Cyber-Back to School Basics

As we are all preparing for the “most wonderful time of the year”, i.e. back to school for the kids, it makes me reflect on how much things have changed from when we were kids in school.  For example, I am currently on the hunt for a ½ inch three-ring binder with interior pockets in chartreuse for my 7 year old. When we were kids we showed up with a back-pack, a lunch box and some pencils. Not so anymore where we are provided a detailed list as long as my arm of school supplies for my pre-schooler.  So many of you are probably asking what this has to do with cybersecurity.  Well, it actually has everything to do with cybersecurity.

I was speaking with a colleague the other day and we were exchanging our usual horror stories about cybersecurity issues we face with clients.  You know the ones: the company doesn’t require passwords; or if they do, people share them; or if they don’t share them, they write them down or use the same password for everything.  The stories that make cyber-geeks like us cringe. Anyway, my colleague was talking about how, in order for cybersecurity to really be appreciated, we should start training on security at an early age.  She was saying how we teach our children to look both ways before they cross the street, or not to speak with strangers, but we aren’t really teaching them about cyber-strangers or good cyber-hygiene when they are young.  This got me to thinking that good cyber policies, education and the like should be part of our everyday “training” for kids and for employees.

One of the things XPAN tries to impress on our clients is that on-boarding employees with good cyber policies and habits when they begin at your company is a great start.  In fact, it is better than most; but it really needs to be a daily, weekly and yearly part of an employment.  Education is key for cybersecurity because your first line of defense against a cyber attack is conversely your biggest weak point- your employees. Training and making cybersecurity a daily reality to your employees is key if you want them to practice what you are preaching.  Just like children, when you teach them to stop at the corner and look both ways (even though you can see that there are no cars coming) so that it becomes second nature for them to stop and the corner AND LOOK BOTH WAYS, you have to make cybersecurity second nature for your employees.

Each click of the mouse, every email they get and each time they log into their computer they need to LOOK BOTH WAYS. Good cybersecurity habits are not an accident.  They don’t just happen.  In fact, the only way to make cybersecurity a natural reaction of your employees is to make it a part of your business.  Companies that take cybersecurity seriously incorporate it into every aspect of their business and they reinforce it regularly.

So how does that happen?

First, your should have cybersecurity policies and procedures.  Those policies and procedures should be written with your company’s technology, work flow and risk profile in mind (tune in later for another post on risk profiles).  That risk profile should directly align with your business plan and fit organically into its workflow.  Second, those policies and procedures should be regularly reviewed, discussed and reinforced. It isn’t enough to have them if your do not live (or more accurately work) by them. And in that vein, the policies need to include accountability.  There is no point to a policy that you aren’t going to police and enforce.

Next, you need to have regular training and tabletop exercises on cybersecurity issues.  You also need to make it clear that cybersecurity is important and WHY it is important.  Just saying not to click on a link is not enough.  I cannot tell you how many times I am told that the person clicked on the link because they wanted to see what would happen.  Well, I will tell you what will happen: you will be locked out of your system and your company will be paying hundreds of thousands of dollars to comply with breach regulations. Oh yeah, and cost of a breach can cause everyone to lose their jobs because 60% of all small businesses go out of business within 6 months of a breach. Explaining and training on the why is just as important as the actual tips and techniques.

Finally, have an ongoing conversation about cybersecurity.  It shows your employees that you have buy-in from the very top.  That is important.  When your employees see it is important to you, it becomes important to them.  Involve them in the conversation, the problems and the solutions.  Make them invested in the cybersecurity of the company.  The more you involve and include your employees, the more likely they are to think before they click.

Cyber training needs to be on a teach, test and repeat cycle.  Just like school, the more you do the more you know, the better you get at something. Practice makes perfect and that applies to cybersecurity just like it applies to anything else. Proper training and cyber-education is proactive and one of the easiest cost-effective things you can do for your business. Because remember, in the world of cybersecurity, luck favors the prepared.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.