Creating a Culture of Security

October is National Cybersecurity Awareness Month.

It also happens to be (among other things) Breast Cancer Awareness Month, Dental Hygiene Month, National Bullying Prevention Month and my personal favorite, National Pizza Month. Plus, it’s Halloween! But I digress…we’re here to talk about cybersecurity.

Every manufacturer should hold cybersecurity awareness training for all their staff at least once a year. Many people are spooked by the mere mention of the words “cybersecurity” and “training,” so October seems like an appropriate time for it. Your training should, at a minimum, cover relevant company policies such as your IT security, information security, and physical security.

Over the years many of us have taken this type of training and learned to dread it. Training where someone gives the exact same cybersecurity speech they gave last year and then hands out a paper for you to sign saying you were there. A real snoozefest. This kind of training does its job as far as meeting the bare minimum but has little impact on actually molding employee behavior.

The real purpose of cybersecurity awareness and training efforts should be to create a culture of security, meaning that employees should view good cybersecurity practices as good business and as part of “how we do business here.” Employees should feel enabled to make good cybersecurity decisions and understand what makes a good decision. Awareness and training should focus on:

• Stopping risky behavior: Help employees know what decisions can lead to a bad outcome. For example, opening email attachments from unknown sources.
• Encouraging less risky behavior: Help employees understand and care about implementing processes that increase security. For example, how to make strong passwords.
• Turning employees into sentinels: Help employees recognize and respond to a cybersecurity event. For example, what to do if a guest plugs an unauthorized USB drive into a machine.

Ideally, training should be a continuous effort. Some ideas on how to include cybersecurity training in the everyday workings of your business include:

• Regularly emphasize cybersecurity as an important goal of your company.
• Integrate one cybersecurity tip, trick or reminder into every meeting.
• Post reminders around the workplace about appropriate security practices.
• Have regular meetings to discuss possible process improvements which can make it easier for employees to make better security decisions.

There has been a lot of research into what good employee cybersecurity training looks like. In general, it can be summed up using the acronym “RAINSTORMS.” Yes, I just made that up right now.

• Real: Using real-world case studies or realistic scenarios help bring home the lessons.
• Actionable: Include something that employees can do immediately. This may include changing their passwords, making an inventory of their IT assets or making sure they have contact information for the person or organization they should report an incident to in their phones. Sometimes a long-term homework assignment is appropriate as well, but having an immediate goal is always helpful.
• Interactive: Role-play, small group discussions or hands-on exercises are some great ways to make training more interactive. Ideally, the interactions should include bi-directional conversations involving all levels of management to ensure everyone knows that everyone has the same responsibilities, and everyone is on the same page.
• New: Some repetition is appropriate in training, especially when talking about policies, but it shouldn’t get stale. Different training formats (e.g. lecture, role-play, videos) can help.
• Small: Bite-size chunks of information are much easier to digest than an entire computer science degree worth of information forced upon employees. One topic at a time is generally preferable.
• Testable: There should be a measurable, testable goal for the cybersecurity training. If it’s general awareness, perhaps a quiz can be developed. If a goal is to mitigate phishing attacks, perhaps a fake phishing email can be sent both a few weeks before and a few weeks after the event. This will help show how effective the training was.
• Owned: Employees should leave the training feeling a sense of ownership and that cybersecurity is their responsibility; they should feel empowered to make good cybersecurity decisions.
• Relevant: Most companies have different types of users. Tailoring training to each type of user makes it more real. This may mean having different training for shop floor employees versus office employees.
• Memorable: Use acronyms, pithy mnemonics, or, my personal favorite, humor. Humans remember funny things – puns, bad music videos, ridiculous memes of cats – much better than a boring lecture. Don’t be afraid to make it unconventional and have fun.
• Simple: Above all else, training should be simple. Overly technical lessons full of technobabble are only good for putting people to sleep.

The National Initiative for Cybersecurity Education (NICE) has a small list of free and low-cost resources to help with employee training. There are also many additional resources available online. Just do an internet search and you’ll be bombarded with options. Evaluate those options using the RAINSTORMS template above.

Throughout the month of October, NIST MEP will be posting a series of blogs loosely following the theme and outline provided by the National Cybersecurity Alliance (NCSA). The theme for this year is “Do Your Part. #BeCyberSmart.” Now, personally, I’ve never been a fan of self-promoting a hashtag, but if you tweet or blog about cybersecurity during this month, consider using the #BeCyberSmart hashtag – we’ll see how far it goes.

The outline the NCSA has put out is as follows:

• Week of October 5 (Week 1): If You Connect It, Protect It
• Week of October 12 (Week 2): Securing Devices at Home and Work
• Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare
• Week of October 26 (Week 4): The Future of Connected Devices

Not sure where to start? You can learn more about how to implement an effective cybersecurity training program by contacting your local MEP Center. You can also access cybersecurity resources for manufacturers on the NIST MEP website.

This blog is part of a series published for National Cybersecurity Awareness Month (NCSAM). Other blogs in the series include If You Connect It, Protect It by Zane Patalive, Suspicious Minds: Non-Technical Signs Your Business Might Have Been Hacked by Pat Toth, Securing Internet-Connected Medical Devices by Jennifer Kurtz and The Future of Connected Devices by Erik Fogleman and Jeff Orszak.