
Building a Culture of Cyber Literacy

Improving employees’ cybersecurity awareness has long been a focus of government agencies. The changing cyber threat landscape, with attacks becoming ever more frequent and sophisticated, has put a finer point on what employees need to know. The goal now is not just cyber awareness, but cyber literacy — the ability to function safely in online environments with a clear understanding of what constitutes safe behavior.

For agencies, that means regularly connecting with employees to provide education and training that align with their jobs and to update them on new threats and attack techniques. In addition, agencies can sharpen the focus of mandatory annual cyber awareness training to form a foundation for cyber literacy.

“The annual training, at least as it’s being done by our agency, is very effective [for] not only sharing tips, information and resources, but assessing that the employees actually understand the content and can apply it in the right way,” said Rodney Petersen, Director of the National Initiative for Cybersecurity Education (NICE) at NIST. But achieving cyber literacy among the workforce requires agencies to exceed that baseline.

Train Regularly

“Annual training is not enough,” Petersen said. “It has to be reinforced throughout the year.” NICE, which originated in 2008, focuses on helping government agencies, the private sector and academia build their cybersecurity workforces from within. Part of its initial focus was preparing federal workers to handle cybersecurity challenges, and it now coordinates with cyber education programs such as those that CISA and the Federal Information Security Educators run.

Another role NICE plays is promoting an integrated ecosystem of cybersecurity education. In the current threat climate, that means bringing about a cultural change in which cyber literacy is interlaced with daily aspects of work.

Foundations of Cyber Literacy

“The main message is that cybersecurity is everyone’s job,” Petersen said. “It’s not just the job of the CIO, CISO or the people doing technical work, but it’s everyone across the enterprise.”

There are three general levels of cybersecurity education: training for all, for the many, and for the few. The first level applies to all users, including the general public, and the third level is NICE’s focus — that is, people who will make cybersecurity their career.

Cyber literacy falls into the second category — and applies to all agency employees, including “people who have specialized access to data and systems and may need specialized training to administer systems securely,” Petersen said.

To be cyber literate, employees need regular updates and education plus annual and job-specific training. For instance, security teams can issue alerts about new phishing campaigns or other attacks to keep employees apprised of current threats. “We look at phishing especially because some of the messages can be really targeted,” he said.

Where to Start

In developing cyber literacy programs, agencies can draw from many resources. NIST’s Special Publication 800-50, released in final form in October 2023, spells out the steps for designing, developing and implementing an awareness program.

CISA outlines the four basics of online safety — recognizing and reporting phishing; using strong passwords; using multifactor authentication on any site an agency offers, whenever possible; and updating software promptly, even automatically. The National Cybersecurity Alliance expands on that with other advice, such as using secure Wi-Fi and ways to recognize suspicious links.

NICE also coordinates with the National Cyber Workforce and Education Strategy, which promotes foundational cyber skills for all employees, in addition to supporting the pursuit of careers.

Ultimately, Petersen said, developing cyber literacy depends on making it part of an agency’s culture through persistent, consistent messaging.

This article appeared in our guide, “How to Build a Cyber-Savvy Workforce.” To read more about how agencies are raising their cyber game, download it here:
