
INDUSTRY INSIGHTS: GOVERNMENT STATE OF PRIVACY AND SECURITY AWARENESS


We gauged the privacy and security awareness of employees in government by surveying 1,016 U.S.-based employees who work for local, state, and federal government entities. We compared the results against a broader sample of employed U.S. adults that took the same survey, the results of which we featured in our 2017 State of Privacy and Security Awareness report.

Here are other key findings from our survey that every data protection leader in government at the local, state, or federal level needs to know:

The bad news: 82% OF EMPLOYEES IN GOVERNMENT lacked some preparedness (scoring as “Risks” or “Novices”) when asked how they would handle common privacy and security threat scenarios. Compare this to the 70% of surveyed employees in all other industries who scored as Risks or Novices when asked the same set of questions, and a clear picture starts to emerge.

The government sector employees surveyed performed worse in all eight threat vector categories when compared to the general population of employed adults in the U.S. Here are some highlights:

The inability to identify phishing attempts or malware warning signs: 15% worse than the average U.S. employee

Misuse of social media: 17% worse than other industries

Reporting incidents: 7% less likely to report an incident

Improper mobile computing and cloud computing practices: 7% more likely to be done improperly

And even physical security protocols: 13% more lax on protocols

CONCLUSION

GOVERNMENT INDUSTRY: KEY FINDINGS

GOVERNMENT EMPLOYEE RISK PROFILES

GOVERNMENT SECTOR THREAT VECTORS

46% of government employees surveyed SCORED IN THE “RISK” CATEGORY, meaning their actions pose a serious potential threat to the privacy or security of their organizations. Compare this to 19% of the general population that scored as Risks.

61% of the executives and managers at government organizations that we surveyed scored as “Risks.”

The least risky group? TEMPORARY AND SEASONAL EMPLOYEES scored better than full-time employees across all eight threat vector categories. Yet temporary employees still performed worse relative to the general population by a range of 3% to 10%, depending on the threat category.

Employees showed the riskiest behavior when asked about SOCIAL MEDIA USE (30%), followed closely by questions about physical security (29%) and mobile computing (25%).

Only 18% of gov’t employees showed a strong understanding of data protection best practices and earned the title of “Hero” in our survey results.

The numbers below represent the percentage of respondents who chose incorrect answers or risky behaviors in each of the eight threat vectors, compared to the general population surveyed in our 2017 State of Privacy and Security Awareness Report:

Government employees showed the greatest understanding of security and privacy best practices when asked about cloud computing – yet NEARLY 1 IN 5 (18%) STILL EXHIBITED RISKY BEHAVIORS in this category.

Admittedly, seeing how employees in government performed on our survey can be bleak.

But, there is hope.

You don’t need to develop a new type of technology or build a new network from scratch to solve this problem. The solution is simple: it’s just the humans that need an “update.” By keeping employees informed on a regular basis – not just about new and emerging threats but on how their daily actions impact the safekeeping of sensitive data at their organizations – employees can be empowered to better protect the sensitive information entrusted to them by American citizens.

Government employees know that all parts of a system must be functioning optimally to get the best results. With that in mind, once-a-year training (or heaven forbid, only once ever, at hiring) isn’t nearly enough to keep the wheels of data protection moving smoothly within any level of government. Only a holistic, year-round security and privacy awareness program can keep data protection best practices top-of-mind with employees.

With the trust of citizens on the line, checking and double-checking data protection practices at your government organization is more critical than ever. Make sure you can easily answer the question: what are you doing right now to protect citizens’ data from threats, both outside and inside your organization?

To start improving the state of security and privacy awareness within your organization, you first need to gauge your organization’s state of risk. MediaPRO’s Behavioral Risk Assessment tool, based on the survey we distributed for this report, is designed to be easily deployed to your employee population so that you can identify and address your organization’s unique risks as you build a comprehensive awareness program.

INCIDENT REPORTING

No one wants the finger pointed at them when things go wrong. Maybe that’s why the 2018 Verizon Data Breach Investigations Report says 68% of breaches in government took months or longer to discover in 2017. We found that government workers were 7% worse at reporting incidents compared to the general population.

IDENTIFYING MALWARE WARNING SIGNS

Compared to the general population, 15% more government employees could not identify some common warning signs of malware.

WORKING REMOTELY

26% of government employees surveyed reported they would take unnecessary risks when working remotely.

CLOUD COMPUTING

18% of respondents chose risky actions when presented with scenarios involving storing sensitive data on personal cloud-based storage or when sending work documents via personal email. 14% of seasonal and temporary employees exhibited risky behaviors, while 34% of executives and managers did the same.

ACCEPTABLE USE OF SOCIAL MEDIA

17% more government employees reported making risky behavioral choices than the general population. And this time, foreign gov’ts are difficult to blame: survey questions included scenarios such as re-tweeting sensitive or inappropriate information and joining in on public social conversations about sensitive information controlled by the organization.

[Charts for each category above compare GENERAL POPULATION with GOVERNMENT SECTOR.]

RISK: 46% (score 0 - 23, percent range 0% - 74.2%)

These individuals put their organizations at serious risk for a privacy or security incident. Such incidents can mean big trouble for an organization, including loss of consumer trust, financial and reputation damages, and more.

NOVICE: 36% (score 24 - 28, percent range 77.4% - 90.3%)

Novices have a good understanding of the basics, but could stand to learn more. They should remember that even one wrong decision or mistake can lead to a security and/or privacy incident.

HERO: 18% (score 29 - 31, percent range 93.5% - 100%)

These individuals know their stuff, including how to identify and properly dispose of personal information, recognize phishing attempts and malware, and keep information safe while working remotely.

INDUSTRY INSIGHTS: GOVERNMENT STATE OF PRIVACY AND SECURITY AWARENESS

Citizens are increasingly concerned about the sensitive data held and used by government entities, fueled partly by stories of cyberespionage, rumors of voter fraud, and social media’s impact on U.S. elections. It’s not all speculation: in the 2018 Verizon Data Breach Investigations Report, public administration entities reported that cyberespionage accounted for a quarter of breaches in the last year (with 96% of those cyberespionage attacks executed via phishing).

Of the data compromised in these breaches, 41% was personal information.

But with all the focus on state-affiliated actors and cybercriminals, one major hole is being overlooked: employees. Privileged misuse and miscellaneous errors by insiders account for a third of breaches, according to the DBIR. It makes us wonder: when was the last time these government agencies deployed a refresher training course on appropriate use of social media, proper data handling, or using a VPN?

20% of respondents failed to recognize some examples of personally identifiable information, or PII. This was consistent across all levels of management and all sizes of institutions.

IDENTIFYING PERSONAL INFORMATION

20% 19%

GENERAL POPULATION

GOVERNMENT SECTOR

Government institutions that have more than 5,000 employees showed the greatest risk in this area (45% of respondents chose risky behaviors when asked about specific scenarios related to building security) relative to their smaller counterparts (33%).

PHYSICAL SECURITY

37% 24%

GENERAL POPULATION

GOVERNMENT SECTOR

It seems that not a lot has changed since the DNC breach in 2015. 23% of gov’t employees struggled to identify phishing attempts – a major deficit when compared to the general population (8%).

IDENTIFYING PHISHING ATTEMPTS

23% 8%

GENERAL POPULATION

GOVERNMENT SECTOR

GENERAL POPULATION risk profiles: RISK 19%, NOVICE 51%, HERO 30%