Teach Employees Cybersecurity Skills, Even If They Resist!
By Dale Penn
We’ve become comfortably numb to the daily barrage of cybersecurity attacks, leaks, threats and mutations that each of us face here on the digital frontier. The never-ending drip, drip of hacks and attacks appears before our eyes like the elements of a sci-fi thriller that simply couldn’t happen in the real world, let alone happen in our personal homes and businesses.
Worldwide cybercrime will cost $6 trillion annually by 2021 according to analysts at Cybersecurity Ventures. This will effectively become the greatest transfer of wealth in history.
Our daily routine of meeting deadlines, solving pressing problems or reaching short-term goals leaves us exposed to threats we didn’t realize were knocking on the front door. More often than not, these cyber-privacy and compliance threats come in through the side door or the back door. Often, we’re too focused on daily tasks to even notice. Some of us are so distracted that we don’t realize the cyber criminals are already inside our digital home, stealing our most valuable information!
Pew Research studies have consistently revealed that a majority of Americans have personally been breached in one way or another. Most fear they have literally lost control of their personal information and they doubt the government’s ability to protect them.
Cybersecurity technologist, author and Harvard fellow Bruce Schneier has long warned that the dominant threats to our personal and business privacy and security are “the back-doors and inherent vulnerabilities” in every piece of software we purchase, download or use. That’s not great news, but it doesn’t mean there’s no hope or that we can’t effectively fight back against the connected acceleration of this digital era.
It should come as no surprise that the adversary here is no longer a bored teenager or the loser couch potato living in his parents’ basement with a laptop. This new breed of cyber-criminal actually commutes into the office each day, has monthly or quarterly goals and incentives and makes daily anonymous cybercrime his life’s work. The organized fraudsters do this without fear of detection, retribution or prosecution and, of course, it’s all done without remorse.
Surprisingly, the information security industry that we expect to protect us is experiencing a tremendous shortage of new recruits coming into the job market. Companies with plenty of room in their budgets still find it virtually impossible to fully staff their information security teams with qualified candidates.
The underlying worldwide shortage of IT talent makes it difficult for organizations to protect themselves in the never-ending and accelerating race to fight data breaches, avoid compliance offenses and to minimize the losses associated with relentless, sophisticated cyber attacks.
Blinky Boxes With Pretty Lights
According to the nonprofit IT security organization ISC2, there are nearly 3 million cybersecurity positions that remain unfilled around the world. Business leaders, senior managers and privacy consultants have warned us for years that the proverbial “weak link” in the armor of every organization is the human being. That means you. That means me. That means us.
Despite our reliance on human awareness, human vigilance and human engagement, cybersecurity threats can very easily penetrate any and every organization. Attempting to solve the problem by purchasing more “blinky IT boxes with pretty lights” has become a predictable and ineffective band-aid for a menacing privacy wound.
I believe that training, testing and certifying individuals, organizations and entire industries with cloud-based, on-demand, interactive privacy awareness learning modules will create the cyber-resilience mindset that every team needs. Once an organization of any size takes time to identify, monitor and protect their unique assets, the goal of reducing cyber risk becomes not only doable, but repeatable, scalable and effective.
A Watching World Cares About How You Treat Their Privacy
Corporate boards, C-level executives, HR professionals and management executives should lead the way by mandating enterprise-wide privacy awareness training. This makes it possible to effectively manage the threat of cybersecurity intrusion throughout the organization, no matter how large or small it is.
According to analysts at the National Cyber Security Alliance, 60% of SMBs (businesses under $1 billion in revenue) will fail or literally go out of business within six months of experiencing a cybersecurity breach.
Most hard-working and often understaffed IT teams are consumed with the daily task of putting out fires. They don’t have time to create, deploy and manage cybersecurity awareness training courses for the entire workforce from the C-suite to the loading dock.
The creation, curation and maintenance of effective, affordable training content for the entire employee roster is the goal that our company, the Privacy Awareness Academy, is committed to. We believe that every person and every organization has a God-given and constitutional right to privacy in the physical, financial, reputational and cyber-domains.
