
Combating Threats to Employees in Digital Spaces

COMMENTARY | User activity monitoring and behavior analytics can beef up cybersecurity training and help protect the agency from internal and external risk.

Malware, phishing, disinformation and more—in the current landscape, agencies face numerous threats to their cybersecurity daily, especially within the digital spaces required to support hybrid work. The old-school castle-and-moat perimeter is gone, leaving many leaders feeling exposed.

Phishing attacks, for one, remain both popular and effective. Phishing encounters have increased every quarter since early 2020, with the most recent calendar year witnessing the highest rate ever. On average, phishing attacks cost over $1 million, while the cost of cybercrime writ large is slated to hit $8 trillion this year.

With the cost of a breach so high, agencies are turning to cybersecurity training—an important first step for protecting both employees and data, but one that is hardly sufficient on its own. 

Training leaders and employees

One such training comes courtesy of the National Cybersecurity Center’s Cybersecurity for Government Leaders curriculum, which describes the most common cyberattacks and the vulnerabilities they exploit. The training’s tagline is: Don’t Get DUPED—an acronym that outlines five best practices for cybersecurity: deploy multifactor authentication, update software regularly, ensure password safety, encrypt files and messages and don’t click on unfamiliar links. 

This acronym is useful for reinforcing basic cybersecurity principles that all organizations should adhere to. Meanwhile, educating leadership is an important part of combating threats to employees in digital spaces, as many fail to understand the issue, much less address it. And yet, comprehensive cybersecurity requires not just training employees directly, but also monitoring the effectiveness of those trainings and tracking user behavior on an ongoing basis.

Imagine an agency is training its employees based on the final step in the DUPED protocol: don’t click on unfamiliar links. The agency must be able to measure the percentage of employees clicking on a phishing link, for example, before and after the training takes place. Let’s say 60% of employees clicked on the link before the training, and 55% clicked on it after. That’s a huge chunk of people who are still clicking. A targeted training for that sub-group will then be required. 
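The measurement described above, as an added example that is not part of the original commentary: it takes per-user results from a phishing simulation run before and after training, reproduces the 60% and 55% click rates on a constructed 20-user cohort, and lists who still needs targeted training. It goes one step beyond the text by applying an exact McNemar test to check whether the drop is more than noise; the cohort, user names and function names are assumptions.

```python
from math import comb

# Constructed cohort of 20 users (assumption, not data from the article):
# (number of users, clicked before training, clicked after training)
GROUPS = [(9, True, True), (3, True, False), (2, False, True), (6, False, False)]

def build_results(groups):
    """Expand the groups into {user: {"pre": bool, "post": bool}}."""
    results = {}
    for count, pre, post in groups:
        for _ in range(count):
            results[f"user{len(results) + 1:02d}"] = {"pre": pre, "post": post}
    return results

def click_rate(results, phase):
    """Fraction of users who clicked the simulated phishing link in a phase."""
    return sum(r[phase] for r in results.values()) / len(results)

def retraining_cohort(results):
    """Users who clicked after training, split into repeat and new clickers."""
    repeat = sorted(u for u, r in results.items() if r["pre"] and r["post"])
    new = sorted(u for u, r in results.items() if not r["pre"] and r["post"])
    return repeat, new

def mcnemar_exact_p(results):
    """Two-sided exact McNemar test using only users whose behavior changed."""
    improved = sum(r["pre"] and not r["post"] for r in results.values())
    worsened = sum(not r["pre"] and r["post"] for r in results.values())
    n, k = improved + worsened, min(improved, worsened)
    if n == 0:
        return 1.0  # nobody changed, so there is no evidence either way
    tail = sum(comb(n, i) for i in range(k + 1)) / 2 ** n
    return min(1.0, 2 * tail)

if __name__ == "__main__":
    results = build_results(GROUPS)
    repeat, new = retraining_cohort(results)
    print(f"click rate before: {click_rate(results, 'pre'):.0%}")
    print(f"click rate after:  {click_rate(results, 'post'):.0%}")
    print(f"repeat clickers to retrain: {len(repeat)}, new clickers: {len(new)}")
    print(f"McNemar exact p-value: {mcnemar_exact_p(results):.2f}")
```

On this constructed cohort the test returns a p-value of 1.0: three users improved and two got worse, so the five-point drop alone is not evidence that the training changed behavior.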

Understanding user behavior

The main shortcoming of the National Cybersecurity Center’s curriculum, though, is that it focuses heavily on external threats: bad actors, such as nation states, trying to hack into the system. But insider threats must be top-of-mind as well. What if employees decide to start stealing sensitive information from the agency, perhaps because they didn’t get promoted? Or what if they compromise security unintentionally? Government leaders must have a way to identify and respond to such threats, in addition to protecting employees from bad actors. 

The best way to protect against insider threats is to understand the behavior of the user through user activity monitoring (UAM). By collecting behavioral data from multiple endpoint channels, agencies can have a deeper understanding of user activity. When paired with behavioral analytics, UAM provides the context to gain insight into user behavior that might signal malicious activity or bad cybersecurity hygiene.

A comprehensive insider threat strategy protects agencies and provides an opportunity to focus training on specific user behavior deficiencies by giving organizations the data to make better training investments. Without this data, agencies are training just for the sake of saying they did, as opposed to targeting the behaviors that are actually causing the greatest risk to the organization.

The bottom line

The good news is that most agencies already have insider threat detection capabilities in place (or they should). They won’t need to deploy new technology to identify poor cybersecurity hygiene and target trainings accordingly. The bad news is that, even with such solutions, a breach of some kind is inevitable. Thus, agencies must have a clear understanding of the five W’s (the who, what, when, where, and why) of an attack to effectively respond to the breach. UAM and behavior analytics provide the context necessary for cybersecurity leaders to enhance their training to combat threats—both internal and external—to their agency.

Michael Crouse is director of insider risk at Forcepoint.