The NIST Framework lists “awareness and training” as a key component of network protection. But how do you go about it? For its part, NIST recommends role-based training. In theory, your company should incorporate its most important physical, administrative, and technical control requirements into customized privacy and security training. That training should be broken down into five different classes of users: general users, privileged users, senior executives, physical and information security personnel, and third-parties (such as customers and vendors). In terms of frequency, training should be continuous, starting with new users, recurring at least annually, and providing out-of-cycle instruction in the event of significant information systems changes or policy revisions.
In practice, however, companies need to clarify their training goals and keep them manageable. A brief story might help. I recently attended a roundtable consisting of corporate directors. One of them pronounced, “Our employees are our first line of defense.” For him, that meant they needed significantly more training. I was skeptical about the rationale. After all, cybersecurity has grown far too complex for a company’s general users to defend the frontlines. Better to leave that to the experts, both in terms of IT specialists and advanced technical controls.
Rather than expect awareness and training to turn all of our employees into a first line of defense, perhaps it’s enough if it serves to discourage each individual employee from intentionally breaking the rules and committing a security offense. Following this line of thinking, better awareness and training can be accomplished using these three steps:
- Inform Them. Let employees know the reasons for your controls. To the extent any of them make business tasks more difficult, acknowledge it during training. Companies would do well to proactively determine business demands, ask how current or proposed security requirements might interfere with those needs, and figure out how to accommodate users so they can be productive without bypassing security. As an example, companies with file size and storage limitations should address the increased risk of users turning to personal email, cloud storage accounts and thumb drives.
- Scare Them. It’s important for users to know they can lose their jobs for breaking certain rules. It’s even more important to explain what the company (and those who depend on it) stand to lose based on real-world cyber risks to your organization’s sensitive data and critical services. There’s no substitute for actual examples, and everyone is relying on everyone else to do the right thing.
- Help Them (Help You). Encourage employees to rate and constructively comment on your security training, and take their feedback to heart. In order to promote the underlying security principles found in the training, have easy mechanisms in place both to report security concerns (such as a phish@company.com account for users to forward suspicious emails) and to report known security violations (perhaps anonymously).
Training should mean more than checking a compliance box. Done correctly, it can even drive an organization’s security practices to become further aligned with its business needs.