Do you conduct cybersecurity training? If not, your city is taking on great risk.
For example:
- How would ransomware get into your city network?
- Who would receive an email with ransomware?
- Who might click on a malicious website link or open a malicious file that contains the ransomware?
The answer: City staff or some other end user on your network.
But how could they let that happen? How could they not see the danger or know better?
Well…have you trained them on how to spot these warning signs?
Today, training employees about cybersecurity is more important than ever. Cities are targets for hackers and criminals who use ransomware, malware, viruses, and other cyberattack tools to harm city operations, networks, and data. Hackers use techniques that trick employees into handing over access to your systems—and criminals know that people can be the weakest link in your security.
To ensure that your staff receives the best training possible, here are some essential topics to consider for making your cybersecurity training more effective.
Phishing today takes many forms that can trick anyone. Hackers still successfully send out broad emails that spoof organizations (like banks or retailers), hoping to get you to enter your personal and financial information. More sophisticated phishing attacks known as “spear phishing” specifically target people at your city. A hacker might pretend to be the city manager and ask the city clerk for information, or try to get the city clerk to make a large financial transaction into the hacker’s bank account.
Employees can learn how to spot signs of a phishing attack:
Ransomware is a form of malware that encrypts data to hold it hostage until you pay the criminal a “ransom” to decrypt it. Since 2017, it has become a common form of malware that leaves a trail of destruction at cities. Examples include Atlanta; Spring Hill, Tennessee; and Cockrell Hill, Texas.
Because ransomware often originates from malware in email links and attachments, phishing training (above) can help prevent ransomware infections. In addition, IT staff and city decision makers need to learn about preventative measures such as patching and updating software, using endpoint detection and response (EDR), and backing up data (both onsite and offsite).
Cities should never pay a ransom. Quite simply, it’s not guaranteed that you will get your data back from criminals. Furthermore, a very high percentage of organizations that pay do not get their data back, and by then the untraceable funds they paid are long gone. Training should reinforce that cities should instead rely on data backup and disaster recovery plans to restore data.
It’s good to review with employees why security compromises occur. The top three reasons include:
This last point is especially important to discuss during training. Employees tend to ignore procedures and trust someone too quickly on the phone, in person, or through email. Just because someone says, “This is Dave from IT and I need your password to…” doesn’t mean that you should hand over a password.
Training should include recommendations that will impact employee behavior in a positive way. For example:
Also, train often! At a minimum, you should provide annual cybersecurity training for employees, but more frequent training is better. People can easily forget the information shared during a training session. Plus, cyberattacks constantly evolve and adapt. Employees need to stay on top of new threats.
If you don’t involve everyone in training, it’s less likely that people will take it seriously. For example, if the mayor, elected officials, city manager, city clerk, and department heads all don’t care about cybersecurity training, then it’s less likely employees will care. Conversely, if only senior-level employees get training, then it’s less likely that this knowledge will trickle down to all employees.
A great way to supplement cybersecurity training is to simulate a cyberattack. For example, simulated phishing attacks will identify susceptible employees. You can then provide additional training and communication with them to make sure they are better able to spot phishing attacks.
Employees should be aware of additional reasons that security compromises occur such as:
Decision makers at cities especially need to understand how proactive IT investments help mitigate cybersecurity risks. Training should review how:
As you can see, there are many ways to make cybersecurity training more effective and engaging. Most importantly, you need to conduct ongoing cybersecurity training. It’s one of the best ways to mitigate the risk of cyberattacks.