Whether you’re trying to improve the security posture of your own HR team or you’re enforcing policies for all agency employees, technology is a point of concern for HR. That’s because it’s a major vulnerability for government agencies.
There are plenty of reasons. Government software tends to be older, because it’s more expensive to replace than most private-sector software. Most government agencies can’t afford the expense of high-dollar cybersecurity consultants used by large corporations. Senior-most leadership turns over at least as often as political parties change, and often more frequently than that. The biggest threat, however, is an unexpected one.
The biggest threat to governments, as it is in the private sector, is internal actors.
This seems to imply that employees are directly attacking the network. In some cases, that’s true; if you’re an HR investigator, you might have even seen cases in your own agency. Logic bomb cases, where an employee designs software to stop functioning periodically (either to exact revenge or to protect his or her job), have led to convictions at Army bases, TSA databases, and the mortgage finance company Fannie Mae over the years.
The bigger threat, however, is that agency employees are unaware of or unconcerned with how to keep organizations safe. A recent study found that 25% of employees said they leave their computer unlocked and unattended. Many non-tech-savvy employees write down their passwords and post them next to their PCs, leaving an opening that any contractor or vendor walking through the office can exploit later. And the most obvious threat is phishing emails with ransomware-based attachments or links, which are ensnaring a growing number of government agencies at all levels, leading to millions of dollars of lost time, money or both.
What can be done?
Data security and the consequences of stolen credentials are important information for all agency employees – if the topic isn’t discussed in employee onboarding, that’s a great place to start the conversation. But the topic is especially important for HR employees, who have access to databases with sensitive PII.
The most consequential action an agency can take to improve network and data security doesn’t involve expensive new software or hardware or pricey consultants. The most important thing is to educate your workforce on how to keep the agency safe, and to hire people who care enough to do it. Employees should know how to protect their passwords. Two-factor authentication should be used when available. Finally, employees should know the red flags associated with a ransomware email, and they should take the few seconds needed to look for them in any email they receive.
All of this is easier if your team, agency or state leaders are treating cybersecurity according to its true potential for harm. As recently as last year, several states had no money allocated specifically to cybersecurity. It’s no surprise that these states also faced a range of other problems, including a high rate of cybersecurity events relative to their population.