and contributes to an agency’s information security posture,” he said in the Dec. 10 report. ”A greater sense of urgency is required." Cyberattackers now use more sophisticated and stealthier techniques to exploit user trust, such as phishing, a technique to fool online users into divulging sensitive information. This makes the human element in information security the most unpredictable and critical vulnerability of an agency’s systems, according to the September survey of 100 federal employees and contractors. In its previous security awareness survey in May, SecureInfo found that many federal employees were unfamiliar with the Federal Information Security Management Act, and FISMA compliance is often viewed as a headache instead of a framework for improving system and data protection. In its latest report, SecureInfo said agencies should test and hold their employees accountable to make sure that they understand and follow data security policies and procedures. Only 36 percent said that their knowledge of security policies and procedure was part of their annual performance review, Fountain said. Agencies also should conduct random evaluations of employees’ retention of security training content through social-engineering penetration testing techniques, such as attempts to get employees to share user ID and password information. It is also critical to understand whether awareness training is effective and hold agencies accountable for it, Fountain said. “Agency leadership…should be required to publicly report on the effectiveness of training programs,” he said. With the appropriate focus on security awareness and accountability, federal workers will do a better job of protecting government information and systems.