The inaugural edition of The Endpoint Ecosystem study was published recently, and it offers some interesting findings on cybersecurity in government. “Companies are getting hacked, employees are resigning, and the battle for talent is intensifying,” reads the blurb for this annual report, which also highlights the cyber risks in government settings.
The study examines employee perceptions of privacy, personal well-being, and productivity in the workplace with respect to the ecosystem of devices, apps, and tools that employees use. It offers a glimpse into the dynamics between employee experience and security. With the rise of work-from-home, BYOD, and other arrangements that complicate the workplace, the study is a useful resource for employers in different sectors, including government.
How different is the cybersecurity situation in government compared to businesses and private organizations? Not very, judging by the common government employee behaviors and habits revealed in The Endpoint Ecosystem report.
Employees growing their shadow IT
The Endpoint Ecosystem study reveals that over 39 percent of employees find the cybersecurity policies in their offices too restrictive, while 32 percent say that they have been looking for ways to get around the security measures and guidelines. The study also shows that 45 percent of employees think that they can work more efficiently by using non-work-related apps like Gmail and Dropbox.
This aversion to using what the organization provides or prescribes drives the growth of shadow IT: the IT infrastructure, resources, and assets that are neither monitored by nor visible to the central IT administration. The result is less security visibility and a larger attack surface, since data flows to services the organization cannot monitor, patch, or revoke access to.
Shadow IT is rarely avoidable, but it must always be treated as a risk. To address the threats that come with it, especially in a government setting, it is advisable to use comprehensive protection capable of addressing cyberattacks, insider threats, and data exposure on-premises and in the cloud.
Government employees wittingly or unwittingly build up complex shadow IT in their respective offices or agencies. The more devices, gadgets, apps, and web services they use without coordinating with their IT department, the more unmanaged exposure accumulates. The remedy is to improve security visibility, whether by building discovery into existing telemetry (proxy, DNS, and identity logs) or by adopting a platform that extends monitoring to shadow IT assets and resources.
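One concrete way to get that visibility is to run the web proxy or DNS logs the agency already collects against a catalogue of consumer services and an allowlist of sanctioned ones. The script below is an added example written for this article, not code from The Endpoint Ecosystem study or its publisher; the log format, the `SANCTIONED` set, and the log lines themselves are constructed for the demonstration. The catalogue domains are real, but the list is a starting point rather than an exhaustive inventory.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Consumer services that commonly end up as shadow IT. The domains are real;
# the list is illustrative, not exhaustive.
SHADOW_IT_DOMAINS = {
    "gmail.com": "Gmail",
    "mail.google.com": "Gmail",
    "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
    "drive.google.com": "Google Drive",
}

# Services the (hypothetical) agency has sanctioned; anything else in the
# catalogue above is flagged.
SANCTIONED = {"Google Drive"}

# Constructed proxy log lines: "<timestamp> <user> <client-ip> <host>".
# Made-up records for the example, not real traffic.
SAMPLE_LOG = """\
2023-03-01T09:12:03Z alice 10.0.4.21 mail.google.com
2023-03-01T09:12:10Z alice 10.0.4.21 intranet.example.gov
2023-03-01T09:15:44Z bob 10.0.4.33 www.dropbox.com
2023-03-01T09:16:02Z bob 10.0.4.33 dropbox.com.attacker.example
2023-03-01T09:20:19Z carol 10.0.4.40 drive.google.com
2023-03-01T09:21:55Z carol 10.0.4.40 wetransfer.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<host>\S+)$")


def classify_host(host: str) -> str | None:
    """Return the service name if host is a catalogued domain or a subdomain of one.

    Matching is done on label boundaries, longest suffix first, so that
    "dropbox.com.attacker.example" is not mistaken for Dropbox.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in SHADOW_IT_DOMAINS:
            return SHADOW_IT_DOMAINS[suffix]
    return None


def find_shadow_it(log_text: str, sanctioned=SANCTIONED) -> dict[str, set[str]]:
    """Map each user to the set of unsanctioned services they reached."""
    findings: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        service = classify_host(m.group("host"))
        if service and service not in sanctioned:
            findings[m.group("user")].add(service)
    return dict(findings)


if __name__ == "__main__":
    for user, services in sorted(find_shadow_it(SAMPLE_LOG).items()):
        print(f"{user}: {', '.join(sorted(services))}")
```

The suffix matching is the part worth copying: naive substring checks on hostnames are a common false-positive (and evasion) source, and a report that names users and services is far more actionable than a raw count of blocked requests.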
Government workers failing to escape perennial password problems
Government employees have a serious problem with passwords, and it mirrors what is observed in the private sector. Most people who work in government have poor password habits. The study found that 73 percent of government workers reuse the same password across different apps, and nearly as many, 72 percent, choose passwords that are easy to recall.
Additionally, the study found that around a fifth of government employees write their passwords in personal journals. A paper record is only as safe as the place it is kept, and the occasional scheme of camouflaging a password in a sea of text, such as splicing fragments into notes, to-do lists, or messages so that nothing on the page looks important, offers little protection against anyone who knows the trick. In any case, such schemes are rarely practiced.
Worse, some 11 percent say they store their passwords in note apps on their smartphones, while 17 percent compile them in Excel or Word. Plaintext files and notes are exactly what infostealer malware and anyone with access to the device or its cloud sync go looking for, so the digital medium makes theft easier, not harder.
To address the problem of easy-to-guess passwords, use passwords of at least 8 characters, with longer being better; length does more for strength than forced mixing of uppercase, lowercase, numbers, and symbols, though those can be added where the system requires them. Avoiding "easy to recall" passwords does not mean the password must be hard for the user to remember. It means avoiding the words and phrases most people would guess first.
Harvard Information Security has a good tip on how to come up with passwords that are easy to remember but difficult for attackers to guess. Instead of a single word, use a passphrase of several words with the spaces removed. To make the phrase harder to guess, numbers or symbols can be inserted into it. For example, the phrase “verYdifficult” can be written as “5erY5001ff1100ul+”, where letters that double as Roman numerals are converted to their values (v=5, d=500, i=1, c=100) and the letter “t” is replaced with “+”. The caveat is that such substitutions are well known to password-cracking tools, which apply them as rules to ordinary wordlists; the strength comes mainly from the length and unpredictability of the underlying phrase, not from the substitution.
Harvard Information Security also recommends using a well-known, reliable password manager when remembering multiple passwords becomes difficult. Password managers generate very strong, unique passwords and fill them in securely, so the user only has to remember the login details for the manager itself and keep its multifactor authentication in place.
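The following example, added here to illustrate the advice in the last three paragraphs, makes the caveat concrete: it applies the article's Roman-numeral substitution, shows that the substitution is trivially reversible (which is what a cracker's rule engine does to a wordlist), and compares the guess space an attacker actually faces with what a length-times-charset estimate claims, then generates a random passphrase the way a password manager would. This is not Harvard Information Security's code or a tool from the study; the `WORDLIST`, the dictionary size of 100,000 and the rule count of 10,000 are assumptions chosen for the demonstration.

```python
import math
import secrets

# The substitution from the article's example: letters that double as Roman
# numerals become their values and "t" becomes "+". The article leaves "l"
# unchanged, so it is left out here as well.
SUBSTITUTIONS = {"v": "5", "d": "500", "i": "1", "c": "100", "t": "+"}


def mangle(phrase: str) -> str:
    """Apply the substitution to lowercase letters; uppercase stays as-is."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in phrase)


def demangle(password: str) -> str:
    """Undo mangle() with longest-token-first matching.

    This is the kind of rule a cracking tool applies to every wordlist entry:
    once the scheme is known, the substitution costs the attacker one rule,
    not additional brute force.
    """
    reverse = sorted(((v, k) for k, v in SUBSTITUTIONS.items()),
                     key=lambda t: -len(t[0]))
    out, i = [], 0
    while i < len(password):
        for token, letter in reverse:
            if password.startswith(token, i):
                out.append(letter)
                i += len(token)
                break
        else:
            out.append(password[i])
            i += 1
    return "".join(out)


def naive_bits(password: str, alphabet: int = 95) -> float:
    """What a length-times-charset estimate claims (95 = printable ASCII)."""
    return len(password) * math.log2(alphabet)


def rule_based_bits(wordlist_size: int, rule_count: int) -> float:
    """Guess space when the attacker tries every word under every mangling rule."""
    return math.log2(wordlist_size * rule_count)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random."""
    return word_count * math.log2(wordlist_size)


# Constructed mini wordlist for the demo; a real diceware-style list has
# thousands of entries (7776 is the size used in the estimate below).
WORDLIST = ["anchor", "basalt", "cobalt", "drizzle",
            "ember", "falcon", "gravel", "harbor"]


def random_passphrase(word_count: int = 5, wordlist=WORDLIST) -> str:
    """Pick words with the secrets module (a CSPRNG), never random.choice()."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    pw = mangle("verYdifficult")
    print(pw, "->", demangle(pw))
    print(f"charset estimate: {naive_bits(pw):.1f} bits")
    print(f"wordlist x rules: {rule_based_bits(100_000, 10_000):.1f} bits")
    print(f"5 random words:   {passphrase_bits(5, 7776):.1f} bits")
    print("example passphrase:", random_passphrase())
```

The numbers tell the story: the 17-character mangled string looks like roughly 112 bits of entropy by character count, but an attacker who tries 100,000 dictionary phrases under 10,000 mangling rules needs only about 2^30 guesses, while five words chosen at random from a 7,776-word list give about 65 bits even when the attacker knows exactly how the passphrase was built.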
Failing to distinguish between work and personal affairs
This is not exclusive to the government setting, but it is notable that 44 percent of government workers use work computers and other devices for personal purposes, while 60 percent say they use personal devices for work. Around a quarter of government employees also admit that they let family members use their work computers or gadgets.
BYOD and work-from-home arrangements, which have grown over the past couple of years, have also been among the major drivers of cyber risk in government offices. According to The Endpoint Ecosystem study, 64 percent of government employees use their personal laptops and 89 percent use their personal smartphones for work.
These situations are highly risky, especially for agencies that handle sensitive data. Accidental transmission of documents or media to personal contacts is one concern. Another is that a threat actor who compromises an employee's personal device, which typically lacks the agency's patching, monitoring, and endpoint controls, gains a foothold from which to reach confidential government data and resources.
The solution sounds simple: restrict work devices to official use. It is easier said than done. The study may not have asked about the specific device-use policies of the organizations surveyed, but most of them likely already have rules restricting work devices to work-related use. Many employees disregard such rules, especially in the absence of regular device inspections or audits.
To protect work devices and access to sensitive government data and resources, every device must be properly secured, regardless of whether it is for work or personal use. All data transmissions and communications must be encrypted. Where work and personal use cannot be cleanly separated, the safer course is to put essential security controls on all devices.
Emphasis on cybersecurity in government
With the surge of cyberattacks, especially on government institutions during the pandemic and since the outbreak of the war between Russia and Ukraine, it is not difficult to see why governments are becoming more careful about their security posture. The recent passage of the Strengthening American Cybersecurity Act by the United States Congress shows how the threat landscape has changed and how important it is to adapt.
Employee behaviors and habits are not easy to change, but it is crucial to address them, as they contribute heavily to cybersecurity problems. People remain the weakest link in the security chain, yet that link can be strengthened, and the success rate of attacks aimed at human weaknesses can be reduced.