Did you know that Texas passed a new regulation for state employees to participate in a mandatory cyber security awareness training program?
In June of 2019, Texas State Legislature passed HB 3834, a bill requiring local and state government employees, and even state contractors, to complete a Department of Information Resources (DIR) approved cyber security awareness training program —like Curricula! (Hint: We’ve made security awareness training more flavorful than your favorite steak house!)
Depending on your organization’s role as a state agency, local government entity, or contractor, you may be immediately impacted by this annual compliance training requirement, known as HB 3834. If your organization falls into scope, HB 3834 requires that a security awareness training program has been rolled out and completed by all required employees before June 14, 2020. That’s a pretty big burden if you haven’t established a formal security awareness training program yet.
But don’t worry, we are going to show you what is required, why this regulation came to be, and how you can comply with HB 3834 without stressing out.
Why is the HB 3834 Regulation Necessary?
It’s no secret that governments are now prime targets for hackers more than ever. In August 2019, the computer systems of 23 Texas municipalities were hit with a ransomware cyber attack that locked access to all computer files in one instance. The ransomware even revoked the ability to process utility payments in another municipality. The Mayor of one unnamed Texas city came forward with claims the hacker demanded $2.5 million in ransom. It goes without saying that the Lone Star State is no exception and hackers are officially messing with Texas.
Now is the time to make a change. With over 90% of all cyber attacks caused by human error, it’s no secret that a strong security awareness program is the key to staying out of the news headlines.
It’s time to fight back, Texas. It’s time to train your employees on how to defend themselves and beat the hackers.
How do I Comply With the HB 3834 Cyber Security Awareness Training Requirements?
HB 3834 is in full force and all state agency, local government, and contractors needs to complete their compliance training before June 14, 2020. Let’s look at the steps you need to take to get you and your team compliant with the HB 3834 cyber security training requirements. And if you are looking for advice on building your security awareness training program for HB 3834, our expert security awareness team is happy to help.
Texas HB 3834 Scope
Step 1: Are you in Scope?
First step is to determine if your organization is in scope of HB 3834. If you are reading this, you probably already have a hunch that you may be. To confirm, the personnel in scope of HB 3834 cyber security awareness training compliance applies to state agency, local government, and even contractor employees throughout the state of Texas.
State Agencies – Employees who use a computer to complete at least 25 percent of the employee’s required duties, and elected or appointed officers of the agency.[/item]
Local Government Entities – Employees who have access to a local government computer system or database, and elected officials.
Contractors of State Agencies – Those contractors who have access to a state computer system or database must complete training during the term of the contract and during any renewal period.
Step 2: Choose a State Certified Vendor
Now that you confirmed your scope, you must choose a security awareness training vendor that is certified by the State of Texas, such as Curricula. Certified vendors must complete a rigorous training content assessment, certify with the State of Texas that their training program meets all cyber education requirements, and ensure that those requirements are upheld on a continuous basis year over year. Simply put, selecting a vendor that’s already done the heavy lifting is required to get started.
Step 3: Launch your Program
Okay so you picked your vendor, but now you need to launch the cyber security training program to your employees. It’s critical to communicate how important completing this required training is. If your employees don’t understand why they are required to participate in this training, they won’t have the motivation you need to have it completed. Motivation is a key component of getting your cyber security training program off the ground and supported by employees.
Step 4: Ensure Completion
Now that you have launched your training program, that doesn’t mean you are done. As part of HB 3834, you need to ensure your employees complete the required cyber security training. Remember it’s important to discuss how this cyber security training program will help your employees become more cyber-savy both at work and at home. Make it fun by promoting the training across your organization similar to a marketing campaign. This will help drive completion records, and you may even offer incentives for early completion.
Step 5: Keep it Going
Congrats, you’ve finished your first round of security awareness training! This is a big accomplishment, but the party doesn’t stop here. Remember that you need to keep this momentum going. The best way to do that is to reinforce your security culture to help make security top of mind. Once a year security awareness training is not going to stop the hackers. You need to continue this effort throughout the year, using different methods to communicate and reinforce security concepts in every employee’s mind.
What NOT to do with HB 3834
Although it’s easy to recognize HB 3834 as another compliance regulation to just check the box, it shouldn’t be.
The consequences of falling victim to a cyber attack are well known and your focus should be to ensure all employees understand the risks they face.
You don’t want to be tomorrow’s news headline and your employees are your first step as the most powerful defense for your organization. A strong cyber security training program is the key to protect beyond the regulations of HB 3834. Remember we are all working towards a common goal to beat the hackers, not the regulations.