Tuesday, March 22, 2016

Cyber Security Training: Way of Business, Not a Compliance Checkbox




Written by Anthony Goodeill, POWERNET America

With cyber security intrusions threatening businesses and NIST 800-171 at our doors, most contractors have it in the back of their minds. I find, though, that most businesses are sticking their heads in the sand and hoping cyber security doesn’t hit them. One of the first lines of defense is preventive, not reactive. The NIST Framework lists “awareness and training” as a key component of network protection, and I get a lot of small businesses asking me “how do you go about it?” One of the preventive elements is training your employees to be your first line of defense.




Cyber security is part of the future of business, even though a lot of business owners and executives don’t want to tackle it “right now”. The bad part is that if they don’t, they will pay a LOT more when they are hacked and a cyber company like ours has to come in and fix the issues. Prevention is less expensive. I did not say cheap: the specialists needed to implement it are not cheap either. NIST recommends role-based training. In principle, your organization should integrate its most important physical, administrative, and technical control requirements into tailored privacy and cyber security training. At POWERNET America, when we define this training for an organization, we suggest that it be broken down into seven classes of users:


  1. General Users
  2. Privileged Office Users
  3. Privileged Admin Users
  4. Senior Executives
  5. Physical Security Personnel
  6. Information Security Personnel
  7. Third-Party Customers & Vendors




The next question asked is: “How often do I need to do this?” Personally, I tell them that training should be continuous: initial training for new users during the on-boarding process, then recurring training at least annually, and, if there is an incident or a significant information system change or policy revision, one-on-one instruction for the affected employees.


The hard part is that not every organization operates the same way, so in practice we have to coach companies to clarify their training goals and keep them manageable. A good example: I had been working with a non-profit to get their policies and procedures up to par. As I talked with the executive team and listened to them, I realized they had no idea what could happen. I was told that this executive had never thought they would be under attack. When I asked if any of his employees had been trained, I got asked “Why?” You must realize by now that this is probably the norm in organizations across the country. And you would be right!




Reasonably, you should not expect awareness from everyone, but not training them would be just as devastating. So we attempt to train everyone, so that it turns all employees into a first line of defense; even if it only discourages each individual employee from intentionally breaking the rules and committing a security offense, it is adequate. In my opinion, better awareness and training can be accomplished using four steps:


  • Educate Your Employees. A well-educated employee who knows the reasons for your controls is less likely to hurt your business, and may protect it! People hate change, but if a good reason is provided, they will adapt to complex changes. Businesses should proactively determine their business demands, ask the hard questions, such as how current or proposed security requirements might interfere with those needs, and figure out how to accommodate users so they can be productive without bypassing security.
  • Shock Your Employees. I hate to say this, but fear is a great motivator. It’s important for employees to know they can lose their jobs for breaking certain rules. It’s even more important to explain that a lot of the information you are protecting may be their own information, and what they stand to lose based on real-world cyber risks to your business’s sensitive data and critical services.
  • Support Your Employees. Encourage your employees to ask questions and to evaluate and productively comment on your cyber security training, then reevaluate your training program. Set up a system that lets them proactively report security concerns, such as an email address they can send issues to when they come across them. Something like securityrisk@yourcompany.com will allow them to report everything from virus detections to phishing emails, or even a suspicious action by a vendor.
  • Reward Your Employees. If you reward those who do find issues, you will soon get more and more people doing it. It will become a way of breathing, not a task.




I will leave you with this thought: cyber security should be embedded into your company, not just a compliance checkbox. If it is embedded into your organization’s culture, your business model will be much healthier, and it can even become self-aligning with your business needs.