Security Apathy Is Real – Here Are 5 Ways Agencies Can Combat It
January 31, 2022
Security
A new study, the SolarWinds IT Trends Report 2021, suggests that although tech pros are confident in their work-from-home and remote work policies, agencies are at a critical inflection point, as this confidence could create complacency or lead to security failures.
To avoid falling behind, here are five steps government agencies can take to combat security apathy and proactively manage cyber risk as we emerge from the pandemic.
1. Acknowledge Security 101 is everyone’s responsibility
Security 101 demands that security be every employee’s responsibility. Most risk is produced by human behavior, so tech and non-tech employees alike must think of themselves as part of the extended security team.
IT teams must examine current processes and deploy solutions providing complete visibility into all systems. For non-tech teams, not being “blind” to risk means practicing basic cyber hygiene.
2. Foster greater alignment between IT and organizational leadership
The SolarWinds report found 63% of respondents believe it’s not a case of “if” but “when” a risk factor will impact them. However, a third of these respondents have difficulty convincing other leaders of this reality.
To help agency leaders make informed decisions about policies and technologies, government tech pros must speak the “language of the business” and present proof points to gain senior buy-in. They must also pinpoint the impacts should the game of risk not go in the organization’s favor.
3. Normalize risk aversion
The SolarWinds survey found 47% of respondents said their organization had medium exposure to enterprise IT risk over the past 12 months. Security breaches were the top macro trend impacting risk (71%).
Agencies must adopt a mentality in which even small levels of risk are unacceptable.
Tech pros and the IT community at large must normalize a sense of risk aversion. This starts with understanding that security compromises will happen.
4. Prioritize skills development
IT professionals are no strangers to certifications. Tech pros should feel empowered to push back when appropriate, and ask how specific certifications or training map back to the organization’s priorities. Tech teams need to communicate what form of training can bring value to the organization, so senior leaders can prioritize skills development more strategically.
5. Improve employee engagement
To combat security apathy among non-technical employees, agencies must go beyond tactical methods like regularly training them to change their passwords. Organization leaders should point out the business impact of a cyberattack, particularly the disruption employees will experience at work as the agency works to manage the crisis. Agencies must engage their employees and highlight these risks—then follow through with security guidelines and recommendations.
Read the full GovLoop article here.