Feds as Cyber Defense

Most agencies take great pains to use technology to combat cyber attacks, but few effectively prepare and reward their employees for keeping information secure, according to a new report by the IBM Center for the Business of Government.

The report -- "A Best Practices Guide to Information Security" -- notes that while technology is a major aspect of cyber defense, the greatest resource organizations have to protect information is their own staff.

Organizations should view their employees in a positive light, motivating and educating them to become protective stewards of information, the report states.

"Despite increased attention to cybersecurity, limited funding for employee training presents a major challenge to organizations, especially government organizations," the report states. "Much of the attention that is given to cybersecurity now focuses more on deterring detrimental actions by employees than on encouraging positive actions."

The report urges agencies to move away from a negative approach to cybersecurity and instead encourage positive behaviors from employees. It also points to a number of best practices related to logging in/out, workspace security, email and Internet protection, document protection, reporting of security matters and electronic device security.

IBM also found that 46 percent of employees have never received formal security education, training and awareness, or SETA, from their organization. The report encourages agencies to develop a standard SETA curriculum that emphasizes the what, the how, and the why -- what security dangers are inside and outside the organization, how to deal with security threats, and the reasons why agencies are focusing on specific security efforts.

"Employees must believe that the suggested responses to threats are actually effective," the report states. "Without this perception, employees see no reason to engage in the suggested response other than 'because the boss told me so.'"

What are your perceptions of information security at your agency? Are you, as an employee, considered critical to your agency's security efforts, or are more training, awareness and incentives needed?