Would you ban an executive from using your corporate email if he or she refused to go through security awareness training?
That is essentially what's happening right now in a suburb of Memphis, Tennessee.
Germantown Alderman Dean Massey, one of the city leaders, refused to do a 45-minute online security awareness training. So, the city's IT director cut him off from city email.
Massey told a local publication, the Commercial Appeal, why he refused:
"I don't think it's appropriate for a city employee to tell aldermen what they have to do to access their email."
Is there more to his decision? Could the IT director have approached things differently to get the alderman's buy-in? SecureWorld has reached out to the alderman for additional insights.
Bypassing organizational IT restrictions
Now, without access to city email, Alderman Massey has a workaround for the city's IT restrictions.
He has created a new personal email account which he can access at all times. He says he will use that account to conduct city business.
We're not exactly sure whether we'd classify this as shadow IT or external IT. Either way, it is certainly being managed outside of city IT, and we are fairly certain this does not improve Germantown's security posture.
City manager calls alderman 'reckless'
The back story on this is that everyone with a Germantown email address was asked to complete a 45-minute online cybersecurity training session by a certain date and warned that email access would be curtailed if it was not done.
City administrator Patrick Lawton confirmed Massey's email account had been restricted after he failed to complete a mandatory cybersecurity training for all Germantown officials and city employees.
Lawton categorized Massey's refusal to take the cyber training as "naive, reckless and irresponsible."
Consequences for employees who refuse security awareness training?
I just sat in a SecureWorld web conference which unpacked the 2019 Beyond the Phish report.
The report reveals that many working adults do not understand various types of cyber threats, like ransomware or phishing, and that consistent security awareness training improves this.
And we know governments are facing a significant number of cyberattacks right now. We've recently written about Florida, the Ransomware State and shared 5 Best Practices Learned from the ransomware attacks on Texas governments.
However, there is still a lingering question: Is it okay for a city leader or your company's leadership to refuse security awareness training? What about a non-executive employee? And do consequences make sense for any employee who refuses the training?
We'd love to have your opinion on this one.
[UPDATE: Alderman Massey responds with his side of the story]