COVID-19 has radically changed how state and local government (SLG) services are delivered and how their workforces operate. As employees moved from physical offices to their homes, government services had to be virtualized. This has presented SLG IT teams with a host of new concerns – chief among them is cybersecurity.
When employees connect from the state network to their own home networks, cyber risk skyrockets. IT pros must work to secure state information and services in an unsecured environment. During today’s Cybersmart 2020 digital conference hosted by NextGov, two SLG cybersecurity leaders said they have relied on cybersecurity training to keep things secure amid the pandemic.
Michael Anderson, CISO for Dallas County, Texas, issued a warning to SLG cybersecurity leaders.
“As security practitioners and leaders, we have to realize that the workforce is the lowest common denominator in all of this,” Anderson said. Cyber teams can put together robust security and layered defenses, but if an employee doesn’t know how to identify or respond to a phishing email, the government is still at risk, he said. “It only takes one,” Anderson warned.
However, it’s not enough to simply push out cybersecurity training; IT staff must work to ensure that training is actually effective. Tim Roemer, CISO of the State of Arizona, said IT pros need to keep things in simple terms, stay away from the technical side, and stay away from boring one-hour videos.
“We did short, quick, engaging videos – no more than three minutes,” he said. “I tasked my team to find the most engaging videos you can,” Roemer said, and his team ended up turning to YouTube. “We found a video of Jimmy Kimmel going on the street and asking people to tell him their passwords and then we sent that to our employees.” Yes, they laughed, he said. But they also learned the importance of their password.
Both Anderson and Roemer agreed that training cannot be a one-time activity; it has to be constant and diversified. They also agreed that training has to start early.
Anderson stressed the importance of “training folks as soon as they enter the organization,” explaining that it “reduces the learning curve.” He also noted that his team uses different types of training, including newsletters and flash trainings, to keep employees up to date.
“You can’t train once, it has to be constant,” Roemer agreed. “Yes, we have one large training event during Cybersecurity Awareness Month [in October], but we also do smaller training every week.”
One way Roemer worked to improve Arizona’s cybersecurity posture was by growing his team from 16 employees to 32,000. He didn’t go on a wild hiring spree, rather he worked to make sure all employees felt like part of his team and responsible for cybersecurity.
Anderson agreed that making non-IT employees feel like cybersecurity is their responsibility is key.
“We share information in an easy-to-consume format so employees understand that just because I am a security leader, doesn’t mean I am solely responsible for cybersecurity,” Anderson said. While it is up to Anderson to provide information and training, “it is up to the employee to consume that information and apply it to the real world.”
Pivoting back to COVID-specific concerns, Roemer discussed what happened right as the pandemic hit and the state had to transition to telework.
“When COVID hit, the [state] government asked what I needed,” he said, adding, “I think they were expecting me to ask for $5 million.” But that wasn’t what Roemer needed – and he stressed that throwing money at the problem isn’t always the solution.
Rather, he wanted to be able to email all state employees to tell them what cyber risks existed and share Federal government cybersecurity resources.
“We shared what they shouldn’t do, but also what attacks they should be on the lookout for,” he said. Roemer was able to email every state employee, and he said “that put employees in a better position to protect the state.”