“All human beings have three lives: public, private and secret.”
Gabriel Garcia Marquez
Recently, my nephew discovered that he had become a victim of a senseless, anonymous cybercrime. As a smart third-year student at a prestigious law school, he had never faced a brazen, eye-opening privacy invasion of this sort. “Uncle Dale,” he said, “this is the most annoying and time-consuming thing that has ever happened to me.” Well, at least he wasn’t too overwhelmed to reach out to me for guidance. I told you he was smart!
Training that focuses on technical skills or legally mandated compliance regimes like HIPAA, PCI, GDPR, GLB, FINRA or other regulations governing data safety or employee behavior often falls short in one vital area, and that is “stickiness.” There is a difference between sticky “training” and simplistic “exposure to training.”
Much of the so-called training content that is widely available from assorted allied industry vendors or on YouTube is dispensed with no insight into the best teaching strategies for modern adult learners. Retention isn’t the goal of sub-par training providers; simply checking a “completion box” is all they’re after. Most inadequate training offerings are too tired, too boring, too dated and are created with one-dimensional slides that do nothing to capture attention or improve retention and engagement. No testing, no feedback, no repetition, no growth.
Cybersecurity and privacy awareness training are too important to relegate to what basically amounts to a PowerPoint with a voiceover. This failed training approach is more commonly referred to as “death by PowerPoint.”
Mere “exposure” and real “engagement” create two entirely different outcomes for employees. The former leaves the organization no better off in the war against social engineering, intrusion and financial or legal exposure. The latter helps to create a healthy, ongoing corporate culture of privacy awareness and cybersecurity.
Demanding schedules, short attention spans and employee turnover point to the need for most organizations to outsource interactive, engaging, accessible training that can be tailored to meet specific needs and can be consumed on-demand, 24 hours a day, on any device. Short micro-learning modules, 5 to 7 minutes long, create engagement through built-in interactivity and accountability. Engagement is what leads to permanent behavior change.
There’s also the added bonus of making learning fun to consume, fun to share and fun to discuss. There is no cookie-cutter PowerPoint that can engage learners with deep retention. Personalized interactivity makes the difference between just “seeing” the training and actually “understanding” and “employing” it on a daily basis.
There are two key groups of employees who should climb the training ladder to build a lasting, effective organizational culture of privacy awareness. The first are existing staff and the second are newly hired employees. By making privacy awareness training and reinforcement a part of your onboarding process and their regular routine, you can build an internal dialogue among employees that reinforces a safety perimeter often referred to as the “Human Firewall”. Former FBI special agent and cybersecurity expert John Iannarelli reminds us: “Just taking a few moments on the front can save you a lot of time and heartache and finances on the back end.”
Finding Human-Centered Balance
A Harvard Business Review study found that firms need to balance essential technological or IT investments with a menu of agile, human-centered defenses. During a Berkshire Hathaway annual meeting, the iconic investor Warren Buffett highlighted cyber-risk as one of the gravest concerns facing humanity!
The privacy goals for your organization shouldn’t anticipate the total elimination of privacy risks because, after all, we cannot expect privacy or cybersecurity perfection. Instead, realistic, achievable goals should be designed to identify, quantify, reduce and manage the risks that your honest assessments have uncovered. There’s no such thing as zero risk, but organizations should adopt and embrace a posture of high awareness, vigilance and preparedness.
Organizations of every size have a unique list of stakeholders who expect you to be cybersecurity resilient. Stakeholders include your board or ownership, your industry’s compliance regulators, your customers, your vendors, your employees and the public at large.
All of your stakeholders expect your organization to be resilient, trained, prepared for adversity and committed to keeping your data secure, accurate and accessible at all times.
Your stakeholders have placed their trust in you, just as you place your trust in an airline every time you step onto an airplane. We often don’t give our own vulnerability much thought, but the stakes are high for everyone connected to your business. Do your customers deserve any less?
