Training Can Have a Powerful Impact on Election Security


Cybersecurity attackers work pretty much like we all do: they find the easiest way to get the job done. You can have the most sophisticated security measures and technology in place, configured correctly and compliant with all regulations and policies, but if your team is not security-savvy, attackers will readily find a path through the weakest link.

In too many cases, an election business can be compromised when an attacker tricks a volunteer or a staff member into sharing important information, such as their login credentials to a critical system. Once this happens, it’s game over. The threat actor now has a way to bypass every meticulously implemented defense.

What Is Social Engineering and How Can You Avoid Being a Victim?

Unfortunately, the methods of going through human gatekeepers to infiltrate parts of the election business are becoming even more sophisticated. Using social engineering, such as a well-orchestrated phone call or carefully crafted and convincing phishing emails, attackers lure unsuspecting workers into opening doors without even realizing it has happened.

The adage that we can only control what we can control holds true in this case, and while it can be disheartening and discouraging, it also offers some hope. We may not be able to control the actions of other people, but we can arm them through education, provide them with knowledge, and influence positive behaviors.

Make Election Security Education Part of Your Cybersecurity Strategy

Elevating the importance of election security education and training can go a long way in improving election security. When the entire election team understands their role as gatekeepers in keeping the election technology, environment and process protected against cyber criminals, they form a powerful line of defense.

Here are some of the key things you can focus on when shaping your team’s security understanding:

  • Knowing what motivates attackers
    Understanding what cyber criminals want to achieve can help election staffers and volunteers inherently know what needs to be protected.
  • Combining curiosity and skepticism while delivering friendly customer service
    Our staff members aim to be as helpful as possible. It’s what makes them good at their jobs, and sadly what attackers rely on. Teach your team to ask questions and use curiosity to make sure attackers have to work harder to trick us. Friendly pushback and asking “why” can sometimes be the best defense against social engineering attacks.
  • Being familiar with your Incident Response Plan
    Ensure that everyone knows how to identify an attack, how to report it and how the entire organization will respond, including communicating to the media and public.

This is only a partial list, but it is a start in the right direction. Security can’t be isolated to technology, and responsibility can’t remain with only a few people. It takes the whole team of human gatekeepers to stop the attackers we face. Security must be part of everyone’s job responsibilities because attackers can target anyone.

Sign up for CyberDefenses' upcoming training for Election Officials.

About the author

Brian Engle

Brian Engle is the CISO and Director of Advisory Services, a role in which he leads the delivery of strategic consulting services for CyberDefenses's growing client base with risk management support, information security program assessment and cybersecurity program maturity evolution. Prior to working at CyberDefenses, he was the founder and CEO of Riskceptional Strategies, a consulting firm focused on enabling the development of successful strategies for implementing, operating, and evolving risk-based cybersecurity programs. Brian’s previous information security roles include Executive Director of Retail Cyber Intelligence Sharing Center (R-CISC), CISO and Cybersecurity Coordinator for the State of Texas, CISO for Texas Health and Human Services Commission, CISO for Temple-Inland, Manager of Information Security Assurance for Guaranty Bank, and Senior Information Security Analyst for Silicon Laboratories. Brian has been a professional within Information Security and Information Technology for over 25 years, and serves as a past president and Lifetime Board of Directors member of the ISSA Capitol of Texas Chapter, is a member of ISACA, and holds CISSP and CISA certifications.