10 TIPS TO DEVELOP CYBER SECURITY KNOWLEDGE WITHIN ORGANIZATIONS
1. Determine cybersecurity needs. A deep assessment can help organizations consider all of the areas where cybersecurity is needed and how much of that need can be outsourced versus handled internally. Consider:
Strategic plans: What skills are needed to accomplish long-term goals?
Workforce: Does the organization have the talent needed? Will we hire or train up?
Budget: What can be spent on training, certifications, and continuing education?
Competition: What will it take to keep on par (or ahead) with others?
Culture: How is security viewed here? Is it part of how the mission is accomplished?
2. Establish a training cadence. For cyber basics and awareness, companies should hold cybersecurity training every four to six months, including new schemes and tactics used by bad actors. Certification requirements range from classroom hours to continuing education credits to retesting.
3. Use free resources. Organizations don't have to pay for basic training! There are some very good cybersecurity resources available free from the U.S. Government. Visit the Cybersecurity & Infrastructure Agency and the National Institute of Standards and Technology.
4. Get to the “why.” Cybersecurity training won't “stick” unless employees understand their responsibilities and take their roles seriously. Ensure the training answers, “Why is cybersecurity important to our mission?”
5. Put employees to the test! Testing is a part of education. Send fake emails, conduct hacking exercises, and role-play a simulated attack or ransom situation. Even employees who know they could be tested slip up, and these are teachable moments to slow down, trust their gut, and verify.
6. Align training and policies. Make sure to reiterate all the best practices covered in training by creating policies and rules – and putting them in the employee handbook. Guidelines for daily activities, as well as reporting requirements, help institutionalize cybersecurity practices.
7. Explain the HOW. Make a point to explain the cybersecurity stance and monitoring techniques to employees. Not as a scare tactic (“We're always watching!”) but rather to demonstrate the value of data, how seriously security is taken, and to help employees feel comfortable being a part of the solution.
8. Leverage experts. Many organizations have a wealth of cybersecurity knowledge within their IT and leadership staff that can be shared through lunch-and-learns, webinars, hands-on mentoring, and idea meetings. Internal instruction is good for teaching procedures, and tips and tricks learned in the trenches.
9. Reach to the top. Cybersecurity is an operational task that is part of every business. It's the job of the security leader to know about it. Even if there are experts on staff or outside cybersecurity consultants who were hired, leaders should have a working knowledge of cybersecurity basics, the company's posture, and areas where the organization faces risk, allowing the security leader to make informed decisions. If leaders are unsure or embarrassed to admit what they don't know, they should brush up on the basics online and sit down with consultants to ask questions.
10. Keep the good going. Cyber security is not a “one and done” task. The landscape is changing so fast that it requires almost constant attention just to keep up. Training also takes time and repetition, especially for new skills or procedures. Fiercely protect the training budget, prioritize time for training, and create opportunities for everyone, from basic users to the pros, to apply what they have learned.
This document is designed for general information only. The information presented on this document should not be construed to be formal legal or tax advice nor the formation of a lawyer/client relationship. For further information please contact
For more information on this and other topics, please contact Kevin via any of the channels listed below: 📧kevin@kmckernan.com or 📞718-317-5007