How to Create Effective Cybersecurity Training for Cities

June 28, 2018

Nathan Eisner, COO, Sophicity

This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
Do you conduct cybersecurity training? If not, your city is taking on great risk. 

For example:
  • How would ransomware get into your city network?
  • Who would receive an email with ransomware?
  • Who might click on a malicious website link or open a malicious file that contains the ransomware?
The answer: City staff or some other end user on your network.

But how could they let that happen? How could they not see the danger or know better?

Well…have you trained them on how to spot these warning signs?

Today, training employees about cybersecurity is more important than ever. Cities are targets for hackers and criminals who use ransomware, malware, viruses, and other cyberattack tools to harm city operations, networks, and data. Hackers use techniques that trick employees into handing over access to your systems—and criminals know that people can be the weakest link in your security.

To ensure that your staff receives the best training possible, here are some essential topics to consider for making your cybersecurity training more effective.

Phishing
Phishing today takes many forms that can trick anyone. Hackers still successfully send out broad emails that spoof organizations (like banks or retailers) hoping to get you to enter your personal and financial information. More sophisticated phishing attacks known as “spear phishing” specifically target people at your city. A hacker might pretend to be the city manager asking for information from the city clerk, such as trying to get the city clerk to make a large financial transaction into the hacker’s bank account.

Employees can learn how to spot signs of a phishing attack:
  • Email scams: Emails may contain poor grammar, URLs that are clearly not from the presumed organization contacting you, and email addresses that look incorrect (or even bizarre). Employees can learn to spot such obvious signs of an email scam, such as this well-executed scam email fended off by the City of Paris, Kentucky.
  • Phone scams: Phone scams can be a little trickier, and this is where training needs to focus on following your city’s policies and procedures. Employees should learn never to give out usernames and passwords. A legitimate IT person or customer support representative does not need your account username and/or password to perform their task. Period. In addition, employees need to follow a process for setting up new vendors—especially when giving vendors access to systems or authorizing payments to them.
  • In-person scams: While rare, a criminal will occasionally play the role of a new vendor or employee to extract information from unsuspecting people at city hall. They may even follow someone through a door and later walk out with city assets (such as equipment or data).
Ransomware
Ransomware is a form of malware that encrypts data to hold it hostage until you pay the criminal a “ransom” to unencrypt it. Since 2017, it has become a common form of malware that leaves a trail of destruction at cities. Examples include AtlantaSpring Hill, Tennessee, and Cockrill Hill, Texas.

Because ransomware often originates from malware in email links and attachments, phishing training (above) can help prevent ransomware infections. In addition, IT staff and city decision makers need to learn about preventative measures such as patching and updating software, using enterprise-class antivirus software, and backing up data (both onsite and offsite).

Cities should never pay a ransom—and we’ve written in depth about this issue in a past blog post. Quite simply, it’s not guaranteed that you will get your data back from criminals. Furthermore, a very high percentage of organizations do not get their data back after the untraceable funds an organization pays are long gone. Training should reinforce that cities should instead rely on data backup and disaster recovery plans to restore data.

Top Reasons for Security Compromises
It’s good to review with employees why security compromises occur. The top three reasons include: This last point is especially important to discuss during training. Employees tend to ignore procedures and trust someone too quickly on the phone, in person, or through email. Just because someone says, “This is Dave from IT and I need your password to…” doesn’t mean that you should hand over a password.

Important Recommendations
Training should include recommendations that will impact employee behavior in a positive way. For example:
  • Require employees to use passphrases or complex passwords. Too many compromises occur because of poor passwords. Passphrases tend to be more secure because there are more letters—and they are easier for people to remember because they are meaningful (such as the passphrase “ILike2Hamburgers!”).
  • Encourage the use of Two Factor Authentication (2FA) to greatly decrease the risk of a hack. A second form of required authorization (such as a passcode sent to your mobile device) alongside your regular username and password can make you as hard to hack as finding a needle in a haystack. The hacker can even know your username and password but not be able to log in because they don’t have your phone.
  • Ensure that cities are regularly patching and updating software through a patch management strategy. Too many compromises occur from unpatched servers and computers such as the Equifax Data Breach, Petya Ransomware, and WannaCry Ransomware.
Also, train often! At a minimum, you should provide annual cybersecurity training for employees. But more frequently is better. People can easily forget the information shared during a training session. Plus, cyberattacks constantly evolve and adapt. Employees need to stay on top of new threats.

If you don’t involve everyone in training, it’s less likely that people will take it seriously. For example, if the mayor, elected officials, city manager, city clerk, and department heads all don’t care about cybersecurity training, then it’s less likely employees will care. Conversely, if only senior-level employees get training, then it’s less likely that this knowledge will trickle down to all employees.

A great way to supplement cybersecurity training is to simulate a cyberattack. For example, simulated phishing attacks will identify susceptible employees. You can then provide additional training and communication with them to make sure they are better able to spot phishing attacks.

Additional Reasons for Security Compromises
Employees should be aware of additional reasons that security compromises occur such as:
  • Outdated systems (servers, computers, and hardware no longer supported by the vendor).
  • Unsecured and misconfigured systems such as devices, servers, and workstations.
  • No clear, working data backup and disaster recovery plan.

Additional Points to Make During Training
Decision makers at cities especially need to understand how proactive IT investments help mitigate cybersecurity risks. Training should review how:
  • Upgrading and modernizing systems while engaging IT professionals to perform ongoing management and maintenance will help reduce issues that lead to successful cyberattacks.
  • Ongoing management and monitoring of systems (including all devices, servers, and workstations) helps spot cyberattacks or security vulnerabilities before they can impact your city.
  • A comprehensive data backup and disaster recovery plan (with regular testing) can help a city recover even after a worst-case scenario (such as ransomware).
As you can see, there are many ways to make cybersecurity training more effective and engaging. Most importantly, you need to conduct ongoing cybersecurity training. It’s one of the best ways to mitigate the risk of cyberattacks.

Back to Listing