Human risk and error still represent the most significant cyber breach vectors, and with the dispersion of user-device network endpoints away from traditional networks during the coronavirus pandemic, those two vectors are only becoming more challenging to address, state and local government officials said during a Nov. 22 GovTech webinar.
In the pre-pandemic era, user-device endpoints on government networks were more often situated within government offices, and protected by layers of defenses including firewalls, intrusion prevention systems, DNS filtering, and even segmented networks. But as those endpoints have increasingly moved from office to home-based and mobile settings, they have become less trustworthy without office-based layers of defense.
“[End points] operated on what we deemed at that time as a trusted network,” said Michael T. Geraghty, chief information security officer for the State of New Jersey. “Essentially, you have endpoints working in a landfill hoping that it doesn’t get dirty.”
The disruptions of the pandemic and the continued hybrid work environment have exponentially increased cyber risks generated by human error and behavior. Peter Miller, chief security officer for the Orange County Government in Orlando, Fla., attributes some of that increased risk to psychological factors because “once you’re at home you may feel freer to do things you wouldn’t normally do at work.”
In a remote work environment, distractions get in the way and lead to employees losing focus, and that loss of focus may lead to an increase in risk, Miller said. “Rushing through assignments and distractions lead to more mistakes and increased risks,” he said.
According to Miller, government organizations need to undertake extensive and continuous training to remind employees of what they should and should not be doing while working. “It’s a matter of constant training, concentration, and awareness. And any time we see a shift in the road, it’s our job to realign them,” he emphasized.
As employees begin to return to traditional office settings and bring their user devices with them, Geraghty said state and local government agencies need to think about risks that have increased in the past year and a half, primarily because “adversaries have grown increasingly sophisticated in their efforts to exploit users in phishing attacks.”
In particular, state and local agencies must ensure that there is no dormant malware on incoming laptops or desktops that will be plugged into agency networks when remote workers return, he said.