Texas HB 3834: Security awareness training requirements for state employees

July 26, 2021 by Greg Belding

Cyberattacks have been on the increase all over the United States, and Texas is no exception. As the old saying goes, “don’t mess with Texas.” And with the passage of Texas HB 3834, cyberattackers will feel the sting of it. Texas HB 3834 mandates that state employees must participate in an approved cybersecurity awareness training program.

Texas HB 3834 will be a good step forward in cybersecurity for the state. 

What is Texas HB 3834 and why is it needed?

The first question probably crossing your mind is: what is Texas HB 3834? Enacted in 2020, this regulation requires that state employees complete mandatory training in a cybersecurity awareness program chosen from a list of approved cybersecurity awareness training programs. This list of approved programs is available on the Texas Department of Information Resources (DIR) website.

Texas HB 3834 did not just appear out of nowhere like a Texas tumbleweed. Rather, it is a well-founded and needed response to the dramatic rise of cyberattacks that have targeted state and municipal governments nationwide, with Texas feeling the brunt of it.

Below is a rundown of some relatively recent events in Texas:

  • Texas governor Greg Abbott warned that government agencies in Texas were experiencing 10,000 attempted cyberattacks originating in Iran, literally amounting to billions of probes per day
  • In 2019, one cyberattack targeted 23 Texas municipalities with ransomware, and the attack group demanded a $2.5 million ransom
  • Taking advantage of the COVID-19 crisis, attackers hit the Texas Department of Transportation with a ransomware attack in May of 2020

With the above instances being only the tip of the iceberg when it comes to cyberattacks impacting the state, it is safe to say that hackers have been messing with Texas despite the well-known saying.

Who does Texas HB 3834 cover?

Texas HB 3834 applies to state employees, but who falls within the scope of this bill? Below are the types of employees that are covered by HB 3834 training:

  • State agencies: employees who work for state agencies and complete at least 25% of their duties at a computer, as well as officers of the agency, both elected and appointed
  • Local government entities: local government employees who have access to a computer system or database of the local government entity, and the local government’s elected officials
  • Contractors of state agencies: contractors with access to state computer systems and databases must ensure completion of cybersecurity awareness training within the term of the contract as well as during the renewal period, if applicable

What you have to do to meet compliance with HB 3834

Meeting compliance with HB 3834 is not some onerous regulatory burden that is a bridge too far, but it may be a moderate challenge for those organizations that do not have experience in managing their own cybersecurity awareness training programs. With that said, compliance with Texas HB 3834 can be accomplished in four easy steps and a next step that we will discuss later. They are:

  1. Determine if you are in the scope of Texas HB 3834. As described above, there are three categories of state employees that are within scope.
  2. Select an approved vendor from the DIR list of approved cybersecurity awareness training programs.
  3. Implement an approved cybersecurity awareness program within your organization.
  4. Ensure that you have completed the cybersecurity awareness training program.

Remember that Texas HB 3834 does not just require that your state employer have an approved cybersecurity awareness training program in place. You must actually complete the training program for it to count.

Next steps

After you have made sure that you completed the cybersecurity awareness training program, the most important thing to remember going forward is that you need to complete an approved cybersecurity awareness training program every year. With the training program being a once-yearly thing, how do you keep your momentum going for the rest of the year?

This is where your powers of creativity need to come into play. The best way to ensure that cybersecurity awareness remains fresh in the minds of those who are required to take the program is to make your state employer's culture one that is security minded. You can do this by making it fun for your co-workers with contests, games and other methods that keep the information they learned in training fresh in their minds. That way, when it comes time for cybersecurity awareness training, they will be merely refreshing their memory and not relearning the material.

Complying with HB 3834

The rise in cyberattacks has impacted the Texas state government to the point that it enacted regulation HB 3834. It applies to state employees and makes it mandatory for them to complete cybersecurity awareness training annually. After your organization completes its training program, engage your organization during the rest of the year to keep the concepts fresh in everybody’s mind until the next year’s training.

 

Sources:

Cyberattack Disrupts Texas Department of Transportation, Government Technology

Gov. Greg Abbott warns Texas agencies seeing 10,000 attempted cyber attacks per minute from Iran, Texas Tribune

HB 3834 Compliance, CIMA Solutions Group

Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.