Answering a seemingly routine email, Utah workers typed in their credentials as requested, and then they had a paycheck stolen. Cybercriminals tricked the state workers into opening fake links. The scammers used the information to access the state payroll system and change employees’ direct deposit information, diverting their paychecks into phony bank accounts, Stateline reports. Only three workers fell victim to the scam, thanks in part to Utah’s mandatory cyber awareness training, said Chief Information Officer Michael Hussey. Such training is not standard practice in all states. Unlike lots of companies, many states don’t require training for every staffer, although nearly every state offers it, says the National Conference of State Legislatures.
Some states are wary of placing another demand on employees’ time, and state agencies may balk at having IT workers dictate requirements to them. In other places, mandatory cyber training just isn’t a top priority. “This is very frustrating for those who are on the front line of fighting the cybersecurity fight every day,” said Meredith Ward of the National Association of State Chief Information Officers (NASCIO). “It’s not flashy. It’s not sexy. But cybersecurity awareness training is necessary.” A 2018 survey by NASCIO and consulting firm Deloitte & Touche LLP found that only 45 percent of states require that all executive branch employees complete cyber training. That’s up from 37 percent in 2016. The officials named phishing and ransomware as two of the top cyber threats facing states. The Utah staffers fell victim to phishing: they unwittingly clicked on emailed links designed to get personal information, such as passwords.