Title Cybersecurity - Awareness and Training
Course Aviation/Aerospace Simulation Systems
Institution Embry-Riddle Aeronautical University
Pages 3
File Type PDF
Description

MSAC 515 Cybersecurity - Awareness and Training

We are going to go over one of the most powerful defensive tools an organization has: cybersecurity awareness and training. As we've mentioned several times, humans are the epicenter of cybersecurity. They can be the first line of defense, but in many ways they can also be the most vulnerable part of your organization, the part most exposed to cyber attacks. Social engineering plays on human psychological principles to persuade people to provide access or to click on malicious links. So cybersecurity awareness and training is the best weapon we have: educating people about potential cybersecurity risks, how to identify them and how to stop them.

Cybersecurity awareness and training is built on the understanding that humans can be the biggest data security risk. When we look at the statistics and see that 90 percent of cyber-attacks originate through phishing emails, we see how essential it is to minimize this human risk of being susceptible to attack. The strongest weapon we have is to strengthen the role of humans in the defense against cyber-attacks, and that is the focus of cybersecurity awareness and training.

So what are the steps you would take to develop awareness and training? The first step is a needs assessment. What are the organization's goals and strategies in terms of cybersecurity? How can cybersecurity affect the organization's ability to achieve its operational and strategic goals? It is important that awareness and training is tied to the goals of the organization; it needs to support the operational and strategic goals. You need to talk about those goals in training, and about why it is so important to understand these cybersecurity risks and prevent them, and about the potential damage to the organization.

You need to determine roles and responsibilities. Who is going to be responsible for developing the material, delivering it, monitoring it, evaluating it? You have to develop the training material itself, and this is not one size fits all; it depends on your audience. You may need different material for senior leadership than for frontline employees, and certainly different material for more sophisticated technical users. You want to develop a plan: how are you going to implement this training? Is it going to be mandatory or voluntary? It is recommended that it be mandatory, but it is up to the organization to determine how to implement it. And what is the mode and medium of training? Self-paced online? In a classroom? A mix of the two? These are the kinds of decisions you make before you begin to build the cybersecurity awareness and training program.

NIST has developed a standard, NIST SP 800-50, that provides a framework for a comprehensive approach to cybersecurity awareness and training. It focuses initially on awareness for all users, simply alerting people to what the issues are. It then goes to training, which is more skill-based. And finally there is education, which can be formal education or certification. So there is a beginning, intermediate and advanced level. In all cases it needs to be tailored to the audience. Employees need to understand the role they play in protecting their organization against cybersecurity attacks.

So initially, as NIST recommends, do a needs assessment, which we talked about: what needs to be covered in the training, and how does that align with the goals and needs of the organization? Aviation organizations are going to have different needs than, for example, a health care organization. It is important not to assume that you can just purchase something off the shelf and it will be appropriate for every organization. You need to tailor your awareness and training program to the security risks and needs of your organization. Determine what is being done already and where you want to be. Do a gap analysis: how do I get from where I am now to where I want to be? And you need to prioritize the training needs. In most cases you are not going to be able to deliver it across the board to everyone at the same time. Where is the greatest risk? Where do I need to deliver it first? How do I need to approach that training?

For the strategy, you want to determine the scope and goals of the awareness and training program, identify your different target audiences and their learning objectives, and determine the mode and frequency of awareness and training sessions. The complexity of the training material should be tied to the needs and roles of the specific audience.

Here are some course material examples that probably apply to awareness across the board: identifying email scams and phishing; understanding and recognizing malware; understanding why passwords and access control are so important (many, many people do not realize that their password can provide a gateway to the entire organization); the risks of removable media, for instance what you do if you find a USB drive in the parking lot or in the bathroom, because that is a common ploy of social engineers; safe Internet practices, that is, how to use the Internet without putting yourself or your organization at risk; social networking, since social media sites are unfortunately rife with cybersecurity risks and challenges; physical security, such as someone trying to tailgate in with you when you are supposed to be using a badge for access; data management and privacy, and your responsibility to secure information; and personal devices, and what you need to do to make sure that cybersecurity vulnerabilities on your personal device are not carried into the organization.

Once you've decided on your strategy and your content, you want to implement it. It needs to be communicated: the goals and the reason for the training need to be communicated throughout the organization, and expectations need to be discussed, ideally from senior leadership on down, because without senior leadership support most employees will not consider the awareness and training sessions important. Support the implementation with all the tools available: posters, newsletters, emails, award programs. Begin to build a cybersecurity culture in which security is everyone's responsibility. Make sure the material is regularly updated so that it reflects emerging threats. Offer training in several mediums: online, in class, self-paced. Participation in awareness and training should not be a single event; it should occur at least annually, so that employees are aware of the emerging threats, the concerns the organization has, and what is at risk if a cyber-attack is successful.

Once you implement your cybersecurity awareness and training, you have to assess it. Did it do what you wanted it to do? How effective was it? Effectiveness for the participants can be measured through evaluation and feedback. Effectiveness in actual practice is where an organization will send out simulated phishing email campaigns to see whether employees are alert enough to identify potential phishing emails. It is important to continually update, improve and refine the awareness and training materials. Keep it current. Keep it fresh.

When we talk about learning, it is important to understand that it is not a one-step activity, no matter what you are trying to learn, and certainly not with cybersecurity awareness and training. There are three levels. It begins with awareness, builds through training, and can culminate in education.

The goal of awareness is to focus attention on cybersecurity. Why is it important? Why is it important to you individually? Why is it important to the organization? At this level participants are largely recipients of information: you are giving them information about appropriate behavior to prevent cyber-attacks. Topics usually include passwords, virus protection, web usage, laptop security, mobile device management, and the like.

The next level is training, and with training you are building knowledge and skills, so there is more active participation. Training is based on the roles of the participants: management, technical staff, frontline employees. What are the actual skills you need them to develop and practice to be able to identify, prevent and recover from cybersecurity attacks?

Lastly, there is education. The goal of education is to integrate skills and competencies, and it often involves formal programs such as degrees or certificate training. Once again, this is based on the role of the participant, but it is important that cybersecurity education is supported by the organization through tuition or certification testing reimbursement, so that the employees who need to increase their knowledge and skills are given the support they need.

So that is a summary of how one would go about building a cybersecurity awareness and training program.