CMS enlists 'data guardians' to create security awareness

Rather than rely solely on security staff, the Centers for Medicare & Medicaid Services has recruited "data guardians" to keep its employees on their toes, reports Nextgov.

The Office of Personnel Management hack that netted 21.5 million records had government agencies reeling. And CMS had noticed an uptick in phishing emails seeking employee credentials that peaked last June and July.

So it enlisted 27 volunteer data guardians--one for each CMS component--and holds bimonthly spearphishing exercises.

The data guardian role was introduced in an all-hands meeting of the 6,000-employee agency last summer. CMS defines the volunteers' role as to "serve on the front-lines of their respective center/office as the stewards of CMS privacy and security policy."

They help educate workers on security protocols and ensure that employees collect only the minimum possible amount of personal information on citizens. In addition, CMS has centered its policies on the idea that personal information should not be shared in email.

The volunteers meet every two weeks and are briefed on the latest threats. When the data guardians were put into place, about 15 percent of staff clicked on phishing emails during training exercises. That's down to about 1 percent, 27 phishing exercises later, according to the report.
