Training Employees Can Thwart Phishing Attacks
According to the IBM Security survey, only 38 percent of respondents report receiving general ransomware prevention training. So, clearly, even for telework employees, state and local agencies can augment their training programs to spread the word about the threat of ransomware and what to do about it. Agencies have a great opportunity to broadcast such training to everyone at the same time on a work-from-home schedule.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has resources available to state and local governments that seek to establishing training programs. “Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website,” CISA notes.
Many state and local governments have identified successful ransomware incursions that began through a phishing email, so training employees to spot and report phishing is paramount. When ransomware successfully invades government networks, it often does so after a sole employee clicks one link in a phishing email. It is important to train everyone who has access to a network on best security practices.
Securing Networks Is Critical In and Out of the Office
As for best security practices, there is no one way to defeat ransomware. As Deloitte Insights observes, “Ultimately, reversing the current trend in ransomware attacks rests on doing the basics well: building and operating networks well, and responding well to inevitable attacks.”
Best practices for security carry similar characteristics whether government employees work in the office or work at home. Good cybersecurity practices may include, among other measures, implementing multifactor authentication, network segmentation and endpoint security tools, state and local CIOs tell us. But such measures may be beyond the reach of some localities.
“Many governments struggle to keep pace with the rapid pace of technology refresh cycles. Tight budgets limit the amount of modernization that can take place, and even if budget is available, the tech refresh process itself can strain government IT departments,” Deloitte Insights states.
Putting what money is available into training may make the most of what’s available.
Spend Budgets Effectively on Security Training
In the IBM Security survey, 52 percent of state and local government IT and security officials say cybersecurity budgets have remained stagnant. This perfect storm of limited training and limited budget helps make government agencies attractive ransomware targets. Ransomware struck more than 70 state and local governments in 2019, according to Barracuda Networks.
It follows that tight budgets and few experts may leave little money for training. But as Deloitte Insights notes, “The most advanced cybersecurity tools in the world cannot make up for poorly trained workers.”
Cybersecurity managers perhaps can find opportunity in a crisis. If faced with a large percentage of agency employees teleworking, for example, they can incorporate resources from CISA into a presentation that makes sense for their network and broadcast it to employees in a required meeting. With that, agencies can produce a cybersecurity playbook as a training reference manual and discuss it often.
Measures such as software patches and backup systems go a long way to defeating ransomware. But a well-trained staff will prove to be a powerful defense for securing a network. Agencies that can put a little time and effort into rudimentary training can make a strong start.