One Employee Click, 60+ Agencies Down

April 18, 2026 Cyber Trends

The state of Nevada suffered a ransomware attack that disrupted more than 60 government agencies, including health services, public safety, and the DMV.

A forensic report has now confirmed the root cause: months earlier, a state employee downloaded a malware-laced tool from a spoofed website, which established a backdoor into state systems. That foothold remained active for weeks before detection and was later leveraged to deploy ransomware at scale. Nevada refused to pay, restored roughly 90% of impacted data within 28 days, and leaned on cyber insurance and pre-negotiated vendor agreements to contain damage—still incurring an estimated $1.3 million in recovery and response costs, plus material operational disruption and exposed files.

This is not a “sophisticated nation-state only” story. It is a predictable outcome of basic user compromise, delayed detection, and broad internal access. It shows how a single unvetted download can become an enterprise-wide outage when endpoint, identity, and user controls are misaligned.

Why it matters for security leaders

Human behavior remains the easiest initial access path. A spoofed site and a convincing download were sufficient to bypass tools and policies on paper.

Dwell time still kills. The malware sat in the environment long enough to stage a high-impact event. That is a monitoring and response gap, not just a user mistake.

Government and regulated environments are high-value, low-tolerance. Interruptions to services, even if “mostly restored,” reshape regulatory, political, and public trust exposure.

Insurance and vendors help only after the hit. Nevada’s pre-negotiated support and coverage were smart, but they monetized recovery, not resilience.

 

InfoSight insight: employee security training that actually breaks this kill chain

Standard “don’t click links” training is irrelevant here. The Nevada case maps directly to gaps InfoSight targets in its employee-centric security programs:

1.  Task-specific training, not generic modules

Training aligned to how people really work:

Downloading tools, software, and “utilities” for day-to-day tasks

Using search to find drivers, plugins, templates

Handling pop-ups, update prompts, and “performance optimizer” ads

Every role that installs or requests software needs muscle-memory rules: only trusted catalogs, change-control-backed installs, and mandatory verification steps for new tools.

 

2.  Embedded controls plus education

Training is paired with enforced guardrails:

Application allowlists and controlled software catalogs

DNS and URL filtering that blocks spoofed domains and known malicious distributors

Endpoint controls that prevent unapproved executables from running

Users are taught not just what to avoid, but why a blocked action is a protection signal, not an inconvenience.
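
The sketch below is an added example, not InfoSight's tooling and not taken from the Nevada forensic report. It shows how a controlled software catalog can gate a download by checking the source host (flagging lookalikes of approved hosts) and the file hash. The catalog contents, tool name, host names, and the 0.85 similarity threshold are all assumptions.

```python
import hashlib
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample data: stand-in bytes for an approved installer build.
APPROVED_BUILD = b"constructed bytes standing in for an approved installer"

# Hypothetical software catalog: tool name -> approved source host and hash.
CATALOG = {
    "diag-tool": {
        "host": "downloads.vendor.example",
        "sha256": hashlib.sha256(APPROVED_BUILD).hexdigest(),
    },
}

def lookalike_of(host, approved_hosts, threshold=0.85):
    """Return the approved host that `host` closely resembles, else None."""
    for good in approved_hosts:
        if host != good and SequenceMatcher(None, host, good).ratio() >= threshold:
            return good
    return None

def evaluate_download(tool, url, payload):
    """Return (verdict, reason) for a requested tool download."""
    entry = CATALOG.get(tool)
    if entry is None:
        return ("block", "tool is not in the approved catalog")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return ("block", "download is not served over HTTPS")
    if host != entry["host"]:
        imitated = lookalike_of(host, [e["host"] for e in CATALOG.values()])
        if imitated:
            # A near-match to a trusted host is worth an alert, not just a block.
            return ("block_and_alert", f"{host} resembles approved host {imitated}")
        return ("block", f"{host} is not the catalog source for {tool}")
    if hashlib.sha256(payload).hexdigest() != entry["sha256"]:
        return ("block_and_alert", "file hash does not match the approved build")
    return ("allow", "source host and hash match the catalog")
```

The reason string returned with each verdict is what a user-facing block page can display, which supports the point that a blocked action should read as a protection signal.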

 

3.  Simulation that mirrors real attacker lures

Programs include:

Spoofed vendor and “IT utilities” campaigns, not just basic phishing emails

Exercises that test responses to fake update sites, tool downloads, and browser warnings

Immediate, concise feedback loops that show how that one click becomes lateral movement and ransomware staging

This converts abstract policy into concrete cause-and-effect.

 

4.  Access and blast radius discipline

Even when a user is compromised:

Role-based access and strict segmentation limit what a single endpoint can expose

Conditional access and strong identity verification reduce pivot options

Training reinforces: your account is infrastructure; protect it like production.

 

5.  Incident-reporting culture over shame

Users are conditioned to report “I think I installed something odd” within minutes:

Clear expectations: early reporting is success behavior

Simple reporting channels baked into their workflow

This shortens dwell time and turns employees into sensors, not silent liabilities.

 

Nevada’s outage was not inevitable. A single download should never be able to take down 60+ agencies. When user education is precise, evidence-based, and backed by technical controls, “employee error” becomes a solvable control failure, not a convenient scapegoat.

 
