KnowBe4 Protects Tampa Bay Water. PHOTO: Cybercrime Magazine.

Dishing On Phishing: Security Awareness Training Is A Must Have For Utilities

KnowBe4 helps Tampa Bay Water avoid a cyber meltdown

Steven T. Kroll

Northport, N.Y. – Jun. 13, 2019

Chaos and catastrophe are two words that come to mind when thinking about the potential outcome of a cyberattack on a water authority. That was confirmed by Joseph Wityshyn, an information security specialist at Tampa Bay Water, when we met up with him at last month’s KB4-CON, the world’s largest security awareness user conference, organized by KnowBe4.

Tampa Bay Water supplies wholesale drinking water to governments serving more than 2.5 million people in Hillsborough County, Pasco County, Pinellas County, New Port Richey, St. Petersburg and Tampa, in the state of Florida.

Even though the principles are the same, staying on top of cybersecurity for government-related infrastructure carries its own set of consequences, different from those that businesses face. Losing access to electrical power, water, healthcare, or other key services can cause all sorts of chaos. For some reason, the images of all post-apocalyptic movies come to mind when I think about cyber breaches at utilities.

But thanks to Wityshyn, his co-workers, and KnowBe4, Tampa area residents can sleep a little easier, if not stay hydrated at the same time. This is no small feat. “I do everything on the endpoint end,” says Wityshyn. “I make sure all of our employees have specific training in regards to what they need to do to keep our data secure.”

What kinds of resources would a water authority need to defend besides H2O? It’s not so much the data, such as personal and financial information, that matters as the infrastructure that serves millions of people. That’s why Wityshyn is a big believer in security awareness training, especially for new employees.

“Receiving emails, clicking on executables, downloading software — we need to make sure all those avenues are secure,” says Wityshyn. “It’s good for us to talk about those issues and basically let them know the specific things we look at as a point to protect our organization.”

When asked about the importance of ongoing reinforcement, Wityshyn’s eyes popped up like a circus tent on a cloudy day. “Because they forget. We have to kind of gently nudge them on the shoulder and let them know these are important things that we need to protect our infrastructure.” He wants the people under his supervision to keep security in mind on a daily basis.

I can’t stress the importance of safeguarding infrastructure enough, so here are Wityshyn’s words. The consequences would be total catastrophe. “We have some critical systems online,” adds Wityshyn. “If those things are disrupted, you’re talking total geographical chaos.”

Greg Kras, chief product officer at KnowBe4, agrees with Wityshyn — the physical harm of cybercrime can be very damaging to public services and the people they serve. His experience isn’t hypothetical.

“Eight hospitals were shut down for more than three days because everything was locked down through ransomware,” says Kras. “They had no awareness training in place. The user just opened the phish and ran it. That was probably the worst scenario I’ve heard about.”

In this case, a little training could have prevented all of that. And the industry is catching on to this trend.

Kras was also at KB4-CON, alongside Roger Grimes, data-driven defense evangelist at KnowBe4, amidst a crowd of more than 700 people.

“Phishing is responsible for 70-90 percent of all malicious data breaches, far surpassing every other type of cyberattack,” says Grimes, a well-known computer security columnist for InfoWorld. “You have to figure out a multi-modality, defense-in-depth approach, using both technical controls and training to fight. Neither type of control will work alone; you need both types. If you don’t, you’re going to have employees phished and badness will get into your environment, and I don’t care if you are a water authority, hospital, police station, or city. The same attacks work against every type of entity.”

Is it any worse for a utility? “Of course, when it’s committed against a city utility the critical impacts can be further reaching than if it just touched one corporation, because an attack against a city utility impacts all customers in that city, not just one company,” adds Grimes.

Global spending on security awareness training for employees — one of the fastest growing categories in the cybersecurity industry — is predicted to reach $10 billion by 2027, up from around $1 billion in 2014. Much of this training is centered on combating phishing scams and ransomware attacks. KnowBe4 is clearly in the right place at the right time, and they’re delivering big time to their customers. Just ask Wityshyn and Tampa Bay Water.

Stay tuned for our next monthly edition of “Dishing On Phishing,” which draws on our contacts and interviews from KB4-CON 2019.

Steven T. Kroll is a public relations specialist and staff writer at Cybercrime Magazine.

Sponsored by KnowBe4

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We are a leader in the Gartner Magic Quadrant and the fastest-growing vendor in this space. We are proud of the fact that more than 50 percent of our team are women.