santiago silver - Fotolia

Tackling IT security awareness training with a county CISO

A Michigan county CISO says government workers are under siege by cybercriminals. In this case study, he shares how his IT security awareness training strategy has evolved.

When Patricia Fitnich, then financial administrator for Michigan's Shiawassee County, opened an email directing her to settle an outstanding bill on behalf of the county's board of commissioners, she had no idea it would spell the end of her public sector career.

Believing the message came from the board's chairman, Fitnich complied with the request, wiring $50,000 to an overseas bank account, and with a quick click of her mouse, became a cautionary tale.

Richard Malewicz, CIO and CISO for neighboring Livingston County, Mich., remembers the 2018 incident all too well. It landed Fitnich in the headlines and ultimately led to her resignation. He added that several counties around the state have experienced serious cybersecurity breaches in recent years. 

"The bad guys are after us," Malewicz said, who also serves as an officer for the Army Reserve Cyber Operations Group. "They look at government employees as easy targets."

He cited Symantec's "2019 Internet Security Threat Report," which indicated public sector employees experience a significantly higher malicious email rate than typical workers -- one in 302 messages, compared with one in 412 across industries. And threat intelligence firm Recorded Future, based in Somerville, Mass., recently reported the number of ransomware attacks involving state or local governments jumped 39% between 2017 and 2018.

The bad guys are after us. They look at government employees as easy targets.
Richard Malewicz CIO and CISO, Livingston County, Mich.

"Just recently, a nearby county was completely decimated by ransomware," Malewicz said. "It even took out their backups. I'm knocking on wood, because we haven't had any major issues in Livingston County."

'This is a cyberwar'

The CISO added, however, that his team has had its share of brushes with cyberthreats. He recalled one instance in which the Livingston County financial officer (CFO) received an email that appeared to come from the county administrator asking her to transfer funds to a new account. Coincidentally, the county administrator herself had just stopped by the CFO's desk when the message arrived in her inbox.

"She looks at her and said, 'Did you just send me an email?'" Malewicz said. "And she said, 'No, I didn't.'"

In another instance, cybercriminals used social engineering tactics to successfully trick multiple Livingston County workers into sharing their email credentials. As part of a payroll diversion scam, the hackers then sent internal messages from the employees' addresses to human resources administrators, asking them to update their direct deposit information -- redirecting payroll funds into criminally controlled accounts.

"The hacker deletes the 'sent' and 'received' emails really quickly, so the actual user doesn't see them," Malewicz said. "Luckily, we have a policy in place where HR calls employees up to confirm they want to make those kinds of payroll changes."

A CISO juggles business and technical goals

The CISO added that these close calls underscore the critical importance of IT security awareness training for everyone -- from executives to entry-level hires -- saying it can help prevent major breaches like the ones that have brought cities and counties across the country to their knees. In fact, he said he views the employee as the new zero-day vulnerability -- with each organization only as safe as its least security-aware member.

"This is a cyberwar. Our government organizations are under a constant barrage of attacks," Malewicz said. "We've got to prepare our users, or we're letting them down. We're letting our citizens down."

How to choose IT security awareness training

When Malewicz stepped into the role of Livingston County CISO in 2013, he quickly moved to implement the county's first-ever IT security awareness training initiative. He said he initially selected a program from a big-name cybersecurity vendor, moving on to another well-known offering after about a year.

According to Malewicz, both options presented users with a deep dive into a single topic per month -- phishing or ransomware, for example. But Malewicz came to question the assumption that narrowly focused lessons lead to more effective learning and better long-term retention. He also worried that delivering critical security awareness information over the course of a year leaves users vulnerable for far too long.

"It's very problematic," he said. "I'm a military person, and when our new recruits come in, we send them to basic training for three months, and then we put them in their units. We don't put them in the units, and then teach them month by month. We don't send them to war unless they're fully trained."

Malewicz then began weeding through the plethora of IT security awareness training offerings to find the most affordable, efficient and effective option for Livingston County employees.

"I started looking at the science of microlearning and retention," he said, citing the Ebbinghaus Retention Curve, which shows that humans typically forget nearly 50% of new learning within an hour and 80% within 30 days. But when a user reviews what they've learned at regular intervals in subsequent weeks and months, retention rates tend to spike.

Malewicz also found himself questioning the value of the bells and whistles -- such as CGI animation and professional acting -- that many leading vendors build into their IT security awareness training content to entertain viewers. He wondered if instead of engaging users, these elements might actually distract them from what matters.

"I believe the more irrelevant information you add, the more you're going to forget," the CISO said. "I might remember the talking bear's name because it's entertaining and not much else."

Security awareness training that places a premium on entertainment value also tends to have longer runtimes, he added. Livingston County's last campaign took each employee about two hours to complete over the course of a year.

"Time is money," he said. "And in government, when we use that time, it takes away from serving the citizens."

In his search for a more concise and cost-effective option that still satisfied federal regulatory requirements for employees with access to taxpayer data, Malewicz ultimately landed on Wizer. The SaaS startup launched in early 2019, providing free, video-based IT security awareness training content, with an offering that caters specifically to government workers.

Each new employee now completes the 30-minute Wizer training as part of Livingston County's standard onboarding process, with Malewicz periodically reinforcing the training by sharing real-world lessons with staff.

"There's no shortage of stories in government about phishing, [SMS phishing] and [business email compromise] attacks," he said, adding that he recently circulated an article about the nearby county that experienced a cataclysmic ransomware incident. "I said, 'Here are some key takeaways on how to protect yourself, and here's the link to the Wizer training if you want to revisit it.'"

When he later checked his administrator dashboard on the Wizer platform, Malewicz reported seeing an influx of employees logging in to review the IT security awareness training content.

"That's how you take that 'forgetting curve' and you flip it to a 'retention curve,'" he said.

Dig Deeper on Risk management

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close