We have worked for many years to protect our companies and their employees from safety issues, and even physical security issues. This is a common practice across the board. I remember going to a new job when I was 19 years old and just in college. The company hired some college students to work part-time in certain parts of their small factory. We were put in front of an old movie projector and asked to watch a safety film. Then we had some items to read and several pamphlets on security and safety. That was decades ago, and virtually every job, white collar or other, has had a similar process.
But today, in 2017, we are still not following this lead when it comes to cybersecurity. Why is that? Is it because we do not have a need for it? Certainly not; cybersecurity is slated to cost $2.2 trillion by 2019. Is it because it is too hard to do? Not at all; it is very doable. Is it because there is too much resistance to it? Not really; people willingly participate in security training.
Why Is It?
I believe the reason is that cybersecurity is such a new and elusive issue that it does not always lend itself to our top-of-mind issues. It changes constantly and is so hard to pin down. I also believe it is largely due to the IT Security Fallacy that I have talked about before here. But it simply is not going away.
Take a look at when the entire nation was under threat of attack during WWII. And what did the civil authorities do to help with the situation? Well, one of the things they did was to institute an information and training campaign to warn American citizens not to speak to anyone about anything that could be considered sensitive information. Notice they did not tell them to not tell strangers or foreigners; rather, if it wasn’t necessary to talk about sensitive information at the airplane factory or the steel works that you worked at, then you simply did not talk about it. Remember the campaign “Loose lips sink ships”? It was on posters all over the country. And it worked. Not perfectly, but it certainly helped. And that is all you can ask for.
How Do You Do It?
Like many things in cybersecurity, it starts at the top. Here are five things you can do today to help with your cybersecurity training effort.
- Lead by example. Talk with your direct reports and employees about how you prepare for cybersecurity.
- Disabuse all people within your organization of the myth that IT is going to protect you. They certainly have a role to play, but they are only part of the solution.
- Give your training or HR department or your security authority the task of coming up with both a management track and an employee track for getting all employees trained within 6 months.
- Make sure your top cybersecurity people are going to the best training and conventions to stay current on the latest cybersecurity issues.
- Finally, ensure that you are reporting back to your board of directors on your efforts to have everyone trained. And get their buy-in. This will be essential in budgetary as well as cybersecurity effectiveness issues.
The most important thing is to do something now. If you need help, get help, but get started today.