Getting Your Troops Ready: Training Your Employees in Cybersecurity
In our previous blog post, we discussed the importance of taking stock of your firm's confidential information and evaluating whether or not it's necessary to store or transmit that information. However, this information is meaningless unless it’s distributed effectively and understandably amongst your team so you’re all on the same page when it comes to protecting your firm’s confidential information. You can think of these training procedures as like the hero’s inspirational speech in the action thriller we talked about in the last blogpost: you want to make sure your team understands the goals of your cybersecurity policy, what their role is in your cybersecurity plan overall, and what to do next.
In this blog post, we'll provide a checklist for establishing employee training procedures to ensure that your employees are just as ready as you are to face any threats to your firm's data.
- Identify who has access to PII or firm sensitive information, and to what extent:
Do your employees, independent contractors, vendors, or clients have access to PII or other sensitive and confidential information?
If so, make sure you evaluate the following:
☐ Is access to PII or other sensitive information necessary for the employee’s or third-party’s ability to perform their role at the firm?
☐ Do employees, contractors, vendors, or clients only have access to the level of PII they need to fulfill their firm-related responsibilities?
☐ When business is terminated with employees, contractors, vendors, or clients, is their access to the data terminated immediately?
☐ Are employees’ and vendors’ system access monitored? If so, how?
☐ Are account credentials (login and password) used only by the person for whom it is created? In other words, do people on your team or third-parties who have accounts on your systems ever share accounts or account credentials?
- Define cybersecurity training needs
To develop effective training procedures, you need to define the specific cybersecurity training needs for your employees. In addition to making sure your employees and other parties who have access to data-holding systems understand the answers to the previous checklist, consider:
☐ Does training take into account firm-specific risks, systems, and loss incident history?
☐ Is training generally applied to all employees, or is it tailored to their level of access to PII?
☐ Is your training regularly updated to take into account developments in technology that might affect firm-specific risks and systems?
☐ Do you conduct training in regular intervals (e.g., quarterly or annually)?
- Evaluate the effectiveness of your training procedures
To ensure that your employees are prepared to handle cybersecurity threats, it's important to evaluate the effectiveness of your training procedures. Consider the following:
☐ Have your employees completed cybersecurity training?
☐ Do employees understand the explicit and specific goals of cybersecurity training from the training itself?
☐ Is your training interactive?
☐ Have your employees demonstrated an understanding of the cybersecurity policies and procedures?
☐ Have you received feedback from employees on the effectiveness of the training?
☐ Have you conducted any simulations or drills to test your employees' ability to respond to cybersecurity threats?
By following this checklist, you can establish effective employee training procedures to ensure that your employees are prepared to handle cybersecurity threats. This is the remediation stage, or the stage where you’ll be editing or drafting your training procedures based on your responses to this checklist. Remember, cybersecurity is an ongoing process, and it's important to regularly review and update your policies and procedures to stay ahead of evolving threats. We’ve also compiled a packet of printable versions of all the checklists in this series to help you assess your organization’s cybersecurity status and come up with a comprehensive set of policies to set your organization up for success.