Take computer security awareness training with a county CISO
When Patricia Fitnich, then financial administrator for Shiawassee County in Michigan, opened an email asking her to pay an unpaid bill on behalf of the County Board of Commissioners, she had no idea it would end her career in the public sector.
Believing the message came from the chairman of the board, Fitnich complied with the request, wired $50,000 to an overseas bank account and, with the click of a mouse, became a cautionary tale.
Richard Malewicz, CIO and CISO of neighboring Livingston County, Michigan, remembers the 2018 incident vividly. It made headlines and ultimately led to Fitnich’s resignation. He added that several counties in the state have experienced severe cybersecurity breaches in recent years.
“The bad guys are after us,” said Malewicz, who is also an officer with the Army Reserve Cyber Operations Group. “They see government employees as easy targets.”
He cited Symantec’s “2019 Internet Security Threat Report,” which indicates that public sector employees experience a significantly higher rate of malicious emails than typical workers: one in 302 messages, compared to one in 412 across all sectors. And threat intelligence firm Recorded Future, based in Somerville, Mass., recently reported that the number of ransomware attacks involving state or local governments jumped 39% between 2017 and 2018.
“Just recently, a neighboring county was completely decimated by ransomware,” Malewicz said. “They even deleted their backups. Knock on wood, because we haven’t had any major issues in Livingston County.”
“It’s a cyberwar”
The CISO added, however, that his team had had their share of encounters with cyber threats. He recalled a case in which the chief financial officer of Livingston County received an email that appeared to be from the county administrator asking him to transfer funds to a new account. Coincidentally, the county administrator herself had just stopped by the CFO’s office when the message arrived in his inbox.
“He looks at it and says, ‘Did you just email me?’” Malewicz said. “And she said, ‘No, I didn’t.’”
In another instance, cybercriminals used social engineering tactics to trick several Livingston County employees into sharing their email IDs. As part of a payroll hijacking scam, hackers then sent internal messages from employee addresses to HR administrators, asking them to update their direct deposit information – redirecting payroll funds to accounts controlled by criminals.
“The hacker deletes ‘sent’ and ‘received’ emails very quickly, so the real user doesn’t see them,” Malewicz said. “Fortunately, we have a policy in place that HR calls employees to confirm they want to make these kinds of payroll changes.”
The CISO added that these close calls underscore the critical importance of IT security awareness training for everyone – from executives to entry-level recruits – saying it can help prevent major breaches like the ones that brought cities and counties across the country to their knees. In fact, he said he sees the employee as the new zero-day vulnerability, with every organization only as secure as its least security-aware member.
“This is cyber warfare. Our government organizations are under a constant barrage of attacks,” Malewicz said. “We have to prepare our users, otherwise we are failing them. We are failing our citizens.”
How to Choose Computer Security Awareness Training
When Malewicz stepped into the role of CISO of Livingston County in 2013, he quickly implemented the county’s first-ever IT security awareness training initiative. He said he initially selected a program from a major cybersecurity vendor, then moved on to another well-known offering after about a year.
According to Malewicz, both options offered users a deep dive into a single topic per month – phishing or ransomware, for example. But Malewicz has come to question the assumption that narrowly focused courses lead to more effective learning and better long-term retention. He also worried that releasing critical security awareness information over the course of a year would leave users vulnerable for too long.
“It’s very problematic,” he said. “I’m a military man, and when our new recruits come in, we send them to basic training for three months and then we put them in their units. We don’t put them in the units and then teach them month by month. We don’t send them to war unless they’re fully trained.”
Malewicz then began sifting through the plethora of computer security awareness training offerings to find the most affordable, efficient, and effective option for Livingston County employees.
“I started getting interested in the science of microlearning and retention,” he said, citing Ebbinghaus’s retention curve, which shows that humans typically forget almost 50% of new learning in one hour and 80% in 30 days. But when a user reviews what they’ve learned at regular intervals over the following weeks and months, retention rates tend to increase.
Malewicz has also found himself questioning the value of the bells and whistles – such as CGI animation and professional acting – that many top vendors incorporate into their security awareness training content to entertain viewers. He wondered if, instead of engaging users, these elements might actually distract them from what matters.
“I believe the more irrelevant information you add, the more you’re going to forget,” the CISO said. “I may remember the name of the talking bear because it’s entertaining and not much else.”
Security awareness training that places a high emphasis on entertainment also tends to have longer run times, he added. Livingston County’s latest campaign took about two hours from each employee over the course of a year.
“Time is money,” he said. “And in government, when we use that time, it prevents us from serving the citizens.”
In his search for a more concise and cost-effective option that still met federal regulatory requirements for employees with access to taxpayer data, Malewicz eventually landed on Wizer. The SaaS startup launched in early 2019, providing free computer security awareness video training content, with an offer that specifically targets government employees.
Every new employee now completes the 30-minute Wizer training as part of Livingston County’s standard onboarding process, with Malewicz periodically bolstering the training by sharing real-world lessons with staff.
“There is no shortage of stories in government about phishing, [SMS phishing] and [business email compromise] attacks,” he said, adding that he had recently circulated an article about the neighboring county which experienced a cataclysmic ransomware incident. want to see him again.'”
When he later checked his admin dashboard on the Wizer platform, Malewicz reported seeing an influx of employees logging in to review IT security awareness training content.
“That’s how you take that ‘forgetting curve’ and turn it into a ‘retention curve,'” he said.