Want to Prevent Cyberattacks? Don't Count on Employee Training to Stop Them.

Tips from a cybersecurity expert.

Oren Falkowitz (FlickrCC/Fortune Brainstorm Tech 2017)
Last month, ransomware attacks disabled critical government systems in Atlanta and Baltimore. City employees in Atlanta had no access to their own data, and citizens lost their ability to pay water bills or traffic tickets online, use airport WiFi and report problems to the 311 system. In Baltimore, the 911 call center was hacked.

“What happened in Atlanta [and Baltimore] has happened in many organizations. It’s not unique. Even the specific type of ransomware is well-known,” says Oren Falkowitz, a cybersecurity expert who is a former senior analyst for the National Security Agency and the United States Cyber Command.

Ransomware encrypts a victim's files and then sends a digital ransom note demanding money to decrypt them.

As a co-founder of Area 1 Security, Falkowitz works with public- and private-sector clients to boost their cybersecurity. The way Falkowitz sees it, a lot of cities, counties and states are spending money to prevent cybersecurity attacks in misguided ways.

“Governments are spending an exorbitant amount of resources that have no impact on future cyberdamages,” he says.

They rely too heavily, he says, on cybersecurity training programs for employees. Almost all states have one, but he says training doesn’t “provide tangible results in making organizations safer.”

“It only takes one person to click,” he says. “Training isn’t a practical solution. It’s a hope strategy.”

If governments really want to prevent cyberattacks, Falkowitz says they have to stop thinking of themselves as victims and start taking a more preemptive approach. That includes scoping out the vulnerabilities of their systems, analyzing likely threats, building in protective software solutions and carefully -- and publicly -- charting the results of their efforts. 

"Accountability is the most important thing," says Falkowitz, and the lack of it is "the scarlet letter of the industry."

According to the most recent survey from the National Association of State Chief Information Officers (NASCIO), only 57 percent of CIOs measure the effectiveness of their cybersecurity programs. What’s more, many of these efforts are only at the beginning stages. Only 12 percent of respondents said their cybersecurity metrics program is fully operational. 

Many state and local governments “don’t have baseline data and can’t measure their results. But you can’t measure improvement unless you know where you are today,” says Falkowitz.

Falkowitz also believes governments need to build and improve their cybersecurity leadership. This doesn’t just mean hiring a chief security officer but hiring one who can speak in nontechnical terms, as well as devolving cyber-responsibilities down so that managers throughout government understand their own systems and vulnerabilities. 

Cybersecurity isn't just the IT department's problem. Falkowitz says it's as much a political and social issue as protecting citizens from crime or homelessness.

Still, he says, “I have yet to see a candidate campaign on cybersecurity issues.”

This appears in the Management & Workforce newsletter.

Caroline Cournoyer is GOVERNING's senior web editor.