Monday, April 14, 2014

Teaching employees about cybersecurity

How businesses can educate workers about cyber risks and threats

Today’s cyberthreats are complex and constantly evolving, and all businesses are potential targets. That’s why teaching employees about cybersecurity is becoming a priority for many organizations.
“Anyone in the business — from accounting to sales to senior management — who touches a computer, or interacts with systems on the company’s network, should have some basic cybersecurity education,” says Seth Hanford, manager of the Threat Research, Analysis, and Communications (TRAC) – Outreach team at networking provider Cisco Systems, Inc. “Cybersecurity is everyone’s problem and responsibility.”
Ernest McDuffie of NIST says management needs to coordinate with the IT department to ensure cybersecurity education is aligned with company goals.
But where do you find someone to teach your employees? First, you have to determine what kind of security your business needs, says Ernest McDuffie, Ph.D., lead of the National Initiative for Cybersecurity Education at the National Institute of Standards and Technology (NIST).
“Management needs to coordinate with the IT department to ensure cybersecurity education for the workforce is aligned with the goals of the company,” he says. “What is our mission? How does technology support that? What does our infrastructure look like? Where does it need to be? These are the types of questions that can help businesses assess not only where cybersecurity skills gaps are in their workforce today, but also where they’re likely to emerge in the future.”

Partnering with academia

McDuffie suggests that once organizations figure out their needs, they look to people they already know to provide training. That would include the IT service providers that supplied the company’s core technology as well as risk consultants who are advising the business. Academia is the next stop, McDuffie says, and it offers benefits beyond helping employees learn cybersecurity best practices.
“Establishing a tie between your business and one or more academic partners helps you to understand what cybersecurity skills today’s students are learning and where you sit as a business,” he explains. “It’s also a great way to build up a pool of talent specifically for your organization.”
McDuffie recommends looking to the Centers for Academic Excellence (CAE) and Information Assurance Education to find a university partner that has earned a CAE designation granted jointly by the National Security Agency and Department of Homeland Security.
University of Maryland University College (UMUC) is a CAE institution. It offers Cybersecurity Workforce Development and Training as part of its Corporate Learning Solutions program that serves employers in the private and nonprofit sectors, and in government. “We work with everyone from senior-level executives to network administrators and web developers,” says Jeff Tjiputra, academic director for Computer Networks and Security and Cybersecurity Programs at UMUC. “Employers come to us because they want to develop a new cybersecurity capability or expand one. The cybersecurity education they choose for their workforce is typically based on the strategic plan for the business.”
Tjiputra recommends that employers search for a university that attracts skilled faculty who have relevant industry experience. Employers also should take a flexible approach to classes that allows busy professionals to learn at their own pace, he says.

No one-size-fits-all

Hanford cautions employers against “cybersecurity boot camps” that attempt to cram a lot of information into a short course or classes that don’t provide hands-on training.
“Look for courses that offer a technical component — even for beginners,” he says. “Cybersecurity is complicated, and if an instructor isn’t requiring students to bring a laptop, or providing equipment, it’s a good indication they’re not going to impart a lot of deep or practical information to your employees.”
And just as there is no single solution to cyberthreats, there is no one-size-fits-all approach to education and training, says Steve Durbin, global vice president of the nonprofit risk management organization Information Security Forum: “Cybersecurity education is about providing frameworks and guidelines that can be adapted by companies so they can grapple with cybersecurity and its implications for the business. The educator is the channel, the conduit for learning, and the coach who ensures appropriate adaptation of cybersecurity [best practices] to the needs of the business.”

1 comment:

  1. After reading the article on teaching employees about Cybersecurity, I agreed on every aspect of the article especially about people need some basic education about cybersecurity and finally it is out there and it is everyone’s responsibility to find out what they can do to prevent it from happening because someone is careless. Now you will not stop every security threat, but we need to make people aware of things that can be done to stop it or at least slow it down. I believe that educating big and small business is crucial. At one time a boss of a big company would say to his head of I.T., I do not need to worry about this, isn’t this what I pay you to do? I do agree on certain I.T. issues it is their responsibility for fixing, maintaining and keeping your network in tip top shape and safe from many different types of attacks on your network. But being educated on Cybersecurity is what I think will kill the beast or at least slow it down. No one or no company has all the answers about this problem, but the internet is a wonderful tool or read a book about it. There are resources out there such as Threat Research, Analysis and Communication or (TRAC) for short and also the National Institute of Standards and Technology (NIST) for more information on this subject. I believe that a little knowledge goes a long way.
