A culture of unaccountability, poor cyber-hygiene and limited staff training are creating a perfect storm of cyber-risk for governments worldwide, with many workers unbothered about the prospect of a serious data breach, Ivanti has warned.
The security vendor polled 800 public sector workers worldwide to compile its new Government Cybersecurity Status Report.
It found a “not my job” attitude is exposing governments to excessive cyber-risk. Just a third (34%) of workers recognized that their actions impact their organization’s security posture. Nearly two-fifths (36%) said they haven’t reported phishing emails in the past, while a fifth (21%) said they don’t even care if the organization is hacked.
Ivanti also found that poor security practice was widespread: 40% have used the same password for over a year, a third (34%) have used the same password across multiple devices and 12% admitted accessing sensitive information they didn’t require for work.
Younger (Gen Z and Millennial) respondents were more likely to have poor password hygiene.
This is increasingly important given that an estimated 70% of government employees work remotely at least some of the time, a setting in which cyber-risk is arguably heightened.
Governments are also failing the security test. On average only 39% of respondents said their employer provides mandatory training, while nearly a third (29%) don’t require partners or vendors to complete such training, according to Ivanti.
Additionally, 17% of workers said they don’t feel comfortable reporting a mistake they’ve made to the security team.
This is already having an impact as 5% of respondents said they’ve fallen victim to a phishing attempt — either by clicking a link or sending money.
Ivanti chief product officer, Srinivas Mukkamala, described the situation as a “state of urgency” given the sensitive data government employees have access to.
“Government leaders around the world have recognized this urgency and are taking steps to combat ransomware and misinformation, and to protect their critical assets and infrastructure,” he added.
“If we don't focus on cybersecurity as a team effort and provide proactive security measures that enable a better employee experience, security teams and governments will continue to face an uphill battle.”