Today's NIST Topic is - "Implement a Security Awareness and Training Program"
This is something very near and dear to Bob's and my heart. We talk on this and write on this and plead on this. Security awareness and training is one of those areas where we are never done and always continually trying to improve.
One of the frustrations is that we do presentations on this topic, write about it, and talk to people in person. And yet, we are still being told, "No one ever told me that!" Or, "No one ever tells us what is going on!"
One of my favorite examples was a former tech director who was planning a major district office server upgrade. He consulted with the Superintendent and senior district staff and picked a date. He sent out emails. He sent out written, paper correspondence. He personally visited the key people in the district office to discuss the migration schedule face to face. He called them on the phone to remind them. He reminded everyone again the day before the migration. The day came to do the migration; we took the old server down and began to do what we needed to do. He was angrily greeted by many disgruntled district office staff who "had no idea this was going on!" We had already started a migration process we couldn't stop, and he was then told that the business office desperately needed access to their files: they had scheduled the auditors to come to the district on Monday and had previously decided to work through the weekend to prepare for the audit! They never told the tech director any of this in all the repeated discussions on the schedule and expectations. We smiled and quickly shifted our entire work plan.
The business office got their data.
The auditors had what they needed on-time.
The migration was successful.
It is what we do.
However, sometimes despite our best efforts we just can't win, but we have to smile, dust ourselves off, and try again.
The bad guys are absolutely counting on our busy user base's limited attention span.
It is said that if you want people to remember what you are telling them, you have to repeat the information over and over again - monthly. For us as the insiders, it is mind-numbing to keep telling them what you already told them, but it isn't about us. It is about the "no one ever told us" folks who make up a significant part of your user base.
Here are some items that need to be on your perpetual radar:
- Implement a security awareness program. This really needs to be part of your Superintendent's Conference Day and in-service training programs. CSI has put together a general staff cybersecurity awareness presentation suitable for Superintendent's Conference Days. There are other home-grown or prepared programs as well.
- Train staff in secure authentication. This includes turning on multi-factor authentication wherever it is offered, not re-using passwords, and not using district email addresses for non-district systems.
- Train staff in social media and social engineering attacks. This covers phishing as well as phone and social media scams. There are many subscription products to help with phishing attack education.
- Train staff in sensitive data handling. Ed Law 2D and GDPR have brought these issues to the forefront. There is a lot to unpack here, but it all starts with making sure sensitive data isn't exposed to unauthorized users, whether in the district, on the internet, or at home. This could be as simple as a password-protected screen saver with a timeout value, banning cached passwords, or training staff not to use shared logon IDs at home.
- Train staff in the causes of unintentional data exposure. This is a continuation of the previous topic, but also includes cloud-based shared folders, unencrypted laptops, and mobile devices. Remember that the SolarWinds hack of an estimated 18,000 organizations, including a significant part of the US government, has been alleged to be attributable in a significant way to an intern putting a generic, simple password on a critical system and pasting that password onto their personal shared folder in an insecure way.
- Train your staff in how to identify and report security incidents in your district. Do you have an incident response plan? What is it?
We are happy to talk to you about our Superintendent's Conference Day Cybersecurity staff awareness presentation. We have been working with a number of districts on formalizing their Disaster Recovery and Incident Response plans.
If you need assistance, give us a call.