The Tennessee Valley Authority’s (TVA) phishing prevention training is ineffective and lacks formalized procedures, according to a Feb. 21 report from the Office of the Inspector General (OIG).
“We reviewed the effectiveness of the phishing training provided to TVA users and determined it was ineffective. Additionally, we found TVA does not have formal procedures for conducting periodic phishing exercises, follow-up training for users who failed the periodic exercises, or consequences for users who fail to take required phishing training,” the report states. TVA’s repeat offender failure rate is higher than the industry average, despite attempts to retrain repeat offenders through an educational video. Auditors found that most users closed the educational video before it was completed.
Because of the sensitive nature of cybersecurity, the OIG did not include specific details about TVA’s shortcomings. They did, however, brief TVA authorities on the problems in November 2019.
The OIG made three recommendations to the TVA vice president and CIO:
- Update end user training to improve awareness;
- Consider consequences for employees who repeatedly fail to take phishing training; and
- Include requirements for periodic phishing exercises, follow-up training, and potential consequences for missing training in agency procedures.
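The report's findings turn on three measurements a security awareness program has to be able to produce: per-user results across periodic phishing exercises, the repeat-offender rate those results imply, and whether users who failed actually completed the follow-up training rather than closing it early. The script below is an added example of how a defender could compute all three from exercise and training records; it is not TVA's tooling or anything from the OIG report, the records are constructed, and the two-failure threshold and 90% completion cut-off are assumptions chosen for the example.

```python
"""Track phishing-exercise failures, repeat offenders and outstanding follow-up training.

Added illustration (not TVA or OIG code). All records are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (exercise id, user, outcome) for three simulated periodic phishing exercises.
# Constructed sample data, not real results.
EXERCISE_RESULTS: List[Tuple[str, str, str]] = [
    ("2019-Q1", "alice", "reported"),
    ("2019-Q1", "bob", "clicked"),
    ("2019-Q1", "carol", "clicked"),
    ("2019-Q1", "dave", "ignored"),
    ("2019-Q1", "erin", "submitted_credentials"),
    ("2019-Q2", "alice", "ignored"),
    ("2019-Q2", "bob", "clicked"),
    ("2019-Q2", "carol", "reported"),
    ("2019-Q2", "dave", "clicked"),
    ("2019-Q2", "erin", "clicked"),
    ("2019-Q3", "alice", "reported"),
    ("2019-Q3", "bob", "submitted_credentials"),
    ("2019-Q3", "carol", "ignored"),
    ("2019-Q3", "dave", "reported"),
    ("2019-Q3", "erin", "reported"),
]

# (user, seconds of the follow-up video watched, video length in seconds).
# Constructed sample data; a user with no record never opened the training.
TRAINING_LOG: List[Tuple[str, int, int]] = [
    ("bob", 45, 600),     # closed the video almost immediately
    ("carol", 590, 600),  # watched essentially all of it
    ("erin", 600, 600),
]

# Outcomes that count as failing an exercise. Reporting or ignoring the lure passes.
FAILURE_OUTCOMES = {"clicked", "submitted_credentials"}
REPEAT_THRESHOLD = 2        # assumed: two or more failures makes a repeat offender
COMPLETION_FRACTION = 0.9   # assumed: at least 90% of the video counts as completed


def failures_per_user(results: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count failed exercises for every tested user (zero for users who never failed)."""
    counts: Dict[str, int] = defaultdict(int)
    for _exercise, user, outcome in results:
        counts[user] += 1 if outcome in FAILURE_OUTCOMES else 0
    return dict(counts)


def repeat_offenders(results: List[Tuple[str, str, str]],
                     threshold: int = REPEAT_THRESHOLD) -> List[str]:
    """Users whose failure count reaches the threshold, sorted for stable reporting."""
    return sorted(u for u, n in failures_per_user(results).items() if n >= threshold)


def repeat_offender_rate(results: List[Tuple[str, str, str]],
                         threshold: int = REPEAT_THRESHOLD) -> float:
    """Share of all tested users who are repeat offenders (0.0 when nobody was tested)."""
    tested = failures_per_user(results)
    if not tested:
        return 0.0
    return len(repeat_offenders(results, threshold)) / len(tested)


def completed_training(log: List[Tuple[str, int, int]],
                       min_fraction: float = COMPLETION_FRACTION) -> Set[str]:
    """Users who watched at least min_fraction of the follow-up video."""
    done: Set[str] = set()
    for user, watched, length in log:
        if length > 0 and watched / length >= min_fraction:
            done.add(user)
    return done


def outstanding_followup(results: List[Tuple[str, str, str]],
                         log: List[Tuple[str, int, int]]) -> List[str]:
    """Users who failed at least one exercise and have not completed follow-up training.

    This is the list the report's recommendations hinge on: it drives both the
    follow-up training assignment and any consequences for not taking it.
    """
    failed = {u for u, n in failures_per_user(results).items() if n >= 1}
    return sorted(failed - completed_training(log))


if __name__ == "__main__":
    print("failures per user:", failures_per_user(EXERCISE_RESULTS))
    print("repeat offenders:", repeat_offenders(EXERCISE_RESULTS))
    print("repeat-offender rate: {:.0%}".format(repeat_offender_rate(EXERCISE_RESULTS)))
    print("follow-up training outstanding:", outstanding_followup(EXERCISE_RESULTS, TRAINING_LOG))
```

With the constructed records, bob and erin are repeat offenders (40% of the five tested users), and bob and dave still owe follow-up training: bob because he closed the video after 45 seconds, dave because he never opened it. Measuring completion by fraction of the video actually watched, rather than by whether it was launched, is what exposes the early-close behaviour the auditors described.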
TVA management agreed with all recommendations. TVA is a Federal agency providing electricity to businesses and citizens in seven southeastern states.