"If you have one user who's fundamentally unaware of what a spear-phishing email looks like, the entire enterprise is vulnerable," he added, referring to a ploy in which computer users receive legitimate-looking emails that offer plausible explanations for requesting personal data, along with a link. Hackers can gain access to sensitive data once the recipient clicks on the link.
Breaches frequently involve a degree of human error.
Personal data of 6.4 million South Carolina residents and businesses was stolen from the state's tax collection agency last year, apparently after a hacker sent emails containing malicious software to multiple Department of Revenue employees, including at least one who clicked on a link and unwittingly became compromised. Cybersecurity training was offered to employees after the massive breach. Kentucky officials in December notified roughly 1,100 Medicaid clients of a data breach that began after an employee of a subcontractor fell for a telephone computer scam that enabled a hacker to gain remote access to the worker's laptop.
Information technology offices in many states either require cybersecurity training or have erected websites with safety pointers, such as how to create strong passwords and how to protect and store personal information, and even links to quizzes on computer safety.
New York State employees with access to potentially sensitive information must receive cybersecurity training and refresher courses. Virginia requires agencies to train employees, and access can be terminated for employees who don't comply, said the commonwealth's chief information officer Samuel Nixon, who said there were nearly 118 million attack attempts last year on executive branch computer networks.
The D.C. government administers Medicaid and other benefits in a comparable fashion to a state government, making it an obvious target too.
"If our system is breached or interrupted, can you imagine the trouble or the chaos and inconvenience, and the fact that people may not be able to receive benefits?" Quander asked.
Mancini, in D.C., said he hasn't organized training yet because his more immediate goal has been to strengthen the network to withstand threats and survive the mistakes or carelessness of an individual employee. The system's strengths include multiple levels of protection of applications, routine testing for network vulnerability, 24-7 monitoring of the network for possible intrusions and specialized security equipment, he said.
He said his office has made more progress in meeting other goals that emerged from the summit, such as integrating cybersecurity analysis into citywide threat assessments and better sharing among agencies.
The agency does send out occasional security bulletins and spam alerts and may ultimately develop a "library-type website" like the ones seen in other states, he said.
"We have been very focused on making security as good as we can make it in order to service the enterprise effectively. The time for awareness and informing folks of the things that we might need them to know is something that would come as a natural extension of our improved preparedness," Mancini said in an email.
Follow Eric Tucker on Twitter at http://www.twitter.com/etuckerAP