In mid-June, a sprawling, apparently coordinated wave of cyberattacks hit hundreds of organizations worldwide. Among these organizations was Louisiana’s motor vehicle office, which had approximately 6 million records exposed in the breach, including driver’s license numbers, vehicle registration data, birthdates, heights, and more. Oregon, too, suffered a breach in the same wave of attacks that exposed the information of 3.5 million state citizens.
The threat of cyberattacks against government agencies everywhere is only ramping up as time goes on. In this context of increased risk, regulators possess sensitive information that can be leveraged by criminals for monetary gain.
Verizon’s 2023 Data Breach Investigations Report (DBIR) found that public administrations experienced more cybersecurity incidents than any other industry in 2022. System intrusion, lost/stolen assets, and social engineering – a form of attack in which members of an organization are deceived into granting hackers access to sensitive data – accounted for 76% of identified attack methods in the public sector.
How can regulators ensure their agencies are safe from these threats?
Where does culture come into play?
For one thing, agencies would do well to follow widely adopted cybersecurity frameworks such as the NIST Risk Management Framework, which outlines how to implement and maintain an IT system with a high level of security, privacy, and resilience. They can also benefit from vetting third-party software providers, checking for a history of safety and security in the track record of every vendor.
In the complex tapestry that makes up an agency’s cybersecurity protocol, something that often gets glossed over is the importance of organizational culture. The more employees are aware of threats, feel safe to speak up about them, are educated about what they look like, and are prepared to respond to them in an appropriate and effective manner, the better off an agency will be.
But what are the exact steps regulators can take to build a culture of cybersecurity preparedness?
Leadership and communications
A fundamental part of organizational culture is clarity of vision and purpose. Every employee at an agency should be able to understand and articulate what the organization’s cybersecurity standards are and how they are expected to be upheld.
Even more simply, agency leaders must communicate clearly, regularly, and consistently what cybersecurity looks like for their organization and why it is important to be vigilant.
What are breaches? What are the warning signs that the organization is under attack? What are the best practices to keep information and systems safe? In an agency with a strong cybersecurity culture, every employee should be able to answer these questions.
Training and onboarding
Robust training and onboarding practices can help regulators build a strong foundation for operational security overall. Regular cybersecurity awareness training is already required in most data security regulations and frameworks, including HIPAA, GDPR, PCI DSS, and FISMA. Cybersecurity training can include modules on basic cyber hygiene and social engineering threats as well as attack simulations to gauge employee awareness and reinforce basic principles.
Some state governments have already taken notice of the importance of cybersecurity training – take, for example, Texas’s 2019 law requiring state and local government employees to undergo mandatory cybersecurity training. The law was passed immediately before a series of ransomware attacks affected 22 governments across the state, and programs taught under the new rules must meet a certain set of criteria – they must teach “principles of information security” and show employees how to be aware of basic cyberthreats, including phishing emails and ransomware.
According to Dallas Chief Information Security Officer Brian Gardner, the new regulations made his job easier, as they not only mandated cybersecurity training for all state and local government workers but also gave certain officials the authority to restrict network access for employees who refused training. Kristen Sanders, CISO of the Albuquerque-Bernalillo County Water Utility in New Mexico, said illustrating to users the purpose of each cybersecurity measure makes the experience easier for everyone involved.
When choosing training programs for their employees, public officials may look to established frameworks that outline best practices for cybersecurity training, education, and workforce development – frameworks like that provided by the National Initiative for Cybersecurity Education (NICE). The NICE Framework “assists organizations with managing cybersecurity risks by providing a way to discuss the work and learners associated with cybersecurity.”
Reporting mechanisms
While training and education create an important foundation for cybersecurity culture within an organization, other pillars must be upheld to ensure a high level of awareness and responsiveness across the board. For example, without robust reporting mechanisms to alert administrators or IT staff of cyberthreats and potential breaches, instances of suspicious activity can slip through the cracks and never reach the people who should be treating them with adequate care and diligence.
Regulatory staff must be comfortable knowing they can report any perceived threats to the appropriate personnel, like information and communication technology (ICT) specialists, without fear of admonishment or penalties. The reporting mechanisms they use must be simple and clear-cut, with explicitly designated parties to which different potential threats and incidents can be reported. Without adequate reporting systems, even the best cybersecurity training and education programs can prove ineffectual.
Culture may not be enough – but it’s a good start
Of course, culture alone cannot curb cyberthreats. Preparedness will always require a multi-pronged approach that involves maintaining robust internal hardware and software systems and vetting third-party software providers, among other measures.
But by thoroughly training employees, creating a work environment where they feel safe to raise concerns, and making clear the situations in which they should report suspicious activity on an organization’s networks, regulators can ensure a higher level of internal resilience to the constantly developing threat of cyberattacks.