It started out so innocently, as most relationships do. A request for a disaster recovery plan.

It didn’t seem like she was asking too much – after all, it was just after 9/11 and we were responsible for sending out very important daily communications for them.

But it didn’t stop there. Next she wanted an information security policy. A what? I thought. But we figured it out. The basics at first: we have a firewall; our access is need-to-know. Or was it? Well, it quickly became so once we considered it, came up with a plan to implement it (we were a small company and able to adapt quickly) and documented it.

In the beginning, we weren’t even thinking about information security best practices or frameworks. We were reacting. We’d get a request from this very important client or that very important client and we’d figure out a way to comply with what they were asking for.

Turns out, it’s the way most organizations start their relationship with information security. Maybe it’s a client request, or vendor questionnaire, or a regulation that gets handed down that we must comply with. It’s typically very reactionary at first. We do what we are told and very little else beyond that.

Eventually (hopefully), the light bulb turns on and we get it. This whole “information security thing” isn’t a one-and-done checklist we can tackle and move on from. After all, the rules keep changing, because the threats keep changing. This is a relationship that requires just as much energy from us as from those making the demands (and, really, they are only doing it because they understand the risks and want to make sure we are addressing them).

But I digress… While I was still in the throes of reactionary information security I got another request. User training. User training? Why would my users need to know about my information security policies? Still, I was an obedient partner, so I trained. And it was admittedly tough at first — for all of us. “Here is this policy and here is what it says” I’d share with a glossy-eyed staff where the majority never even touched a computer. If they wanted me to train on my policies, I was now doing it.

Eventually I got it.

It’s like learning to drive. No one gets super excited about Drivers Ed classroom training – except for the fact that it means you are one step closer to driving. But it’s that foundation that gives you the rules you need to know in order to travel safely on the roads. It’s the same with information security policies. These are the rules that every user should know about before we allow them free reign to travel on our network.

Now consider that, still today, most companies give their users a username, a password and a workstation and say “Good Luck!” No rules, no best practices, no training. And we wonder why they keep falling for the same old phishing attacks.

Training on policies doesn’t (and shouldn’t) mean reciting policy statements verbatim. They can (and should) read through the policies on their own. Training is about bringing those policies to life and explaining what they mean to the users and why they matter. So instead of reading your policy statement on “Passwords must contain the following complexity requirements…”, train them on how to make strong passwords and the value of a strong password in a potential attack.

It’s all relevant now

The beauty of the last 15 years is that information security now effects everyone EVERYWHERE. Topics I used to train on (even when my training got better) – like email safety and computer hygiene – still only had practical application for about half my staff. Many people didn’t yet have a home computer and smart phones were a thing of the future.

Today it’s hard to find anyone who isn’t online. Even my almost 90-year-old grandma has a tablet and a Facebook account.

We are now administering our home computers and managing our own personal network of devices. So now everything in your information security polices is game for training. Your users will want to pay attention because, if nothing else, it helps keep them safer at home (where they don’t’ have an IT support desk to reach out to for every question). And truly, regardless of the motivation, we all win if everyone is smarter about information security, no matter where they log in from.

Let’s get training!

So if you aren’t training, start. Your users want, and need, to know how to traverse your network and the internet safely. Developing strong passwords isn’t an innate skill that we are born with, it’s something we have to be taught. Same with account sharing – we have to explain the risks involved with handing over log-in information to another staffer to “just” turn on their out-of-office or grab a file that can’t be accessed remotely so our users aren’t erring on the side of convenience.

And if you are training, think bigger. In addition to training on very important things like email best practices, remote access, BYOD  and safe traveling, you can also start talking about things like:

  • Asset Management: why you need to maintain an inventory of all your devices and what information is contained on them, especially come vacation time – someone has to ensure that all the electronics that leave the house make it back to the house. And if they don’t, you’ll want to know what important information is now in someone else’s hands.
  • Access Control and Privileged Access: the importance of making sure only Mom has administrative access to the computer and the kids all have to have their own log-in with a password with just standard user access to ensure no malicious software gets downloaded while watching the latest SURPRISE EGG! video on YouTube.
  • Backups: see above on asset management. If one of your devices does go missing, you want to be sure that your important documents, photos and other data are all stored somewhere else so you aren’t losing your only copy.
  • And, yes, even Patch Management: why you can’t ignore operating system and application updates and how you put your systems at risk by not implementing an effective patch management program. Check out this great podcast from Radiolab (http://www.radiolab.org/story/darkode/) on one person’s experience with ransomware on her home computer and the effort it took to get the issue resolved. THIS is why we need to patch all of our systems!

It’s time to integrate

We’ve long stressed that information security is not just an IT issue and I’m here to say it’s not even just a business issue. Information security is part of our new normal. It’s an EVERYBODY issue (at least everybody who connects in any way to the internet). It may seem strange to say but remember once now commonplace things that introduced risk into our lives like driving, indoor plumbing and cooking with fire were once new too and we had to spend a lot of time figuring out how to integrate them safely into our lives.

Information security training. You got this.

(and if you don’t, let us know and we’ll help get you there!)  Contact Us Now!


Michelle Killian
Michelle’s experience as a business leader and master communicator uniquely position her as a highly-effective virtual CISO. Her ability to drive security initiatives that align with business needs and cultivate buy-in from all areas of her client organizations are well-renowned from our clients. Building strong, sustainable security programs and training are Michelle’s security passions.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *