INDUSTRY INSIGHTS GOVERNMENT · INDUSTRY INSIGHTS: GOVERNMENT STATE OF PRIVACY AND SECURITY...
We gauged the privacy and security awareness of employees in government by surveying 1,016 U.S.-based employees who work for local, state, and federal government entities. We compared the results against a broader sample of employed U.S. adults that took the same survey, the results of which we featured in our 2017 State of Privacy and Security Awareness report.
Here are other key findings from our survey that every data protection leader in government at the local, state, or federal level needs to know:
The bad news:
82% OF EMPLOYEES IN GOVERNMENT lacked some preparedness (scoring as “Risks” or “Novices”) when asked how they would handle common privacy and security threat scenarios. Compare this to the 70% of surveyed employees in all other industries who scored as Risks or Novices when asked the same set of questions, and a clear picture starts to emerge.
The government sector employees surveyed performed worse in all eight threat vector categories when compared to the general population of employed adults in the U.S.
Here are some highlights:
The inability to identify phishing attempts or malware warning signs: 15% worse than the average U.S. employee
Misuse of social media: 17% worse than other industries
Reporting incidents: 7% less likely to report an incident
Improper mobile computing and cloud computing practices: 7% more likely to be done improperly
And even physical security protocols: 13% more lax on protocols
CONCLUSION
GOVERNMENT INDUSTRY: KEY FINDINGS
GOVERNMENT EMPLOYEE RISK PROFILES
GOVERNMENT SECTOR THREAT VECTORS
46% of government employees surveyed SCORED IN THE “RISK” CATEGORY, meaning their actions pose a serious potential threat to the privacy or security of their organizations. Compare this to 19% of the general population that scored as Risks.
61% of the executives and managers at government organizations that we surveyed scored as “Risks.”
Only 18% of gov’t employees showed a strong understanding of data protection best practices and earned the title of “Hero” in our survey results.
The least risky group? TEMPORARY AND SEASONAL EMPLOYEES scored better than full-time employees across all eight threat vector categories. Yet temporary employees still performed worse relative to the general population by a range of 3% to 10%, depending on the threat category.
Employees showed the riskiest behavior when asked about SOCIAL MEDIA USE (30%), followed closely by questions about physical security (29%) and mobile computing (25%).
The numbers below represent the percentage of respondents who chose incorrect answers or risky behaviors in each of the eight threat vectors, compared to the general population surveyed in our 2017 State of Privacy and Security Awareness Report:
Government employees showed the greatest understanding of security and privacy best practices when asked about cloud computing – yet NEARLY 1 IN 5 (18%) STILL EXHIBITED RISKY BEHAVIORS in this category.
Admittedly, seeing how employees in government performed on our survey can be bleak.
But, there is hope.
You don’t need to develop a new type of technology or build a new network from scratch to solve this problem. The solution is simple: it’s just the humans that need an “update.” By keeping employees informed on a regular basis – not just about new and emerging threats but on how their daily actions impact the safekeeping of sensitive data at their organizations – employees can be empowered to better protect the sensitive information entrusted to them by American citizens.
Government employees know that all parts of a system must be functioning optimally to get the best results. With that in mind, once-a-year training (or heaven forbid, only once ever, at hiring) isn’t nearly enough to keep the wheels of data protection moving smoothly within any level of government. Only a holistic, year-round security and privacy awareness program can keep data protection best practices top-of-mind with employees.
With the trust of citizens on the line, checking and double-checking data protection practices at your government organization is more critical than ever. Make sure you can easily answer the question: what are you doing right now to protect citizens’ data from threats, both outside and inside your organization?
To start improving the state of security and privacy awareness within your organization, you first need to gauge your organization’s state of risk. MediaPRO’s Behavioral Risk Assessment tool, based on the survey we distributed for this report, is designed to be easily deployed to your employee population so that you can identify and address your organization’s unique risks as you build a comprehensive awareness program.
INCIDENT REPORTING
No one wants the finger pointed at them when things go wrong. Maybe that’s why the 2018 Verizon Data Breach Investigations Report says 68% of breaches in government took months or longer to discover in 2017. We found that government workers were 7% worse at reporting incidents compared to the general population.
IDENTIFYING MALWARE WARNING SIGNS
Compared to the general population, 15% more government employees could not identify some common warning signs of malware.
WORKING REMOTELY
26% of government employees surveyed reported they would take unnecessary risks when working remotely.
CLOUD COMPUTING
18% of respondents chose risky actions when presented with scenarios involving storing sensitive data on personal cloud-based storage or when sending work documents via personal email. 14% of seasonal and temporary employees exhibited risky behaviors, while 34% of executives and managers did the same.
ACCEPTABLE USE OF SOCIAL MEDIA
17% more government employees reported making risky behavioral choices than the general population. And this time, foreign gov’ts are difficult to blame: survey questions included scenarios such as re-tweeting sensitive or inappropriate information and joining in on public social conversations about sensitive information controlled by the organization.
[Chart: GOVERNMENT SECTOR vs. GENERAL POPULATION by threat vector; values shown: 26%, 27%, 26%, 19%, 12%, 19%]
RISK
SCORE: 0 - 23. PERCENT RANGE: 0% - 74.2%.
GOVERNMENT SECTOR: 46%. GENERAL POPULATION: 19%.
These individuals put their organizations at serious risk for a privacy or security incident. Such incidents can mean big trouble for an organization, including loss of consumer trust, financial and reputation damages, and more.
NOVICE
SCORE: 24 - 28. PERCENT RANGE: 77.4% - 90.3%.
GOVERNMENT SECTOR: 36%. GENERAL POPULATION: 51%.
Novices have a good understanding of the basics, but could stand to learn more. They should remember that even one wrong decision or mistake can lead to a security and/or privacy incident.
HERO
SCORE: 29 - 31. PERCENT RANGE: 93.5% - 100%.
GOVERNMENT SECTOR: 18%. GENERAL POPULATION: 30%.
These individuals know their stuff, including how to identify and properly dispose of personal information, recognize phishing attempts and malware, and keep information safe while working remotely.
INDUSTRY INSIGHTS: GOVERNMENT STATE OF PRIVACY AND SECURITY AWARENESS
Citizens are increasingly concerned about the sensitive data held and used by government entities, fueled partly by stories of cyberespionage, rumors of voter fraud, and social media’s impact on U.S. elections. It’s not all speculation: in the 2018 Verizon Data Breach Investigations Report, public administration entities reported that cyberespionage accounted for a quarter of breaches in the last year (with 96% of those cyberespionage attacks executed via phishing).
Of the data compromised in these breaches, 41% was personal information.
But with all the focus on state-affiliated actors and cybercriminals, one major hole is being overlooked: employees. Privileged misuse and miscellaneous errors by insiders account for a third of breaches, according to the DBIR. It makes us wonder: when was the last time these government agencies deployed a refresher training course on appropriate use of social media, proper data handling, or using a VPN?
IDENTIFYING PERSONAL INFORMATION
20% of respondents failed to recognize some examples of personally identifiable information, or PII. This was consistent across all levels of management and all sizes of institutions.
GOVERNMENT SECTOR: 20%. GENERAL POPULATION: 19%.
PHYSICAL SECURITY
Government institutions that have more than 5,000 employees showed the greatest risk in this area (45% of respondents chose risky behaviors when asked about specific scenarios related to building security) relative to their smaller counterparts (33%).
GOVERNMENT SECTOR: 37%. GENERAL POPULATION: 24%.
IDENTIFYING PHISHING ATTEMPTS
It seems that not a lot has changed since the DNC breach in 2015. 23% of gov’t employees struggled to identify phishing attempts – a major deficit when compared to the general population (8%).
GOVERNMENT SECTOR: 23%. GENERAL POPULATION: 8%.
[Chart values: 18%, 37%, 11%, 20%, 17%, 7%, 15%, 7%, 13%, 19%, 51%, 30%]