[BreachExchange] Cyber Security Awareness Needs To Last Beyond October
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Oct 31 20:02:17 EDT 2016
http://www.natlawreview.com/article/cyber-security-awareness-needs-to-last-beyond-october
The U.S. Department of Homeland Security (DHS) has designated October as
National Cyber Security Awareness Month. But as we leave October, remember
that data security is an ongoing challenge that requires continued
vigilance, not just against information system hacking, but also against
employee error and other threats. Setting up a comprehensive training and
awareness program is critical, and this outline
(http://www.workplaceprivacyreport.com/wp-content/uploads/sites/162/2016/03/Privacy-Training-White-Paper-March20162.pdf)
can help you keep your organization aware of cyber security throughout the
year.
DHS’ purpose is to engage and educate public and private sectors through
events and initiatives that raise awareness about cybersecurity, make
certain tools and resources available, and increase our resiliency in the
event of a cyber incident. This is a great effort and DHS collects helpful
information (https://www.dhs.gov/national-cyber-security-awareness-month)
and a number of resources for visitors to its site. But by selecting
October to draw attention to cyber security, surely DHS did not intend that
October be the only month that we think about this important area.
Earlier this year, the FBI reported a significant increase in ransomware
attacks. Late last year, the Wall Street Journal reported on a survey by
the Association of Corporate Counsel (“ACC”) that found “employee error” is
the most common reason for a data breach. Training and creating awareness
to deal with these continued and growing risks is critical. In fact, for
many organizations, doing so will help satisfy legal requirements for
securing data. And, it is a mistake to believe that only organizations in
certain industries like healthcare, financial services, retail, education
and other regulated sectors have obligations to train employees about data
security. A growing body of law coupled with the vast amounts of data most
organizations maintain should prompt all organizations to assess their data
privacy and security risks, and implement appropriate awareness and
training programs.
Here are some questions to ask when setting up your own program, which are
briefly discussed in the FBI report above:
Who should design and implement the program?
Who should be trained?
Who should conduct the training?
What should the training cover?
How often should training be provided to build awareness?
How should training be delivered?
Do we need to document the training?
No system is perfect, however, and even a good training and awareness
program will not prevent data incidents from occurring. But in the absence
of such a program, the question you will have to answer for your
organization likely will not be why the organization didn't have a system
in place to prevent all breaches. Instead, the question will be whether the
organization had safeguards that were compliant and reasonable under the
circumstances.