The Time is Ripe for Security Consulting
In 2014, it seemed as though half of the time the news was running a story on yet another cyber attack hitting a major corporation. Target was hit first, followed by J.P. Morgan and Home Depot. The year wrapped up with the highly publicized Sony hack. These incidents raise the question: if such large corporations can fall victim to cyber attacks, how can companies be prepared enough to combat the cyber threat? The growing number of hacks in the past few years suggests that the need for security consulting is on the rise. Companies should seriously consider security consulting as a way to address their needs for better knowledge, awareness, and training about cyber security.
While each of the attacks in 2014 was due to different issues – some of which we probably will never know – there are two fundamental steps security consultants can begin with to improve their clients’ cyber security.
1. Two-Way Communication on Cyber Issues
2. Improve Employees’ Cyber Security Knowledge
Cyber security is only as strong as its weakest link. No matter how sophisticated a security system is, if one person makes a mistake or unwittingly makes poor cyber decisions, the system’s security is drastically impacted.
Allow me to illustrate this point with the story of Operation Buckshot Yankee, which, I admit, is a bit of a trip down memory lane. Arguably, the US Department of Defense’s (DoD) secure network has pretty impressive security measures. Even so, in 2008 a virus spread throughout classified and unclassified systems on the network. How did this happen? An unknown flash drive was connected to a computer on the secure network.
Once the cause was identified, the DoD’s immediate reaction was to prohibit the use of portable data storage devices. This solution, however, is neither scalable nor practical. In fact, the whole incident could have been prevented by one person not plugging an unknown data storage device into a laptop. This is where communication and training come into play.
1. Two-Way Communication on Cyber Issues
Communication is key to any high-performing team or organization. When dealing with cyber issues, however, it is indispensable.
Top-Down Communication
Employees need to understand the priorities of their management and the organization as a whole. Having reference materials or annual trainings containing information on security standards simply cannot replace management regularly discussing (and reinforcing) the organization’s cyber standards. Communicating why these standards are in place will positively impact employee adoption of the organization’s desired behaviors.
Bottom-Up Communication
Continuous feedback from those whose jobs are impacted by cyber standards and regulations will help to inform (and hopefully improve!) those standards and regulations going forward. Only those who interact with the policies on a daily basis will be able to tell management if the policies are too strict, too lax, easy to get around, or negatively impacting the organization as a whole. They will also be the only ones able to identify what they do and do not know about cyber security. Facilitating honest conversations about cyber security will help consultants direct the formulation of training.
An organization’s natural first instinct may be to immediately begin rolling out training if leadership thinks its employees are not cyber savvy. Without first discovering the needs of the organization, however, training will not have the maximum impact. After solid two-way communication has been established, an organization can make informed training decisions.
2. Improve Employees’ Cyber Security Knowledge
Everyone knows that developing employees’ cyber knowledge is important. In fact, it’s in the top five of the U.S. President’s cybersecurity priorities. Developing training and investing in employees can help to prevent a cyber breach rather than having to deal with the aftermath of a successful breach.
As with all training programs, a cybersecurity training program needs to be intentionally developed, targeted, and positively presented.
The training program should be tailored to the job needs of the employees
While there may be benefit for annual refresher courses, one training curriculum will not be applicable to everyone in an organization. Different departments and different roles interact with different cyber policies. A one-size-fits-all training is simply too broad to be helpful or effective for those needing to apply the knowledge on a day-to-day basis. Tailoring the training curriculum to the needs of the department, team, or job function of the employees receiving the training will ensure that it is fully effective.
The training program should be tailored to the individual needs of the employees
Every individual brings different levels of cyber savvy to the table. Those who are advanced and can demonstrate this knowledge should not have to sit through basic cyber trainings. On the other hand, those who are unaware that writing down secure passwords to remember them, or plugging unknown data storage devices into their computers, can compromise their organization’s security should definitely receive more extensive training.
According to a report from PricewaterhouseCoopers, in 2014, banking and finance respondents spent as much as $2,500 per employee (median) on cybersecurity, while retail and consumer products businesses invested up to $400 per employee (median) and education respondents invested a maximum of $200 per employee (median). Security consultants can help companies ensure they are building the strongest cyber security policies by investing in their employees, as well.
Training should be ongoing
As the cyber landscape continues to change, organizations around the world will be preparing for continuously changing threats. These changes will surely result in the improvement of cyber security software and the formulation of new policies and procedures. As threats change and new policies and procedures are implemented, additional training needs to be provided to employees. Providing a standard training every year or every six months will not provide employees with the most updated information right when they need it. Ensure they are equipped to be as prepared as possible for cyber threats.