Businesses should pay attention to the joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) in the USA that highlights a growing pattern of newly announced malware infections affecting municipal water and wastewater systems (WWS) across the country. Because the vulnerabilities behind these infections have accumulated over years, there is a risk that many more “critical infrastructure” systems that entire populations rely on will be affected.

Many of the same vulnerabilities that have exposed water utilities to attacks are also commonly found in the average business, so every organization needs to put a higher priority on addressing human weaknesses with more meaningful guidance and practice simulations.

The implications are foreboding as we “boil the frog”

The unwritten implication is that, sooner or later, a critical infrastructure system failure in any of the thousands of municipal systems caused by malware or ransomware could lead to personal injury or death. The alarming aspect of this advisory is that it details ordinary, well-known system and human vulnerabilities, many of which have not been prioritized for remediation despite the large-scale risk they pose to the population.

Aside from the need for more pressure on authorities to at least monitor and control these systems reliably, there are some important lessons for all of us in how we combat ransomware and other malware infections. Like the “boiling frog” problem, a number of small vulnerabilities can remain unresolved until, together, they form a path an attacker can use successfully.

Every business has similar “kill chains” that employees can learn to break

These “vulnerability chains” (sometimes called “kill chains”) represent opportunities to stop an attack: if any single link is removed, the attack can’t continue to its ultimate goal.

Employees often play an important part in avoiding or detecting an attack, and can help break the chain. The CISA advisory points out these items that all employees should be made aware of, as possible signs of an attack:

  • Unexpected inability to access a system, which could be caused by an account takeover
  • Unfamiliar system alerts or errors
  • Evidence of files or records being changed at unusual times when employees are not usually active
  • Unexpected system restarts
  • Files or records that don’t get updated when they should have
  • Accounts of former employees still being active
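Several of the clues above can also be watched for automatically by whoever reviews system logs, not only by employees noticing them. The following is an added example, not code from the original post or from the CISA advisory: it runs a few simple rules over a handful of constructed audit-log lines and reports off-hours file changes, unscheduled restarts, activity from accounts of former employees, and lockouts that follow a burst of failed logins. The log format, the field names, the business-hours window, the host names, and the list of terminated accounts are all assumptions made for this illustration.

```python
"""Triage of constructed audit-log events against the warning signs listed above.

Added example, not part of the original post or the CISA advisory. The log
format, field names, business-hours window, host names and the list of
terminated accounts are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample events: ISO timestamp, account, event type, detail.
SAMPLE_LOG = """\
2024-03-04T09:12:00 jsmith FILE_MODIFIED /scada/setpoints.cfg
2024-03-04T02:47:00 jsmith FILE_MODIFIED /scada/setpoints.cfg
2024-03-04T03:05:00 operator7 SYSTEM_RESTART hmi-01
2024-03-04T10:30:00 tlee LOGIN hmi-02
2024-03-04T10:31:00 jsmith LOGIN_FAILED hmi-02
2024-03-04T10:31:20 jsmith LOGIN_FAILED hmi-02
2024-03-04T10:31:40 jsmith LOGIN_FAILED hmi-02
2024-03-04T10:32:00 jsmith ACCOUNT_LOCKED hmi-02
"""

# Assumed policy inputs (constructed for the example).
TERMINATED_ACCOUNTS = {"tlee"}                # account of a former employee
BUSINESS_HOURS = (time(7, 0), time(19, 0))     # hours when staff are normally active
SCHEDULED_RESTART_HOSTS = set()               # no maintenance window today


@dataclass
class Finding:
    rule: str
    timestamp: str
    account: str
    detail: str


def parse_event(line):
    """Split one log line into (timestamp, account, event kind, detail)."""
    ts, account, kind, detail = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), account, kind, detail


def outside_business_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def triage(log_text, terminated=TERMINATED_ACCOUNTS):
    """Return a list of Findings, one per matched warning sign."""
    findings = []
    failed_logins = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, detail = parse_event(line)
        stamp = ts.isoformat()
        # Clue: accounts of former employees still being active.
        if account in terminated:
            findings.append(Finding("terminated-account-active", stamp, account, f"{kind} {detail}"))
        # Clue: files changed at times when employees are not usually active.
        if kind == "FILE_MODIFIED" and outside_business_hours(ts):
            findings.append(Finding("off-hours-file-change", stamp, account, detail))
        # Clue: unexpected (unscheduled) system restarts.
        if kind == "SYSTEM_RESTART" and detail not in SCHEDULED_RESTART_HOSTS:
            findings.append(Finding("unscheduled-restart", stamp, account, detail))
        # Clue: inability to access a system; a lockout after repeated failures
        # is worth a closer look as a possible account takeover attempt.
        if kind == "LOGIN_FAILED":
            failed_logins[account] = failed_logins.get(account, 0) + 1
        if kind == "ACCOUNT_LOCKED":
            count = failed_logins.get(account, 0)
            findings.append(Finding("lockout-after-failures", stamp, account,
                                    f"{count} failed logins then lock on {detail}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp} {f.rule:28} {f.account:10} {f.detail}")
```

Each rule is deliberately simple and produces a lead for a person to check, not a verdict; the point is that the clues employees are asked to notice map directly onto conditions a log reviewer can test for, so the two approaches reinforce each other.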

Gamified learning and simulations for employee awareness are an elegant solution to this problem

The CISA advisory also recommends awareness training and simulations that give employees examples of situations that could represent a cyberattack. Traditional phishing simulations can only test employees so often before they become predictable and counterproductive, causing employee backlash and wasting everyone’s time.

Click Armor’s gamified phishing simulations provide a more positive experience for employees, with many scenarios they can learn about and practice in a realistic setting, testing their ability to spot suspicious email senders, links, attachments and body content. This method has shown a measurable 50% improvement in the average employee’s ability to spot phishing messages.

The gamified simulations used in our social engineering course, Fakes and Frauds, cover many more scenarios than phishing simulations alone can test.

Click Armor helps businesses improve employees’ ability to spot phishing messages by 50%. To find out how gamified learning and simulations can provide immediate results for your team, use the button below to book a call.