Raising low cybersecurity awareness in local government a matter of culture, training
Although security is a top priority for government IT leaders, it has yet to reach a shared level of importance among others in local government, according to cybersecurity experts speaking on a DC CyberWeek panel.
Panelists discussed security strategies to protect local government systems, as well as the need for user buy-in to cybersecurity protocol and contingency plans. The discussion was one of the first events Monday to kick off the weeklong cybersecurity festival, which is presented by CyberScoop.
Cybersecurity has been the No. 1 priority for state chief information officers for the past five years, according to panelist Yejin Jang, director of government affairs for the National Association of State Chief Information Officers. However, less than 35 percent of average end users in local governments were either moderately aware or exceptionally aware of cybersecurity issues, according to the International City/County Management Association’s 2016 cybersecurity survey.
The discussion emphasized employee awareness and training as a cybersecurity priority for local government. According to panelist Jane Reeve, director of information services for Spotsylvania County, Virginia, cybersecurity training is an important focus for local government resources, and employee awareness is crucial.
“Security has to come first,” Reeve said.
Panelist Luis A. Campudoni, director of information technology and facilities management for the Metropolitan Washington Council of Governments, also stressed the importance of employees having a strong knowledge of security protocol so that deviations can be noticed and reported. Cybersecurity training, he said, can cultivate awareness and remind employees what is at risk if security measures are not adhered to.
Several local governments have seen success with training by establishing a “carrot and stick” incentive program to enforce the testing and teaching of cybersecurity skills, said Jang. In one instance, employees have been rewarded with parking spots if they report and don’t fall for test phishing emails. Rewarding employees for good security habits creates a stronger feeling of responsibility for maintaining cybersecurity, according to Jang.
Dale Worley, the CIO of Greenbelt, Maryland, said that training alone is not enough to make an organization cyber secure. To test and strengthen security skills, users need “constant, constant reminding.”
To strengthen cybersecurity in local government, Chris Walschin, vice president of systems security for Election Systems & Software, said that a change in mindset begins with frequent practice. Walschin recommended that local government employees prepare for proper cyber-hygiene at work by practicing at home.