Should companies train their employees on security? I am still amazed at how many companies do not do this today. Cybersecurity training is such a simple and fundamental part of having a successful cybersecurity posture. Many times I go into a client location and I notice the most obvious of security errors. I will see things like people shouting passwords over the top of cubicles, people surfing on suspicious sites with company computers, lax physical security in and out of their buildings, unsecured phone closets, or phone closets shared with the cleaning staff, etc.
These are problems that can be corrected so easily. And I have seen a lot of strange things after 30 years in this business. I remember one time, many years ago, doing an inspection of a manufacturing plant of a very large high-tech company. As the IT guy took me around to all of their sites, he let me into locked closets, data centers, and other facilities. It was a mess. I had never seen anything like it. Tangled messes of cables, equipment unsecured on the floor, cables falling in from the ceiling. He even asked me not to enter one room, it was so bad. Now, this was a multi-billion-dollar company considered one of the leaders of its industry. There just was no excuse.
One of the fundamental aspects of cybersecurity is that a strong, secure physical environment will engender a strong and secure cyber environment. What we do in the physical world translates into the cyber world. Let me ask you this. When a burglar goes down a row of houses, which house is he most likely to rob? The one that looks well maintained, well lit, and has activity around it? Or the one that is dark and not so well maintained? He is going for the soft target.
And this is where training comes in. It is not just about training people on their physical environment; it is also about proper procedures in their cyber world. This culture of knowledge and awareness, a system of policies that can be followed by everyone, is key to getting you to a secure environment. This cybersecurity training should be frequent and ongoing, keeping up with the latest cyber and physical security techniques.
Who Is Watching
So, to answer the question at the beginning: companies assume that the IT department is watching their backs. I have talked about what a fallacy this is several times on this blog, and here. But simply put, management does not always get the whole picture. So the idea of the IT department, or security specialists if you have them, watching what all of the employees are doing is just not possible. Sure, they should be monitoring the network for threats. But they are not going to tell the folks in accounting which data is classified and which is sensitive. They are not going to go down to HR and inspect their handling of sensitive documents. The IT department is not going to be everywhere, watching everyone.
But your employees will be. They will know what is sensitive within their own sphere. They will be your eyes and ears. Get them trained with good, consistent cybersecurity training. Engender a sense of personal responsibility in every employee, and they will serve as your company's most important layer of protection.