Cyber Awareness and Training

In my last blog I examined the NIST Framework Protect function and what it means for organisations, their IT teams, Chief Risk Officers and the C-suite. In this week’s blog I examine how awareness and training form a major pillar of the Protect function.

Part of cyber awareness and training is making sure that knowledge of the cyber threats the organisation faces actually exists within the organisation. There is no point in doing all the hard work of identifying those issues, risks and potential challenges (see previous blogs) and then not communicating them within the company, because then the business is not protected to maximum effect.

Start with your new starters, as you mean to go on: cyber awareness should certainly be part of your induction process. Some organisations batch their inductions and run them once a quarter. A business should not delay cyber awareness until the next induction in those cases; a new starter can be targeted from their first day.

That induction, and subsequent awareness and training, could be computer-based training, where employees answer a set of questions and must achieve a certain pass rate, typically 70% in the insurance world, for example. These computer-based exercises can be quite simplistic, however, and a little dry, and not as engaging as having someone talk you through the cyber security challenges and the scenarios the company is trying to protect against or has identified in the Identify phase.

Frankly, I don’t think insurance organisations take cyber training and awareness-raising nearly seriously enough. I have heard people say, “Oh, we’re quite savvy here, our guys would never be silly enough to click on a dodgy email or one from someone they don’t know.” Wrong!

I recall an example where an email attachment purported to be a photo of a naked celebrity, and people were calling the IT service desk because the attachment wouldn’t open. They couldn’t see a photo! What was actually in that mail was not a photo but a virus. The machines were infected very quickly, and part of the virus’s behaviour was to mail itself to other people with the same message, so it spread through the company fast. Action had to be taken promptly so as not to overrun the company’s servers, with potentially millions of emails carrying this virus being sent internally and externally from within the company. Naked celebrities clearly have a lot to answer for!

Associate companies and service providers should be included in your awareness process; you want to make sure they understand the base level of knowledge you expect them to have. The form this awareness takes will vary according to your organisation, but it should include a face-to-face element with your account representatives.

Organisations that deal well with evolving security risks are those that encourage a culture in which people are not embarrassed to put their hand up when they think they have seen something suspicious or unusual.

People’s instincts are hardwired, and they should use them. For example, if an employee notices a directory containing a number of files full of credit card details and numbers, they should raise it as an issue, with something like: “This may be a bit of a silly question, but I don’t think these details should be there.”
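The same instinct can be backed up with a routine check. The script below is an added example, not code from the original post: it walks a directory, looks for runs of 13 to 19 digits, keeps only those that pass the Luhn checksum that real card numbers satisfy (so order IDs and phone numbers are ignored), and reports them masked so the report itself does not leak card data. The sample files it creates under a temporary directory are constructed for the demonstration, and the paths and file names are hypothetical.

```python
import os
import re
import tempfile
from typing import Dict, List

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid candidate card numbers found in text, separators removed."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits so the finding can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk root and return {relative path: [masked PANs]} for every file with hits."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue            # unreadable file: skip rather than abort the scan
            if pans:
                findings[os.path.relpath(path, root)] = [mask(p) for p in pans]
    return findings


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample tree (hypothetical paths, test card numbers) and scan it."""
    samples = {
        # Two well-known test card numbers, one with spaces: both should be flagged.
        "exports/refunds_q3.csv": "ref,pan,amount\n1,4111111111111111,19.99\n2,5555 5555 5555 4444,5.00\n",
        # A 13-digit order ID and a phone number: neither passes Luhn / length, so no hit.
        "notes/order_ids.txt": "order 1234567890123 shipped\ncall 0123-456-7890\n",
        "docs/policy.md": "Card numbers must never be stored outside the PCI environment.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_directory(root)


if __name__ == "__main__":
    for rel_path, masked in demo().items():
        print(f"{rel_path}: {', '.join(masked)}")
```

Point `scan_directory` at a shared drive or export folder and anything it reports is exactly the kind of finding the employee above should be putting their hand up about. The Luhn filter removes most false positives, but it is only a checksum, so treat a hit as something to investigate rather than proof of stored card data.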

People should feel able to report incidents quickly, without fear of being labelled alarmist even if it turns out to be a false alarm. On the U.S. subway system they say “if you see something, say something”, which is a nice turn of phrase. Raise awareness.

Darren Wray