Thu | Jul 29, 2021 | 2:46 PM PDT

We are living in a world where mask and vaccine mandates have become more than health issues—they are also political landmines.

It's hard to believe, but security awareness training is now being viewed through a political lens, as well.

There is an unusual case unfolding right now in Alabama. The controversy revolves around race, politics, and executive privilege as a city's mayor, CTO, and councilman go back and forth on cybersecurity training.

Mobile councilman refuses cybersecurity training

Fred Richardson, a councilman in the city of Mobile, Alabama, says he has been shut out of his city email for refusing cybersecurity training.

Richardson, who is challenging current Mayor Sandy Stimpson for the position, believes the move is politically motivated by his opponent. The timing of this move is less than ideal for Richardson, as the mayoral election will be held August 24th.

In a city council meeting, Richardson compared this situation to Jim Crow era laws:

"I'm not bowing down to no tyrant. I'm not bowing down. I'm not giving up my authority. I was told what bathrooms to use, what water fountain to use. I was told what school I couldn't go to. I was told what neighborhood I couldn't live in. You ain't telling me what to do.

I believe this is political and has to do with the election. You are cutting me down during the final leg of the campaign.

I'm not opposed to cyber training, I want you to know that. I'm opposed to the administration saying I can make you take cyber training."

Richardson is attempting to make the argument that council members do not have to follow directives from the mayor's administrative staff, but in reality, that is simply not the case.

The mandatory training for all Mobile city employees was initiated on March 15, 2021, with a six-week window to complete the training. The plan called for a reminder after four weeks, a warning after five weeks, and a suspension of all email accounts after eight weeks.

Of all Mobile city employees, only 1%, or 18 people, failed to complete the training. All other council members completed the requirement. 

Mobile CTO responds 

Mobile's CTO, Scott Kearney, extended the deadline from eight weeks to 19 weeks to allow for all employees to complete the new training program, yet Richardson still failed to do so.

Kearney says the training program consists of five 10-minute videos with some review questions after each. This week, he spoke out about the security training standoff. From his point of view, taking the training is about two things: the city's insurance policy and the city's constituents.

"While we are bound by the stipulations in our cyber insurance agreement, we also have a responsibility to protect the private information and data of citizens and companies that interact with the city. That is why we will follow best practices and guidelines set forth by cybersecurity experts."

Mayor Stimpson considered the training a basic step in educating employees on common cyber threats. He said:

"In today's world, cybersecurity is an important human rights issue. One would think Councilman Richardson could take a couple of minutes out of his day to ensure that as he communicates with constituents through email, he isn't being reckless with their personal information."


Surprising backdrop for refusing security awareness training

Everyone from Wall Street to Main Street USA is talking about cybersecurity right now, as ransomware and other cyberattacks have disrupted everything from top-level government organizations to local businesses.

In May, the Colonial Pipeline ransomware incident impacted gas supply and prices in Alabama.

And if that is not enough, consider the local talk of a prominent cyberattack on May 24, 2021, in which malware knocked Mobile County's systems offline for three days. Employees were later notified that Social Security numbers, dates of birth, and other personal information could have been compromised during the attack.

Aside from these incidents, security best practices outlined by U.S. CISA include conducting security awareness training for end-users. 

So where does this leave the councilman?

Instead of making the decision to complete the security awareness training, Councilman Richardson plans to introduce a resolution that would allow all council members to have "unhindered" access to their email accounts.

UPDATE - 8/4/21:
Councilman Richardson completed the cybersecurity training a day before a recent council meeting and had his email access restored. His proposed resolution to allow council members to have "unhindered" access to emails was voted down by all in attendance, except for one who abstained.
