How Strategy and Employee Education Combat Cyber Threats in Florida

At the recent Florida Public Sector Cybersecurity Summit, Candace Wynn of Florida Digital Service discussed strategies for improving cybersecurity through employee education.

Candace Wynn moderating the “Users Need to Know” panel featuring Will Armstrong, Kristan Keyes and James Lapalme at the Florida Public Sector Cybersecurity Summit in Tallahassee on Sept. 10. Photo by Cristina Carter.
IT leaders from the private sector, as well as local and state governments, discussed the challenges their organizations face in educating employees about cybersecurity at the Florida Public Sector Cybersecurity Summit* in Tallahassee earlier this week. They stressed the importance of tailored, engaging and ongoing education to effectively address cyber threats.

The panel, moderated by Candace Wynn of the Florida Digital Service, included Will Armstrong, information security manager at the Agency for Health Care Administration (AHCA); Kristan Keyes, cybersecurity director for the Hillsborough County Board of County Commissioners; and James Lapalme, vice president of identity at Entrust. They discussed the tools they use to help each of their organizations.

Armstrong highlighted the significance of engaging and effective training methods.

“We all know that our training is never going to be 100 percent retained. I like to remind myself what I do remember from previous training and what I do not remember from training,” he said. “I know one of the industry buzzwords is 'gamification.' For me as a learner, I like to be entertained by what I have seen, and if I am entertained by it, I pay attention and I am engaged and I start retaining a little bit better.”

Keyes described the challenge of training employees across various departments with limited computer access.

“We have 40 different departments. For some employees in the field, such as those in parks and recreation, access to computers is limited, making it challenging to conduct monthly training,” she said. “I try to make myself as accessible as possible.”

To address this, she consolidates training into fewer, larger sessions and modifies the format for greater accessibility. She stressed the importance of clearly communicating the reality of phishing threats to ensure employees understand their seriousness.

“I tell them they only have one fake phishing email and the rest are real,” she said.

Lapalme reinforces cybersecurity training through simulated phishing and social engineering attacks, using more direct phishing emails that involve the company CEO, their pay rate or other high-profile subjects. Those who fail face consequences, while those who report the emails are not penalized.

“When we started, our click rate was around 50 percent,” he said. “Now, it has dropped to the low single digits.”

At AHCA, Armstrong said employees who fail these tests are immediately assigned additional training, with the added consequence of having their camera access disabled if they do not complete the training within the specified time frame.

“In our post-COVID world, executives are particularly concerned about being in the headlines. We engage with employees directly by distributing flyers and meeting with their supervisors if repeat clicking occurs. Rather than issuing immediate penalties, we adjust support to better address the issue,” Armstrong said.

Another important aspect is repeated and varied exposure, as everyone learns differently. For October, which is Cybersecurity Awareness Month, attention-grabbing posters, flyers and pens were discussed as a way both to engage with those entering the building every day and to build a conversation around the importance of the issue, its risks and what each person can do about it.

“We do handouts and physical training reminders in every office across the entire state and you cannot get into the building without seeing a cybersecurity reminder in a 2-foot-by-3-foot poster. We use posters with engaging content, such as a humorous illustration of a cow being abducted by a spaceship. Different employees respond to different stimuli, so incorporating humor can make the training more memorable and effective,” Armstrong explained.

Keyes also employs creative strategies to maintain interest and engagement in cybersecurity training. For instance, she produces four annual posters featuring humorous puns to keep the subject matter fresh and engaging.

When asked about common mistakes in cybersecurity training, most agreed that consistent branding is essential, including in email signature blocks from others in their organization.

“Any discrepancies can lead to confusion about the authenticity of our communications, which can undermine the effectiveness of the training,” Keyes noted.

Overall, the discussion emphasized that by using diverse and innovative training methods, organizations can enhance their defenses and ensure that employees are well-equipped to recognize and respond to cyber threats.

*Note: The Florida Public Sector Cybersecurity Summit is hosted by Government Technology, a sister publication of Industry Insider — Florida. Both are part of e.Republic.
Cristina Carter is a Tallahassee-based staff writer. She has a bachelor's degree in English literature and a master's degree in international affairs, both from Florida State University.