
May 15 2025
Security

User Awareness Training Must Be Cybersecurity Investment No. 1 

For small and rural towns and counties, cybersecurity awareness training is the lowest of the low-hanging fruit when it comes to achieving cyber resilience.

Cyberthreats are multiplying and getting more complex. No one is immune, especially not small or rural communities with limited IT staff and tight budgets. 

When you're facing ransomware, phishing emails, deepfakes or invoice fraud with a two- or three-person IT team and a long list of responsibilities, high-impact, cost-effective solutions are a necessity.

That’s where user awareness training shines. 

Of all the things that a town, county or other small jurisdiction can invest in to improve its cybersecurity posture, consistent, practical training for end users delivers the greatest bang for the buck.


People Are the Front Line, and the Most Common Point of Failure

Gary Coverdale, the CISO for Santa Barbara County, Calif., recently told StateTech that his top key performance indicator for cybersecurity is 100% completion of user awareness training. Why? Because ransomware is the threat that keeps him up at night, and ransomware is so often disseminated through phishing, social engineering and compromised business email. Put simply, ransomware and malware start with people. 

Rural counties, small towns and suburbs are often targeted by cybercriminals because they’re vulnerable and because communities rely on them to maintain uptime. It’s not unusual for one person in the finance office to receive and process most, if not all, invoices. If that person is targeted with a convincing fake invoice or a spoofed email from a “vendor,” the odds of an error are high, especially if there’s no policy requiring a second verification step.

This is why awareness training is so critical. It teaches people to slow down, ask questions and verify. The most effective training programs are lightweight, recurring and tailored to staff. Rather than requiring a long information session once per year, provide 10-minute modules every month or quarter.

Cyberthreat simulations can also add value. For instance, tools from Trend Micro and Proofpoint offer phishing simulation campaigns where organizations can test their staff with real-world scenarios, such as police-targeted phishing, and adjust based on the results. With AI-generated examples and platforms that support customization, these training opportunities become more relevant, and therefore more effective.


Policy and Process Matter Just as Much as Training

Cybersecurity awareness training doesn’t exist in a vacuum. It only works when paired with clear, enforced policies. In many ways, policies are the answer to the question, “What are we training them to do?” 

A great example of a policy at work would be treating email-based processes the way we treat account logins: with two-factor verification. In the same way that multifactor authentication protects your login, your workflow should have a second layer of verification. For instance, invoices over a certain amount should trigger a policy-mandated phone call or in-person confirmation.

Too often, small jurisdictions don’t document workflows at all, let alone implement controls that govern them in accordance with a clear policy. When a request looks plausible enough, staff may default to trust rather than protocol, and that’s when things can go wrong.

Everyone from the finance office to utilities should know the red flags to watch out for and what steps to take if something feels off. Combine that with regular training, and you create not just cybersecurity awareness, but true cyber resilience.


Other Tools That Make a Difference Without Breaking the Bank

Beyond awareness and policy, small communities need to know that there are affordable tools to support and enforce safer user behaviors, including:

  • Privileged access management. When attackers get in, the damage depends on what accounts they can access. Shared administrator logins and reused passwords are common in small teams, making lateral movement easy for attackers. Vendors such as Fortinet offer low-cost PAM options to help prevent this.
  • Anti-phishing tools. Email gateways from vendors such as Check Point, Abnormal Security, Trend Micro and Mimecast offer much better protection than native operating system defenses. Blocking malicious emails before they even hit the inbox is the best-case scenario.

It’s also worth noting that many cyber insurance policies require organizations to implement security controls such as PAM and MFA. Meeting those standards can sometimes lower premiums and, more important, prevent a situation where a claim is denied because a requirement hasn’t been met.

Cybersecurity doesn’t necessarily have to be expensive to be effective, but it does need to be intentional. Training people, creating good policies and investing in a few critical safeguards can go a long way toward protecting even the smallest jurisdiction from today’s increasingly sophisticated cyberthreats.
