IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Employee 'Phishing' Expeditions Among States' Tools for Cybersecurity Awareness

Cybersecurity awareness programs in Missouri and Washington center on education, anonymized real-life anecdotes and assessments that can include "phishing" their own employees.

Phishing and spear-phishing — two simplistic examples of cyberattacks well-known in the public sector — may remain popular indefinitely, but state cybersecurity personnel are battling the bad actors with strategies aimed at the same soft target: the human mind.

Neither form of email attack — the more generic phishing, which seeks personal financial information, or spearphishing, which is more targeted and frequently carries attached malware — is new.

But this spring, authors of the Symantec 2017 Internet Security Threat Report found email attacks increased 68 percent in 2016, while phishing attacks climbed nearly 41 percent.

Officials in Missouri and Washington state acknowledged the sustained threat that each of the attacks presents to the tens of thousands of state employees who may be vulnerable.

Washington Chief Information Security Officer Agnes Kirk pointed out that following the success of the May 12 WannaCry ransomware attack, dark Web entrepreneurs launched a subscription service offering would-be hackers access to a virus or hacking “tool of the month.”

“I think as long as you have that kind of business model on the dark Web I don’t see anything declining,” Kirk said.

At Government Technology's Missouri Digital Government Summit earlier this month, state CISO Michael Roling said so-called “fast thinking” continues to expose his state’s roughly 40,000 vulnerable government employees to phishing attacks.

“Phishing is really no different than any other classic swindle. They’re trying to misguide the user into doing something they wouldn’t normally do,” Roling said at the event. “It’s that knee-jerk reaction, it’s that gut instinct when we see something. A lot of times they use fear to evoke that thinking.”

But both CISOs said their agencies continue to warn staffers of the dangers of fast thinking with education, humor and assessments modeled after classic phishing expeditions to test staff members’ resolve.

In Missouri, Roling said the Cybersecurity Awareness Program features multiple activities and subprograms, but two key elements are monthly awareness lessons of 10 to 15 minutes each, and ongoing participation charts ranking agencies on which has the most educated employees.

Staffers earn points for completing lessons — and they earn more points for finishing them soon after their monthly release — and contribute to their agency’s overall ranking. The Information Technology Services Division is currently “barely edging out the second-place agency,” Roling joked, in a friendly rivalry that has seen the two agencies exchange rankings before.

Agencies with lower scores are sent “detailed information,” the CISO said, about which employees haven’t completed lessons.

But perhaps ITSD’s signature cybersecurity training activity is its end-user awareness assessments, which happen every four to six weeks — and during which security folk have “phished” employees with emails designed to be just as irresistible as the genuine article.

In place for about a year, this component of the program generated “strong reactions” among those who clicked, ranging from “feeling ashamed to being angry,” Roling said, emphasizing ITSD’s goal was only to boost awareness of what actual attacks look like.

One real-world strategy Missouri ITSD hasn’t employed yet is “phishing” via telephone call — occasionally a precursor to an online hacking campaign.

But about a year ago, in an assessment with genuine parallels to successful hacks, the agency left several pocket-size USB “sticks” outside its primary building in Jefferson City, labeled to suggest they might contain interesting or sensitive data.

“What’s amazing about it was when we did, every single USB storage device came right back to us. We were very impressed,” Roling said.

In Washington, Kirk said her agency spearheaded a similar assessment around USB drives left in random places, but around 95 percent of employees who were “phished” simply returned the devices to Information Technology.

Her agency emails daily tips on how to avoid being compromised or hacked, distributes informational cybersecurity awareness reports and holds face-to-face sessions featuring anonymized, real-life examples to remind staffers they need to practice safe Internet use at home and at work.

Anecdotes are what people remember, Kirk said, indicating that if employees are “safer at home, they’ll be safer at work. It isn’t all or nothing.”

For Cyberawareness Month in October, the CISO said the state “gamified” an awareness program in which employees who answered questions testing their security best practices were entered into a weekly prize pool. Feedback from staffers indicated they enjoyed comparing answers and the event may be repeated.

The state has mandatory end-user security awareness training, but arguably a more dramatic educational component is its use of “phishing” telephone calls, a strategy used to test employees at one of the state’s smaller but more public-facing agencies, Kirk said.

The calls, a targeted event, came at the suggestion of people within the agency who requested cybersecurity officials conduct the test following a security assessment.

“I think we don’t have the bandwidth to do a significant amount of it, but training a few key people that are first in line to get the calls can be really critical. These people can train others,” Kirk said. “That will be something we’ll look at again.”

Kirk, whose state pioneered SecureAccess Washington, a single sign-on public gateway to secured applications in 2004, said phishing trends up and down, with the state somewhat insulated by its ability to track and block questionable emails.

She and Roling agreed change and humans’ innate curiosity are among the only constants on the cybersecurity landscape, and emphasized that top-down buy-in and manageability are key to implementing a successful awareness program.

“I would say don’t try to boil the ocean. Start with a small campaign," Kirk said. "When you demonstrate value it makes it way easier to get others on-board."

During the first year of Missouri’s program, Roling said officials did get some pushback, “but because of that top-down buy-in, which is so critical for any awareness program, they all understood the value of the mission we were trying to carry out.”

That, he added, “was absolutely vital.”

Theo Douglas is assistant managing editor for, and before that was a staff writer for Government Technology. His reporting experience includes covering municipal, county and state governments, business and breaking news. He has a Bachelor's degree in Newspaper Journalism and a Master's in History, both from California State University, Long Beach.