In a report that could serve as a warning to other agencies as well, the inspector general of the TVA has said the agency’s anti-phishing training is “ineffective” and that the agency is at risk that employees will take the bait dangled by hackers.
Some specifics of the issues identified were redacted from the issued report, which in general reviewed a type of annual training common in government that includes general information on the risks of phishing, how to identify it and what to do if a phishing email is received.
However, the TVA “does not have formal procedures for conducting periodic phishing exercises, follow-up training for users who failed the periodic exercises, or consequences for users who fail to take required phishing training,” it said.
On the latter point, it found that TVA’s percentage of employees who repeatedly fail is higher than the industry average, indicating a “risk of successful phishing attacks.” Most of the employees who were provided an educational video after failing “closed it before it completed,” and some users who completed the educational video failed follow-up exercises, as did some who took follow-up training.
In contrast, it said, those who fail the TVA’s required annual cybersecurity awareness training have their network IDs disabled.