You’ve taken some measures for securing your agency against hackers – undertaken security assessments to identify exposure points and adopted cybersecurity software to protect your systems and data.
Cybersecurity solutions are effective for defending against external threats, but internal risks are just as real. Often, a security breach arises from a government employee making a mistake during their everyday work. Fortunately, there are ways to safeguard your organization against these security risks too.
Security Changes When an Employee Changes Roles
No one wants to think their employees are doing something wrong, but it’s crucial to have in place processes that prevent unintentional security violations by employees. One key step is updating security profiles when employees change roles within the agency. They likely won’t need access to the same software as before.
This is in keeping with the principle of least privilege: employees should have only the access to data, resources, and applications they specifically need to do their jobs. This is usually implemented in applications by role-based security. While it might be frustrating for employees (especially managers) to lose access to the tools they’re used to, it’s a vital safeguard, protecting against things like the accidental deletion of important data.
Security for When an Employee Leaves the Agency
Government entities have a significantly lower rate of employee churn compared to the public sector. Nonetheless, it’s important to have automated process in place to revoke access as soon as an employee departs, including physical access like key cards or codes for alarm systems.
The use of SaaS tools in government entities is ubiquitous, and it’s another area that can introduce some security risks when an employee departs. When purchasing SaaS software, consider whether they have controls in place to prevent employees from downloading large volumes of data. Also, signups to SaaS tools should be monitored to ensure employees don’t register with a private email address that allows them to continue to access the software after leaving an organization. Temporary access granted to vendors or project partners needs to be revoked once a project is over.
Security in the Workplace
There are some conventional security controls at most government agencies – access control systems, security cameras, alarms, motion sensors. Large organizations often have rules in place to prevent staff from leaving sensitive materials on desks; some even require screen privacy filters which prevent the visual hacking of devices.
There are other ways that technology can compromise security, however. Video conferencing solutions have added security capabilities like end-to-end encryption and access permissions. Unfortunately, employees often leave applications that contain sensitive information (such as email) open when screensharing during video calls.
Sensitive information can also be inadvertently leaked when displayed on a white board visible in the background during a video call, or even as a reflection on eyeglasses. Employees will sometimes share videos or screenshots that display URLs that have not been masked. Unfortunately, these may display information, such as login credentials or API parameters, that allow hackers to access web pages or to create convincing phishing links. In extreme cases, employees will screenshare actual production data during demos or webinars. Employees who work from home should turn off devices like Google Home or Alexa before making calls that cover sensitive information, as they may be recording what is being said.
Lapses like these can be prevented by developing organizational security processes and training employees in them. Our government IT experts can conduct security assessments and implement a cybersecurity solution for your agency. We can also provide cybersecurity training solutions to help your staff identify and prevent common security compromises. Talk to us about how we’ve helped secure government agencies like yours.
