Any business with an email address or phone number is a target for phishing. There are a lot of small federal contracting businesses trusted to support government operations, including ours, and we know we’re a target too.
But like most small businesses, we don’t have full-time security experts on staff. Instead, we have to apply simple and effective methods to reduce the risk of unauthorized people getting access to our information and systems.
One of the most important things we do is require multi-factor authentication on our company systems. Here’s our teaching tool that you can use with your coworkers to help explain why they should do this too.
Even small companies are targets
A few months ago, several of our A1M staff received targeted and customized text messages from unfamiliar phone numbers, claiming to be our CEO:
You guessed it: this wasn’t Kristine. I have her real phone number in my contacts, I knew it wasn’t the kind of text she would send, and her calendar said she was out of the office that day. I shared my text message screenshot in our team chat to make sure my coworkers knew to be careful. Coworkers who received similar messages also shared their screenshots.
Security training doesn’t have to be dull
We had discussed phishing as a company, but those text messages reminded me that it was time to dig into it.
I hadn’t seen a research-based and not-totally-boring training on this topic, so I made one. I focused on mitigating risk by using multi-factor authentication, because that’s what works best. I included examples of strategies that attackers use to trick people, to help coworkers better understand messages they may receive — but anyone can be tricked in a moment of distraction or stress, so it’s important to use multi-factor authentication to protect yourself even if you make a mistake.
I also tried to make it a little bit fun and interesting, with a colorful template and real examples, because enjoyment helps people learn.
The training went great! We identified concrete next steps to improve our company’s use of multi-factor authentication in company systems, especially making it required wherever possible, which we’ve implemented. As a team with many government UX designers, we also had a good discussion about the challenges of designing secure and usable authentication systems for government services.
You can give this training
We want to support good security in our industry. We invite you to reuse and adapt our training deck for your company or team. It’s designed to be one hour, including discussion, for an audience of 15–20 people who do tech-related work and have a wide range of levels of expertise about information security. Feel free to customize it for your audience and add details specific to the systems you use.
If you use it, we’d love for you to let us know what you did and how it went!
What else needs to happen?
I want my coworkers and myself to be able to use strong methods of multi-factor authentication for all of our government work accounts as well. The most phishing-resistant multi-factor authentication methods — including security keys, PIV cards, and WebAuthn — are not supported yet in some of the government account systems we use for work.
I’m excited about OMB’s Federal Zero Trust Strategy and its support for phishing-resistant authentication for government employees and contractors. OMB published this memo in January 2022, and I’m hoping these multi-factor methods will become available to us soon. I’m looking forward to helping my coworkers set them up so that we have even fewer worries.