Promises Made and Promises Kept
I have a question. Does your organization’s “brand promise” include mandated internal training and readiness to keep all your customers, vendors and investors safe? If not, one day you’ll face regulators, plaintiffs’ attorneys and an unforgiving press who are all wondering what you’ve done to protect the integrity and privacy of your data.
Boardrooms and governance teams around the world are now examining their risks, their technical controls, their industry best practices as well as their internal readiness. They’re also considering their employee training options like never before.
Crippling data breaches are becoming more virulent. Privacy intruders are getting savvier and the number of compromised data files has grown every year for the last decade. Sadly, many companies and service organizations mistakenly believe that they are not big enough, visible enough or important enough to be targeted by aggressive cybercriminals.
Know Thine Enemy
CNBC tech reporter and author Kate Fazzini outlined the work habits of cyber-crime fraudsters in a recent article. According to her reporting, researchers at Google and IBM point out that cyber-crooks often practice their attacks by mimicking the behavior of the companies that they’re targeting, including the one you might happen to work for.
Criminal fraudsters know they’re competing with other global criminals for victims and targets. They also hire seasoned executives to oversee their operations and to help keep them focused on stealing as much of your data and cash as possible. Cybercriminals work regular hours, enjoy weekends off and hire subcontractors to share the workload. Ironically, many criminal CEOs spend more time thinking about the vulnerability of your organization’s data than your own CEO!
Despite the seemingly unlimited cybersecurity budgets of large enterprises, they continue to be aggressively targeted by this new generation of organized cyber criminals, but small to midsize businesses (SMBs) are not out of the crosshairs either.
The truth of the matter is that “obscurity does not ensure security.” No matter the size of your team, creating a culture of risk awareness and employee training can protect you from unnecessary reputational and financial exposure.
It’s Time To Deploy A Legally Defensible Privacy and Cybersecurity Training Program
An unsettling reality is that all organizations must address the real risk of punitive legal action brought on not by damaged consumers or overly zealous regulators, but by their own employees!
In 2018, it was reported that a Florida-based company, Lincare Inc., signed an $875,000.00 settlement of a class-action lawsuit brought by its own employees. The employees (both current and former) claimed that their personal information had been harmfully disclosed in an incident involving an earlier business email compromise (BEC) breach at the company.
Unfortunately for Lincare, a human resources worker allegedly fell for a phishing scam involving a fake email pretending to have been sent by a Lincare executive. Under the settlement, Lincare agreed to perform a regular risk assessment to identify both internal and external risks.
Additionally, Lincare agreed to provide training on both cybersecurity and incident response issues. The lawsuit said that better information security training might have potentially prevented the data breach.
Cybersecurity and Privacy Awareness Governance Questions
No matter the size of your organization, there are several important questions for your board and senior executives to examine:
- Is your organization (despite its size) conducting year-round privacy skills and awareness training for team members? If not, why not?
- Do you conduct company-wide, realistic, unannounced simulated phishing attacks?
- Have you designated an interactive cybersecurity education provider who can deploy, manage and adjust a scalable privacy awareness training and accountability plan for your team?
- Do you recognize, acknowledge, reward or certify fully trained employees?
- Have you relegated cybersecurity training to a vendor who still uses old-fashioned, non-interactive PowerPoint slides with a voiceover?
- Do you consider your company too small or obscure to be targeted by anonymous, ruthless cybercriminals?
- Is data safety an important part of your organization’s brand promise?
- How well is your team equipped to deal with spear-phishing emails, CEO fraud or the various social engineering threats?
One of the first steps in risk management is to examine the likelihood and impact that a cybersecurity or privacy event could have on your organization. The governance questions above can give you insight into some of your risks and can provide initial clues toward minimizing those risks. Not all risks can simply be avoided or transferred to an insurance company. Now is the time to measure your organization’s level of “security maturity”.
Protect Your Data. Train Your Team!
Insurers, lenders, vendors, employees, OEMs, plaintiffs’ attorneys and industry regulators all have questions about your organization’s demonstrable cybersecurity hygiene, posture and readiness. How will you answer them?