Cybersecurity and Training Needed Today

Vinicius Perallis, the CEO of Hacker Rangers, outlines what he believes the cybersecurity training market needs to thrive. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

Companies commonly focus on capability when constructing cybersecurity programs. They ensure businesses have components that assess and address risks, implement access management, and respond to incidents. However, a cybersecurity program must also address regulatory compliance to be complete. A comprehensive program will keep organizations safe from unauthorized access and prevent costly damage that regulatory penalties can cause.

Training is a top consideration in cybersecurity compliance. A growing number of requirements mandated by government agencies and third-party providers hold organizations accountable for training their employees on cybersecurity controls. The following explores some key regulatory duties and presents some steps that should be taken to stay in compliance.

Understanding the Global Regulatory Net

Most companies in today’s marketplace conduct cross-jurisdictional business. Online activity allows anyone from any jurisdiction anywhere in the world to become a customer. Consequently, companies must consider the controls that apply not only to where they are located but also those that might be triggered by the location of their customers.

The General Data Protection Regulation (GDPR) is an example of a cybersecurity measure that addresses the cross-jurisdictional nature of today’s business dealings. Considered the world’s most stringent privacy and security law, the GDPR was implemented by the European Union to protect its citizens from cyber attackers and other threats to data security. Any company, no matter where it is located, is subject to the regulation’s requirements if it processes the personal data of EU residents.

Complying with the GDPR requires a sound mix of technical and organizational controls. Controls such as firewalls, encryption, and intrusion detection and prevention systems are critical for compliance but insufficient. Programs must also address the human—or organizational—element.

In organizational controls, the GDPR requires companies to provide “the appropriate data protection training to personnel having permanent or regular access to personal data.” Employees must be trained on the skills needed to identify and prevent attacks, how to know when defenses have been breached, and the proper methods for reporting those breaches.

The California Consumer Privacy Act (CCPA) addresses the same concerns covered by the GDPR but applies them to data provided by California residents. It specifies the need for companies to implement “reasonable security procedures and practices” to protect consumer data. Training programs are considered essential to those procedures and practices, providing companies with the skills they need to repel attacks.

On the US federal level, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to take steps to ensure patient data security. It calls for “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information” to be implemented by the companies subject to the act. Cybersecurity training related to HIPAA must also help healthcare employees understand the vulnerabilities introduced by giving patients access to secure information.

As companies seek to stay compliant, they must also address third-party providers’ security and training requirements. For example, Visa, Mastercard, and American Express require companies that use their services to comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard requires “security awareness training,” which it specifically says should address threats like phishing and other social engineering attacks.

Developing Training That Ensures Compliance

Cybersecurity training is unlike most other forms of compliance training because it must involve every employee. Simply training the chief information security officer or his department is not sufficient. A cyber-attack can target any employee, from a new hire on his first day to the CEO, meaning everyone must be included in efforts to ensure systems are kept secure.

Certain cyber-attacks target technical controls. Brute force attacks, for example, seek to gain unauthorized access to systems by using computing power to identify working passwords. Many more attacks, however, target employees through social engineering. Recent statistics show that 98 percent of cyber-attacks use social engineering to gain unauthorized access. If employees are unaware of tactics like phishing, pretexting, or scareware, they can easily fall victim to a social engineering attack.

The overall goal of cybersecurity training should be creating a culture in which everyone understands and is committed to contributing to security. Neither compliance nor cybersecurity success can be achieved strictly through technological means. The human element must be addressed through effective training if companies are to provide “reasonable security procedures and practices” and “security awareness training.”

Regulators worldwide have made it clear that companies must commit to strict security controls if they expect to participate in the global digital economy. They have also clarified that providing ongoing, engaging, and extended cybersecurity training to all organizational members is critical to those controls. Companies that fail to effectively foster awareness will not be considered compliant.
