Six hundred Calvert County employees are now armed with the tools to fight cyber threats in the workplace. The county required employees to participate in an online interactive briefing to protect their identity, help them identify red flags in phishing emails and make them generally more aware of cyber security measures.
“The most vulnerable link is the user themselves,” said Kathryn Poff, network administrator supervisor for Calvert County’s Department of Technology Services (TS). “This training is due diligence. … We do this training to inoculate our users.”
Employees participated in the training from their desktops using the “KnowBe4” software, which has integrated lessons on detecting and mitigating spam and malware (malicious software). The program also includes simulated phishing attacks and quizzes to test the employees’ knowledge.
Poff, a Certified Information Systems Security Professional (CISSP) and a Global Information Assurance Certification Information Security Professional (GISP), started the program in 2013 and is very eager to take advantage of the opportunity to educate employees on how to detect when they are being socially engineered.
Social engineering is the manipulation of people to give up confidential information. Often the attack appears to come in an email from a friend, but it is actually from someone who has gained access to a friend’s contact list. In some cases, the email has a clickable link that is infected with a virus or a downloadable file containing malicious software that can infect your computer or network. A phishing attack is an email scam in which the email sender attempts to get personal or financial information from the email recipient through a web link in the email.
“The training is pretty timely. It reflects real life scenarios and includes video [that] incorporates Kevin Mitnick,” explained Poff, referring to the well-known criminal hacker turned computer security consultant.
While the web-based training equips employees with knowledge to safeguard their day-to-day work, it also applies to their personal lives.
“We recommend people take it at home so they can share with their families. The training is for everybody, not totally focused on workplace,” said Joe Klausner, Technology Services Director.
In addition to the annual training session, TS periodically sends out phishing emails to employees to test their security awareness and to evaluate the effectiveness of the training. Emails are sent out prior to and after the training. Klausner said the click rate went way down for emails with malicious links and files that were sent out after the employees completed the training.
Calvert County has cast its training net wide to make sure as many people as possible are aware of cyber threats. State’s Attorney Laura Martin understands the importance of getting the word out on cyber safety, as her department speaks on the topic whenever asked.
Martin has teamed up with the County’s Department on Aging to alert seniors to internet scams. Her deputy, Katherine Marsh, collaborates with the Maryland State Police Department on presentations on internet safety and cybersecurity. Geared towards parents with young children, the outreach includes tips on what to look out for on the internet, including social media. There is a similar outreach effort for high school students.
As for the efforts for county employees, Klausner says end-user training is the biggest bang for the buck and supplements what TS already has in place.
“We have a layered defense. If we don’t catch it through email filtering, then we will catch it on the local client on the desktop,” said Klausner, referring to how TS handles its most common threat, phishing emails.
Klausner will be speaking at the Maryland Association of Counties (MACo) conference in Ocean City to share Calvert’s cyber defense strategies. This year’s conference theme is Cyber Solutions: Counties in the Digital Age. Klausner’s presentation will be on cybersecurity on a shoestring budget. His motto is, if you don’t have a lot of money, you can still be effective.
He encourages other federal, state and local organizations to take advantage of free training services provided by the Department of Homeland Security.
County employees will be required to take the roughly 45-minute training annually. Poff said the training will change every year. New employees will be required to take it immediately. Those who don’t satisfy the training requirement will lose their network access.