After a spate of crippling cyberattacks targeting Georgia agencies, Gov. Brian Kemp signed an executive order in August requiring state workers to undergo new training aimed at preventing ransomware attacks. The order also bolsters a state government systems security review board created in 2015 by adding a slate of additional state leaders and requiring new cybersecurity protocols to defend against online intrusion.
The steps came after hackers demanding a ransom payment hobbled a string of state and local departments, including Georgia’s courts agency and several law enforcement offices. The order requires state staffers to complete a cybersecurity training course within the next three months or face formal disciplinary action that could include job loss.
But state governments should not wait for hacks to mandate statewide cybersecurity training and administer it on a regular basis. In October 2018, the National Association for State Chief Information Officers and Deloitte emphasized the importance of cybersecurity training for the state government workforce. In “States at risk: Bold plays for change,” the organizations find almost all state CISOs say they provide cybersecurity training regularly, in part to address a shortage of skilled workers.
“Further evidence of CISOs’ growing proficiency includes an increase in delivering cybersecurity awareness training and regular assessments of top security threats. Awareness training for state employees and contractors, at least annually, is now the established model in the vast majority of states — 94 percent in 2018 compared to 84 percent in 2016,” the report states.
Cybersecurity Training for State Workers Is Key
The National Conference of State Legislatures echoes the observation that most states offer cybersecurity training to workers and notes many require it. In a fact sheet, “State Cyber Training for State Employees,” NCSL enumerates the training initiative of each state, from training opportunities in California to Maryland's mandate that employees take a class with the U.S. Department of Homeland Security.
As for DHS, it offers cybersecurity training resources to all state and local governments that request its assistance.
“Training is essential to preparing the cybersecurity workforce of tomorrow, and for keeping current cybersecurity workers up to date on skills and evolving threats. The Department of Homeland Security is committed to providing the nation with access to cybersecurity training and workforce development efforts to develop a more resilient and capable cyber nation,” DHS states.
When it comes to local governments, the New Hampshire Municipal Association prescribes that a city implement cybersecurity awareness training and testing not only for all government employees but also for “anyone who interacts with its networks and systems.”
“Effectively training all municipal employees on cybersecurity issues is an essential component of any comprehensive cybersecurity program and should, at a minimum, include educating employees on how to recognize risks and potential cyberthreats such as phishing scams, malware and ransomware,” writes Lisa Thompson, chair of the New Hampshire Bar Association’s intellectual property section, in NHMA’s Town and City Magazine.
“Local governments should also consider creating training manuals for employees. Regularly educating employees on the risks of downloading attachments from unknown sources, using insecure networks, sharing passwords and social engineering can greatly reduce the threat of a cyberattack,” she adds.
What Cybersecurity Training Should Cover
Texas passed a law in June requiring all state workers who perform at least 25 percent of their duties with a computer, and all local government employees with computer access, to undergo cybersecurity awareness training, StateScoop reports. Two months later, 22 local governments across the state were hit with ransomware.
The Texas Department of Information Resources is approving training through a variety of sources. “DIR is opening the application process to training courses developed both in-house and by third-party vendors, but all programs seeking certification must meet a handful of requirements,” StateScoop reports.
The programs must follow an authorized course certification checklist and “must teach ‘principles of information security’ … including knowledge of the types of data employees work with as well as how that data is stored,” StateScoop reports. The training must address basic cybersecurity threats facing governments, such as phishing, malicious code and ransomware.
The National Institute of Standards and Technology promulgated a cybersecurity education framework from which Texas drew its certification requirements, according to the Texas DIR.
NHMA prescribes continuing cybersecurity training, noting that “since cyberthreats are constantly evolving, creating a culture of awareness requires ongoing education and training and is not something that can be done just once.”