For the last 20 months or so, we’ve worked with nearly 200 government municipalities on cyber loss control projects, now largely completed. Cyber security training has recently been a popular topic of discussion, and in this post—the fifth in our Cyber Security Foundation for Municipal Government series—we would like to explore why information security education is so important for municipal employees.
The Risk of Ineffective Training
With “the global nightmare” of ransomware and other malware attacks escalating at 350% per year, the world’s greatest firewall can’t protect your organization if your “human firewall” doesn’t know how to spot and block malware attacks. It is well established that the great majority of data breaches are caused by human error and by failure to uphold security policies and procedures.
This is why so many malware attacks target users! Investing in people is often the best move to protect data and the best solution is cyber security awareness education. Failure to educate users about cyber security is arguably the worst security mistake a municipality can make.
But with small budgets and big risks, you need a cyber security awareness program that is affordable, engaging and effective. Too many such programs fail to accomplish their goals because they’re boring, confusing, not relevant, too time-consuming, and/or make it hard to gauge progress and effectiveness.
Cyber Security Education for Municipal Government Personnel
To be effective, an education program also needs to cover the right topics. These include:
- Malware—how it works, what it targets and how to avoid becoming a victim
- Phishing and spear-phishing—what it is, what phishing attacks look like and how to identify and block them
- Social engineering and physical security—what’s involved, what attacks look like, and basic rules to keep attackers out
- Phone phishing (vishing)—basic concepts, attack types and how to handle them
In general, you want everyone in your organization to be security conscious and on alert for suspicious emails, phone calls and visits. As a follow-up to education or training, you also want to establish an incident response protocol and educate users about it (more on that in our next post), especially who to contact if someone spots a threat.
Another important aspect of cybersecurity awareness education is validating the benefits by conducting periodic tests. Hand-in-hand with testing is repetition of the material to keep it top-of-mind and bring new people up to speed. As the saying goes: If someone hasn’t heard your message at least three times, they don’t know it.
Pivot Point Security offers an online cyber security awareness education program that’s affordable, simple to administer and proven effective. Contact us for a free demo.
In our next post, we’ll overview cyber security contingency planning: incident response, disaster recovery and business continuity. Until then… stay tuned and stay safe!
Ongoing Series: Cyber Security Foundation for Municipal Governments
We are overviewing this foundational cyber security guidance for municipalities in a series of blog posts. The full list of topics we will be covering includes:
- Covering the bases
- Password management and access control
- Backup and encryption
- Malware and social engineering attacks
- Cyber security awareness education (CURRENT POST)
- Contingency planning: Incident response, disaster recovery and business continuity
- Vendor risk management
- Patching and other “technical controls” (coming soon)