Taking measures to protect employees from workplace accidents seems like an obvious need today, but that was not always the case. Less than half a century ago, there was no Occupational Safety and Health Administration (OSHA). Workers’ compensation laws were passed state by state during the first half of the twentieth century, but before the 1970 law that created OSHA, workers had little recourse to prevent injuries on the job.
Today, failing to ensure the safety of employees would be unthinkable. When I worked with a major global chemical manufacturer, every meeting began with a PowerPoint presentation on safety, highlighting the importance of the topic. Heaven help the person whose power cord was stretched across the pathway where someone could trip and fall in one of those meetings. Today, agencies need to bring the same level of motivation to ensure that their data and devices are secure.
Not unlike workplace accidents, a cyber breach is costly, to say the least. While the numbers vary based on a variety of factors, from organization size to severity of the attack, the average cost of a major data breach in the U.S. has been estimated at more than $7 million.
In the government, just as in the private sector, we’re certainly not seeing a decrease in cyberattacks—I have yet to walk into an office building displaying a large sign that reads, “Zero cyber incidents for the third month in a row.” Federal agencies responsible for safeguarding the personally identifying information of millions of Americans, or which protect national security secrets, may be especially tempting targets for cyber criminals or spies.
A few key questions to ask, early on
Cybersecurity is critical to digital transformation, but, more importantly, it must be part of a culture change throughout a government organization. Federal IT leaders must consider security needs early on, whether an application is being developed or a process is being automated. Here are a few key questions to ask:
- Are security requirements included in the planning and design process, or are they an afterthought?
- Who will have access to the system or application and what functions can be performed?
- What types of data are involved, and how are they stored, processed and transmitted?
- Can users and applications be uniquely identified, and are their actions logged?
And remember, automated processes and robots need to be subject to the same security controls that we put in place for humans.
Tips to prioritize cybersecurity
While there are many things you can do to improve your agency’s cybersecurity profile, too often we see organizations implement technical security safeguards but fail to implement proper security policies or procedures. I outlined some key principles for laying a strong security foundation in my previous blog, Laying the foundation for cybersecurity, but here are some basic steps you can prioritize now:
- Include training and security reviews as part of project planning and system design
- Conduct unannounced phishing exercises to test how susceptible your organization is to an attack (and train your employees to spot fake email messages!)
- Make sure visitors are running updated antivirus software before they connect to your corporate network—or, better yet, don’t allow connections.
By taking a broader approach to cybersecurity, with the same diligence used to prevent injuries on the job, you can safeguard your whole organization—employees, stakeholders and customers alike. For more insight, download our whitepaper IT Security Governance: Taking a holistic approach.