With cyberattacks coming from every direction—nation-states, hacktivists, criminal gangs—organizations need to use every tool in their arsenal to protect themselves following the Russian invasion of Ukraine. That includes their people.
Organizations can have millions of dollars’ worth of tools in their toolbox, and it can still take only one person clicking on a link or running an unpatched device to bring them all down.
And so in Arizona we made a big shift.
The old adage still holds true: An ounce of prevention is worth a pound of cure. When I helped define cybersecurity strategy for the state of Arizona, one of the first policy changes the state made was to cyber-train every single state employee, every year, with basic foundational information and awareness.
With this kind of preparation, we increased the size of our security team to all 36,000 state employees. They were all part of the cyber team. They were all responsible for defending against cyberattacks.
Expanding the idea of security
In Arizona, security pervaded the entire state government culture. We no longer wanted the security team to be this secretive group working behind closed doors. We wanted state employees to understand that we were their partners.
Security pervaded the entire state government culture. We no longer wanted the security team to be this secretive group.
If they ever had a question, we wanted to be the first group that employees would think to contact. Even if they were not sure about reporting an incident, we would look at anything suspicious and make sure workers were not putting the entire network at risk.
Arizona isn’t the only state doing this. I’m seeing other states that are also beginning to engage in comprehensive cyber training of their entire workforce.
Organizations are only as strong as their weakest link. Whether someone is developing an application, processing payroll, or writing
a contract, they need to be thinking about why they could be the
target of an attack. They need to know how bad actors could try to use them.
Educating employees makes organizations safer
In Arizona, cyber training became as routine as taking anti-harassment training. And we monitored to see if people completed the training. And if they didn’t, they could be disconnected from the network. That’s how important it was.
[It] went all the way up to the director level. If people didn’t do the training, their access and privileges could be revoked.
And that went all the way up to the director level. Even if someone was very busy and important, cybersecurity was also very important. If people didn’t do the training, their access and privileges could
Rather than just an annual training event, we also looked at different ways of sharing the same messages. For example, we provided short video clips that could be played during a team event.
Ultimately, we learned that cyber training must be more than a point-in-time solution. It must be designed to keep security top of mind for everyone, all the time.