Critical for IT Network Security and Regulatory Compliance
This post will outline how to build effective cyber security training programs for employees. Here’s why it’s important for you to read on and then take action if you haven’t already done so:
For regulated financial entities, cyber security attacks can compromise corporate data as well as client assets. And the increase in cyber security threats and intrusions has a further impact on these companies: regulatory compliance. The SEC’s Office of Compliance Inspections and Examinations (OCIE), in its Cyber Security Exam 2 Initiative (which began in late 2015), among other things began defining cyber security roles for all employees.
This is because employee error has been identified as one of the most significant areas of cyber security risk. You can invest in firewalls, secure servers and websites, patch your software and applications against new vulnerabilities and any number of other measures. Yet one employee can click on a link or download a file put enticingly in front of them by a hacker and all of your protection efforts can come tumbling down like a house of cards.
OCIE wants firms to demonstrate that they have a proactive, all-encompassing stance regarding cyber security. There is more focus on written policies and procedures, including validation that these are implemented and followed firm-wide.
Training is only one of a number of areas that must be covered in policies and procedures, but it is high on the list. And it must be extended to third-party vendors who have access to your network, as well as to employees. Not only must you provide training, but you must also create an audit trail of that training and of its impact on minimizing risk.
What Does an Effective Training Program Look Like?
An obvious first step is to train employees about your overall cyber security policies and procedures, which should cover the areas of Governance and Risk Assessment, Access Rights & Controls, Data Loss Prevention, Vendor Management, and Incident Response. They need to be aware of all the areas where you are protecting against cyber threats, including how you are implementing, managing, monitoring and reporting on these areas so that they can understand their roles.
If employees understand what the company is doing and why, they’ll know, for example, why you want to have IT wipe their personal phone of all company data when they get a new one or leave the company. They’ll have an easier time complying when they feel some ownership of cyber security.
In addition, you need to do practical testing and training in the following areas to prevent that fatal click or download.
- Current threat awareness is a key training area. Cyber threats evolve and this training helps your staff keep an eye out for schemes that may come to their inbox, phone or snail mail box.
- In earlier posts we’ve discussed phishing schemes – criminal cyber activity that takes many forms, including emails, SMS messages and file downloads – and how to train your employees to recognize them. Phishing in all its forms aims to fool people into providing passwords, credit card and personal information by mimicking a trusted source – like a bank, a retailer, a social network, a credit card company, or even your own HR department.
- Social engineering refers to manipulative hacker actions to entice people to click or download. For example, hackers often send emails followed by phone calls to encourage recipients to click and share passwords and personal or confidential information.
- Link clicks and downloads from messages sent by hackers can introduce code into your network that installs malware, which can siphon off your client database including personal data, or ransomware, which locks down all of your data until you pay the hacker to unlock it.
- Bad actors are also putting bad code onto USB drives (aka flash or thumb drives) and distributing them in offices, other public places and via the postal service in the hope that people will pick them up and use them, infecting their devices in the process – even if they reformat the drive.
If the hair on the back of your neck is beginning to tingle, then we assume you agree that your employees need to know what to look for and what to do when (it’s unfortunately not an “if”) they encounter a cyber scam of any kind.
Your cyber security training programs for employees need to cover all of these areas and they need to evolve with the threat landscape.
How Often Should You Train?
We recommend that at an absolute minimum you provide a mandatory annual training workshop. It should be long enough to adequately cover the risks and to teach people how to reduce them.
For most of our clients we combine periodic onsite and online training sessions. Training should be often enough to keep up with new threats and regulatory requirements. At least some training – particularly about your written policies and procedures – should be part of all new employee onboarding.
Considering that training is only one aspect of a comprehensive set of cyber security policies and procedures, it is not advisable to treat it as a stand-alone effort. You would do well to enlist a cyber security specialist team whose business it is to assess and identify weaknesses in your environment, fix the problems, and teach staff and management how to avoid them before they arise, all while keeping you on the right side of OCIE auditors.
If you’d like to speak with Soundshore Technology Group’s cyber security experts send an email to firstname.lastname@example.org. We’ll be happy to help. While you’re here, please take a look at our full array of cyber security services.