A new law could save the state up to $9 million through greater awareness of malicious and costly cybersecurity attacks.
State Chief Information Officer Hardik Bhatt (left) and Chief Information Security Officer Kirk Lonbom (right) join Gov. Bruce Rauner for the signing of HB 2371, which requires cybersecurity training for state employees. (Twitter / @IllinoisDoIT)
Annual cybersecurity training is now mandatory in Illinois.
On Monday, Gov. Bruce Rauner made it official when he signed a bipartisan house bill that requires cybersecurity training for all state employees. The training is estimated to cost taxpayers $5 per employee, or about $250,000 per year, and save the state millions through data breach prevention.
Speaking at a press conference, Rauner said that cybersecurity is one of the most serious threats facing the state and that the legislation, HB 2371, was critical to preserve the state’s systems and safeguard residents’ personal data. Illinois is now the 15th state to require such cybersecurity training.
“This is a critical time. We have terrorists, we have criminals of various types, people with ill intent, using all sorts of creative approaches to gain access to our computer systems and to our personal files,” Rauner, a Republican, said. “I’m very proud to say, that on a bipartisan basis, members of the General Assembly came together to pass very important legislation, landmark legislation, basically requiring annual training for all state employees on cybersecurity and cyber threats.”
Rauner said the state’s Department of Innovation & Technology (DoIT) has already trained more than 47,000 state employees of the roughly 50,000 total. DoIT is now tasked to continue this training annually.
At the press conference, the department's secretary-designate, Illinois Chief Information Officer Hardik Bhatt, said the cybersecurity training bill made good on the State of Illinois' Cybersecurity Strategy, which contains a comprehensive game plan for agencies to protect themselves from breaches, malware and other threats. One of the key goals in this strategy, released in March, is to reduce digital risk through staff education.
“One of the weaker points in organizations across the globe is the human being,” Bhatt said. “We get emails, we get drawn into clicking some links that we should not be, and that can cause virus attacks on our personal computer and then it propagates in an enterprise environment into many other networks and computers. So it is very important that employees become our first line of defense.”
Kirk Lonbom, the state's chief information security officer, said 91 percent of attacks start with phishing emails. In response to that statistic, much of the training offered will be designed to help employees detect and report instances of phishing, while also understanding how to manage and protect sensitive data, he said.
The training program could save the state up to $9 million annually in system repairs and critical response operations, the CISO said.
“Nearly 50 percent of Americans do not receive cybersecurity training in the workplace. HB 2371 ensures that will not be the case here in Illinois,” Lonbom said. “Our employees will continue to learn how to protect themselves and the state, receive guidance on how to report phishing and other security incidents and help us respond quickly to reduce the impact of successful attacks.”