How Missouri's State Government Is Fending Off Social Engineering Incidents



Cybersecurity awareness training for state employees is paying off.

Missouri's state government has recorded an uptick in social engineering incidents in recent months, not because the cyberattacks themselves are increasing, but because more end users are reporting the advanced threats.

Convincing phishing emails playing on state employees’ emotions or a timely event—and waiting for uneducated users to click to deliver their ransomware payloads—are encountered multiple times per day.

So in July, Missouri selected security awareness training provider Security Mentor to educate its more than 40,000 state employees on compliance and the wide variety of cyber threats governments face.

“Social engineers are responsible for the majority of our recent breaches; they go after the weakest link—what’s between the ears—and they get in that way,” Michael Roling, Missouri's chief information security officer, said in an interview. “From there, they persist getting into the network using their stolen credentials.”

Eight months after launch, Pacific Grove, California-based Security Mentor has trained more than 85 percent of the state’s employees.

The curriculum features 10- to 12-minute lessons on password security, phishing and physical security, for instance during travel, because stolen devices like smartphones or laptops can be the sources of breaches.

“Don’t stay with the status quo,” said Dan Lohrmann, Security Mentor chief security officer. “Awareness training needs to be fresh and interactive.”

Lohrmann’s team accomplishes that with “sticky content” in the form of games and puzzles that students find fun.

Missouri created its own in-house training in 2012, then went with a competing, video-based offering that failed to keep participants focused.

The new Security Mentor program keeps state employees engaged, Roling said, to the point where he now counts Missouri’s end users as part of its cyber defense.

“In my opinion, there’s not a better investment than raising awareness in our organizations,” he said. “You can thwart malware with traditional intrusion detection systems but can’t easily thwart highly trained, highly educated social engineers unless end users are aware of the threat landscape in front of them.”

After training, state employees can identify when they’re not dealing with a real person—reducing the risk of a possible breach and keeping citizens’ data secure.

As new social engineering techniques emerge, such as whaling, in which attackers hunt for useful personal data belonging to high-ranking government executives, Security Mentor adapts its curriculum.

“We’ve prevented large breaches from happening,” Lohrmann said.

Though it’s hard to estimate the savings of a stymied cyberattack, he estimates Security Mentor has saved certain private sector organizations $50,000 to $100,000 on a single breach.

Missouri tracks how employees feel about Security Mentor’s lessons and promotes a holistic approach in which they bring best practices home to their families. Executive support and management buy-in are also important.

“Everyone with access can be an asset or potential vulnerability,” Lohrmann said.

Dave Nyczepir is a News Editor at Government Executive’s Route Fifty.
