Our story last week about a Tennessee city leader who refused to do city mandated security awareness training touched a #cybersecurity nerve.
Wait until you read some of the comments we received from those in InfoSec.
In a minute you'll also hear more from the man at the center of the controversy because he responded to questions from SecureWorld.
First, in case you missed it, here is a brief recap of a security awareness fight which has now devolved into a case of shadow IT.
Security awareness: city shuts down user email account
What is the crux of this security awareness battle?
Germantown Alderman Dean Massey, a city leader, refused to do a 45-minute online security awareness session. The deadline passed, and the city's IT director cut him off from city email.
The Alderman then opened his own Gmail account in response, and is now conducting official city business through that account.
Massey told a local publication at the time:
"I don't think it's appropriate for a city employee to tell aldermen what they have to do to access their email."
City administrator Patrick Lawton responded to Massey's refusal to take the cybersecurity training as "naive, reckless and irresponsible."
Cybersecurity professionals react to security awareness controversy
Based on the number of comments we received after publishing the story, this clearly evoked a response from InfoSec.
Bob W. wrote:
"This arrogant, self-important buffoon painted a target on his own back. He'll be hacked to pieces."
Dave M. posted:
"The IT Director is ultimately responsible for the overall security of the infrastructure. Cut them off for non-compliance!"
Jeffrey S. raised an interesting question:
"Would the alderman not accept being stopped by a city patrolman because that city employee had no business telling him how to drive? He is a pretentious fool and he had no business refusing the training. Least of all if he is a city official, given how heavily their accounts are targeted. Make an example of him, says I."
Cameron K. also wondered aloud if the city leader is uninformed on the current cyber threat landscape:
"I think the Security Director is right on the money. Obviously the Alderman doesn't read the news, or just doesn't care about security. I find it interesting that someone in his position is taking this approach to security when over the past 6-8 months we have seen a number of cities hit with major Ransomware attacks that literally brought the cities to their knees."
[RELATED: Texas Learned these 5 Lessons from Ransomware Attacks on Small Governments]
And lastly, Scott H. raised a really good point that needed to be addressed:
"The story only gives the statement from the IT Director attacking the alderman. What's missing is what, if any, outreach was done by the IT department to the Alderman. Should that be necessary? NO, but we're essentially talking about an executive level position here. They get a little extra hand-holding. If the IT Director's sole communication was effectively, 'Take the training, or else!', he missed the mark. If there were multiple outreach attempts and the Alderman still chose to be ignorant, then yeah, cut off his access."
As a side note, we have heard at least a few security awareness leaders at SecureWorld cybersecurity conferences say their senior executives are either exempt or coddled in some way when it comes to security awareness training requirements.
Should the alderman be considered an executive in this case? If so, does that change anything in your mind?
And what was the IT director's approach here?
Alderman responds to security awareness training questions
SecureWorld reached out to Germantown Alderman Dean Massey and asked him questions about what happened. Was there something else the IT director could have done to get him to say "yes" to security awareness training?
Here is most of his response:
You should first know that when I was first elected alderman I was warned not to use my personal devices to click on links or downloads from the mayor's administration, particularly the IT Department, as previous elected officials believed political operatives hacked and monitored communications of the previous elected officials.
Prior to receiving the link for the training, the mayor had eliminated the office and computer that was previously available to aldermen, and he also added new card readers that prevented aldermen from entering areas of City Hall.
To my knowledge, aldermen have never been required to complete the cyber training mandated for city employees....
I simply received a random email advising me to click a link and take training from a sender identified as "KnowBe4." I ignored the emails. Eventually, I received a warning from the IT Director advising me that he intended to place unspecified restrictions on my email account, which I never fathomed would prevent me from corresponding with the public through my official email account.
Prior to the restrictions going into effect, I asked the IT Director to discuss the matter with the city attorney and BMA [the leadership board], which he declined. Once the restrictions were in place, rather than being coerced into clicking on a random link from someone I don't trust, I simply created a new email address through "Gmail."
Frankly, if the cyber training is critical, it should be mandated by the State of Tennessee, rather than suddenly demanded by a city employee. It is still unclear why the city employee determined the training should be mandated for elected officials or where he allegedly found the authority to set such mandates for elected officials.
I contend the restrictions on my official email account were an overreach by the executive/administrative branch of government, and ultimately their lack of communication with and failure to get approval from the legislative branch should have resulted in more aldermen questioning whether or not they should blindly click on a link.
Initially, another alderman, and former U.S. Marshal, named Scott Sanders also declined to click the link, but he capitulated after the administration restricted his emails as well. Again, rather than capitulate to the demands of a city employee, whom I do not trust, I simply created a new email address through "Gmail."
So this helps answer a few questions here:
- The alderman believes elected city leaders are at an executive level and unless the state mandates security awareness training, officials in these roles should not be "coerced" to go through security awareness training
- It sounds like he also sees giving into the demands of a city employee as a slippery slope that could force elected leaders to act in certain ways.
- Trusted and known names in cybersecurity awareness circles are likely unknown to those outside of IT in your organization, so be sure to communicate who the training is coming from so they recognize it as legitimate. That may or may not have happened in this case; it remains unclear.
- The city IT director did communicate a deadline to complete security awareness training.
In fact, Alderman Massey shared an email with us where he objected to the required training. Check out the subject line of the email he was responding to:
"IMPORTANT: Cybersecurity Training Deadline Approaching," it read.
Despite this type of email, which is common in security training programs, Massey maintains there was a failure to communicate on the part of the city.
What is next in cybersecurity awareness controversy?
So what happens from here, as Alderman Massey continues using that new Gmail account for city business?
Massey concludes his letter to SecureWorld like this:
The administration is now taking the opportunity to spin their failure to communicate into a contrived controversy that they are attempting to use as part of an obvious smear campaign, which one alderman is using as the excuse to censure me and others within the mayor's circle are using as the excuse to start a recall campaign or pass a rule to prevent me from voting on issues during BMA meetings.
In closing, as a criminal justice major, insurance professional who sells cyber liability products, certified fraud examiner, etc., I am not unfamiliar with risks associated with cyber threats, and that is one of the reasons I would not risk exposing my own computers by clicking on a link without discussing the matter with the other Board members and IT professionals.
While claiming to require aldermen to click the link to protect the city's computers, I felt the IT Director was in fact asking me to put my own computers at risk, which seemed unwise and unreasonable.
Clearly, there is a lot going on in the Germantown, Tennessee, government right now.
Here are some questions we'd like your help with:
What do you think of this case? Is the alderman right, or is the city's IT director correct?
And if you have a security awareness training program at your organization, can people simply refuse to complete it, on principle?
Lastly, should there be consequences for those who refuse security awareness training?
Please comment below.
