Why don’t companies train employees on cybersecurity? This is a valid question that I have been asking for a long time. It seems like such a simple solution to a very serious problem. Your employees are out there in the trenches; they are the ones handling your sensitive data. Why not train them? Why not teach them to handle the company’s data and your customers’ data with greater care and a greater sense of security?
After all, they are the ones touching it the most. Why is something so sensible, so effective, and not really all that costly not being implemented worldwide? First of all, we have to go back and see who is responsible for cybersecurity at a company. Many times it is an IT guy. We have already talked extensively about why this is a problem, but to summarize: your IT guy, or even your IT security guy, does not have the authority to implement or even to write cybersecurity policy for a company. They may not even have the ear of management to recommend cybersecurity policy changes. So if we are not relying on the IT guy, then who?
If Not IT, Then Who?
There may be a manager responsible for security in the company overall, but this is not common, and if your company does have one, many times they do not have any specialized knowledge of cybersecurity. This may be a person in charge of physical security; they can certainly help, but they are really lost when it comes to handling specific cybersecurity issues.
Then, of course, there is the CISO, or Chief Information Security Officer. This person is perfectly suited to the task of making sure all employees are trained on cybersecurity. However, many times a CISO is not tasked with policy-level problems and decisions. Many times they do not have the authority or the executives’ ear to be able to handle these all-important issues.
So, for whatever reason, they are not able to get the job done. I have worked in many client organizations, public and private sector, and I can tell you for a fact that unfortunately most of the time the CISO is not getting the seat at the table they need to do the job effectively. Another reason is a bit more insidious and hidden. Let me ask you a question. When is the last time a cybersecurity vendor of any type recommended to you that you get your employees on a comprehensive, ongoing cybersecurity training program for everyone in the company?
I know; I have worked with many of these cybersecurity vendors: inside them, as a client of theirs, and even side by side with them. And one thing that almost never seems to slip from their mouths is a suggestion that their client get all of their own rank-and-file employees trained to be looking out for cybersecurity threats and issues on an ongoing basis. It just never seems to come up. No one asks, and few people ever suggest it. But it is without a doubt one of the most effective strategies you can encourage within your company.
This is not a foreign concept. In fact, it has been around for a very long time. Look back to the world wars of the last century and how posters were circulated all over the US to encourage the population to not divulge information they have that could be picked up by spies. This is the very same thing with cybersecurity today.
The simplest and most effective thing you can do today is to begin a cybersecurity training program immediately throughout your company. By the end of the month, everyone in your company should be trained at least to a rudimentary level. It does not need to be perfect; you will make it better along the way. Even more short term: you, as a corporate leader, should be speaking to your management and have them speak to their employees to start a conversation about this all-too-important issue within the next two weeks. When you train employees, this will accomplish two things: first, it will get you on the road to safety and security, and second, it will show everyone you do business with that you are serious about cybersecurity.