Forget Something?

Offering security training isn’t enough to curtail breaches—employees must follow through.

Most travelers know what to do at an airport security checkpoint: Pull out the quart-size, zip-top plastic bag filled with 3-ounce containers of liquids; take off shoes; place folded coat in a bin; remove laptop from its bag. It's almost second nature.

Go to any agency, however, and you likely will find many people who rarely change their passwords, who download sensitive documents to thumb drives, or who click on dubious embedded links in e-mails. Knowing what not to do when working on a computer should be just as ingrained in employees' psyches as knowing what to do at an airport security checkpoint.

But that isn't how it works. The answer, you might think, is to offer training. That can drive some changes in behavior, and agencies offer a slew of security courses. But the number of high-profile security breaches over the years proves that providing training doesn't cut down on such mishaps. "Compromises in security continuously arise where an employee is the cause," says Patrick Howard, chief information security officer for the Nuclear Regulatory Commission. He joined NRC in March, after holding the same position at the Housing and Urban Development Department. "A lot is human nature. People just don't think, or they rationalize, 'What I have to do today is more important than following security rules.'

"There has not been a culture of security established where [precautions have become] automatic, because agencies are too focused on getting the required box checked. Existing legislation is fine; it's the implementation that might be out of kilter."

The 2002 Federal Information Security Management Act requires agencies to provide training to ensure that employees are aware of their security responsibilities. The law also requires specialized training for employees whose jobs involve processing or managing sensitive information. Every year, agencies must file reports to the Office of Management and Budget on their security awareness and training programs.

The Information System Security Line of Business, part of the President's Management Agenda, directs agencies to provide by Sept. 30 security awareness training from the Defense Department, Office of Personnel Management or from a joint program developed by the State Department and the U.S. Agency for International Development. These agencies operate shared service centers that specialize in security awareness training.

The line of business encourages agencies to take advantage of specialized services, which include courses tailored to particular work roles. This training is voluntary, but OMB likely will require it once the program has been established. A volunteer cross-agency workgroup is developing standards for the program.

But employees aren't lining up to enroll. A little more than 138,500 employees from large agencies, only 4 percent of the governmentwide workforce, took security awareness training at a shared service center in 2007, according to OMB.

The key to training more employees, says Robert Howard, the Veterans Affairs Department's chief information officer, isn't more legislation. What's needed, he says, is to communicate to federal managers that security training is important. "We do not lack for guidance and direction," he says. "Just putting out programs and asking people to take them is not good enough. You've got to keep beating the drum."

In May 2006, a laptop was stolen from a VA employee's home, exposing the names, dates of birth and Social Security numbers of 26.5 million veterans and their family members. In response, the department revamped its information security program, focusing on consistent and customized training. All VA employees now sign a document that details the rules of behavior for security. They must enroll in two online training programs at least once a year, one on privacy and one on security, which are customized by each VA organization and focus on individual security responsibilities.

The department mandates a series of role-based courses that IT and security professionals must take within the first 90 days of being hired. The more an employee works with sensitive information and networks, the more advanced the security course. An intern program for new information security professionals augments the Web-based training with hands-on classroom instruction. VA assigns trained mentors to employees who need individual attention.

"You don't want everyone to become aware of information security after a VA-type of breach happens, but there needs to be a balance," says Karen Evans, OMB administrator for the Office of E-Government and Information Technology. "If an agency wants to take advantage of a particular capability, some degree of risk might be necessary. It's up to agencies to analyze backdoor vulnerabilities that exist and ask, 'Is this a risk we're willing to live with?' Then either sign off, or set the threshold higher."

Agencies should consider emerging threats that could infect their systems and incorporate lessons on how to thwart those attacks into their training programs, NRC's Howard says. Then they should test employees to see whether they retained the information and rework the content they failed to learn. "There's a temptation to say, 'That worked last year, so it's probably good this year,' but a lot changes," he says. "The bad guys, more than ever before, are taking advantage of those failures of human nature: the opening of e-mail attachments, clicking on embedded links. It's difficult to expect users to automatically not fall for that. People are basically trusting, even when they shouldn't be."
