There are a number of reasons why governments need Security Awareness Training: to reduce the risk of successful attacks, to protect sensitive information, and to maintain public trust in government institutions. Governments and public sector departments are in the sights of cybercriminals. Research from Check Point backs up this claim; a survey from the company shows that the Government and Military Sectors in the UK and Ireland dealt with an average of 352 cyber attacks per week during mid-2021.
The UK as a whole saw a 20% increase in cyber attacks during 2020, with attack types such as ransomware increasing by a whopping 80% in the last three months of 2020. This tsunami of cyber attacks follows a typical pattern of manipulating the human factor, usually an employee or supplier.
To help alleviate the onslaught of cyber threats from phishing, accidental data exposure, and social engineering, government departments must look to Security Awareness Training.
How Data Loss and Cyber Attacks in Governments Happen
Hackers are flush from the success of past attacks on government bodies.
Perhaps the most infamous was the WannaCry ransomware attack that was felt across the globe, and particularly acutely by the UK’s NHS. As with all ransomware attacks, WannaCry was devastating, closing hospitals to new patients and putting enormous pressure on an already stretched NHS. Government is a target for cybercriminals because it has proven to be a successful option, the cybercrime equivalent of low-hanging fruit.
Attacks such as ransomware often begin with an employee being manipulated into clicking a malicious link in an email or downloading an infected attachment.
A Freedom of Information (FoI) request carried out by the think tank Parliament Street found that Her Majesty’s Treasury blocked almost 5 million phishing, malware, and spam emails over the three years to September 2021. A further Parliament Street report found that the House of Commons had blocked 126 million malicious email attempts.
But it isn’t just cyber attacks that should concern government security and compliance officers.
A report from the Ministry of Defence (MoD), analysed by Parliament Street, shows an 18% increase in data loss incidents. Most of these incidents were caused by unauthorised disclosure of data; the rest were down to the loss of electronic equipment, devices, or documents from within government premises, or to the insecure disposal of paper documents.
Cybercriminals play a long game and are continually improving their evasion techniques. A single malicious email that slips through the net can become another WannaCry-level incident. A single laptop lost on a train can end up at the doors of the media and be dealt with as a regulatory non-compliance issue by the Information Commissioner’s Office (ICO).
The perfect cyber-storm, a mix of cybercrime and accidental insider events, is gathering like a dark cloud over UK government departments.
How Cyber Security Awareness Training Can Help a Government Department Stay Cyber-Safe
The UK’s ICO has stated that 90% of data breaches are caused by human error: the part that the human factor plays in data loss and cyber-breaches is clear from the research by Parliament Street. However, the human factor in security also provides an opportunity for government departments to reduce risk.
The ability to educate users on cyber security issues and data risk is an important part of an overall security policy and strategy. Security Awareness Training provides a formal program to deliver this education; the five fundamentals of effective Security Awareness Training are:
Prevent Data Breaches
Data breaches are typically tied to a phishing campaign at some stage. An employee or other associated entity, such as a contractor or supplier, falls victim to a phishing message, and the result can be a ransomware (or other malware) infection or credential theft.
Security Awareness Training trains staff and others to spot the tell-tale signs of phishing messages and other social engineering scams. Phishing simulations can be used to support this education and to capture metrics that show how effective the training is. In a budget-strapped government IT department, security training programs can be highly cost-effective.
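The metrics a phishing simulation yields are the point of running one, so here is an added example (not code from the article or from any simulation product) that turns per-recipient simulation results into the figures a training programme would track: click rate, credential-submission rate, report rate, median time to report, and the users who clicked in more than one campaign. The campaign names, user identifiers and timestamps are constructed; a real programme would export such records from its simulation platform.

```python
"""Summarise phishing-simulation results into training metrics.

Added illustrative example; the records below are constructed, not real data.
Each SimResult is one simulated email sent to one recipient.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class SimResult:
    campaign: str                         # constructed campaign identifier
    user: str                             # constructed, pseudonymous recipient
    sent: datetime                        # when the simulated email was sent
    clicked: Optional[datetime] = None    # recipient followed the link
    submitted: Optional[datetime] = None  # recipient entered credentials on the landing page
    reported: Optional[datetime] = None   # recipient reported the email


@dataclass
class CampaignMetrics:
    campaign: str
    sent: int
    click_rate: float
    submit_rate: float
    report_rate: float
    median_minutes_to_report: Optional[float]  # None when nobody reported


def summarise(results: List[SimResult]) -> Dict[str, CampaignMetrics]:
    """Aggregate per-recipient results into per-campaign rates."""
    by_campaign: Dict[str, List[SimResult]] = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)

    out: Dict[str, CampaignMetrics] = {}
    for name, rows in by_campaign.items():
        n = len(rows)
        clicks = sum(1 for r in rows if r.clicked)
        submits = sum(1 for r in rows if r.submitted)
        # Minutes between delivery and the report, for those who reported.
        report_minutes = sorted(
            (r.reported - r.sent).total_seconds() / 60 for r in rows if r.reported
        )
        median = None
        if report_minutes:
            mid = len(report_minutes) // 2
            if len(report_minutes) % 2:
                median = report_minutes[mid]
            else:
                median = (report_minutes[mid - 1] + report_minutes[mid]) / 2
        out[name] = CampaignMetrics(
            campaign=name,
            sent=n,
            click_rate=clicks / n,
            submit_rate=submits / n,
            report_rate=len(report_minutes) / n,
            median_minutes_to_report=median,
        )
    return out


def repeat_clickers(results: List[SimResult], min_clicks: int = 2) -> List[str]:
    """Users who clicked in at least min_clicks campaigns: candidates for extra training."""
    counts: Dict[str, int] = defaultdict(int)
    for r in results:
        if r.clicked:
            counts[r.user] += 1
    return sorted(u for u, c in counts.items() if c >= min_clicks)


# Constructed sample: two quarterly campaigns to the same five recipients.
_Q1 = datetime(2021, 3, 1, 9, 0)
_Q2 = datetime(2021, 6, 1, 9, 0)
SAMPLE_RESULTS = [
    SimResult("2021-Q1", "user-a", _Q1, clicked=_Q1 + timedelta(minutes=3),
              submitted=_Q1 + timedelta(minutes=4)),
    SimResult("2021-Q1", "user-b", _Q1, clicked=_Q1 + timedelta(minutes=12)),
    SimResult("2021-Q1", "user-c", _Q1, reported=_Q1 + timedelta(minutes=10)),
    SimResult("2021-Q1", "user-d", _Q1),
    SimResult("2021-Q1", "user-e", _Q1, reported=_Q1 + timedelta(minutes=30)),
    SimResult("2021-Q2", "user-a", _Q2, clicked=_Q2 + timedelta(minutes=7)),
    SimResult("2021-Q2", "user-b", _Q2, reported=_Q2 + timedelta(minutes=5)),
    SimResult("2021-Q2", "user-c", _Q2, reported=_Q2 + timedelta(minutes=15)),
    SimResult("2021-Q2", "user-d", _Q2, reported=_Q2 + timedelta(minutes=40)),
    SimResult("2021-Q2", "user-e", _Q2),
]

if __name__ == "__main__":
    for m in summarise(SAMPLE_RESULTS).values():
        print(m)
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

Tracking click rate alone rewards the wrong thing; the report rate and time-to-report show whether staff are actually acting as a human firewall, and the repeat-clicker list tells the department where targeted follow-up training is worth its cost.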
Prevent Accidental Data Exposure
Accidental data exposure covers a gamut of events from email mis-delivery to simply leaving sensitive documents on a printer. Security Awareness Training educates staff on the hygiene elements of staying safe online as well as the more technological ones. Employees and others are trained in good practices, such as keeping up with a clean desk policy and ensuring that they don’t share passwords.
Cybercriminals are always looking for ways to circumvent traditional security measures, including changing their tactics to trick employees into performing malicious activities on their behalf. Security Awareness Training is not a one-off event; it works on the principle of continuous education to ensure that a government department (and its employees) stays on top of changes in the cyber security threat landscape.
Security For All
Every employee, consultant, and supplier is a potential target for a cybercriminal to take advantage of. Every employee and supplier also acts as a human factor in accidental data exposure. As such, Security Awareness Training programs are most effective when they are used across the entire organisation and include suppliers. With government departments using outsourced services and personnel, this aspect of Security Awareness Training is important to ensure that security-first thinking is universal.
The Human Firewall and Augmentation of Technical Measures
The concept of a human firewall is an idea that builds upon the education provided by a Security Awareness Training program. If done well, security education can empower everyone within an organisation, whilst ensuring that the group benefits as a whole from this training.
Regulatory Compliance, Data Protection Standards, and Government
One further benefit of an effective security awareness program is meeting regulatory requirements on information security. Government should set an example to the rest of industry by ensuring that it meets the remit of the various data regulations in the UK, as well as those that may apply beyond the UK’s borders. Many data protection standards and regulations, including ISO 27001 and DPA 2018/UK GDPR, now mandate or strongly encourage an organisation to train its employees to be security-aware.
Whilst traditional security measures such as two-factor authentication and encryption can help mitigate data breaches, there is nothing quite like making employees aware of the risks to an organisation from phishing and other social engineering attacks.
Government departments are at risk from data loss and cyber attacks as much as any other industry. By providing essential security training to employees, a government department can reduce its exposure and set an example and a precedent for other industries to follow.