Cybersecurity Training & Education by Industry
by Arina Smith | Business Security Systems | 17 October 2017
An organization will never be able to eliminate all cybersecurity risks, but it can minimize those risks with a regular program of cybersecurity training and education for its employees. Many aspects of cybersecurity training are applicable to all industries, but employees in specific industries will benefit more from an emphasis on risks that are more prevalent in their industries.
Small and Medium-Sized Businesses (SMBs)
SMB employees often feel insulated from cybersecurity attacks on the mistaken belief that hackers prefer to target large businesses that maintain larger troves of data. SMBs, however, are likely at a greater risk of cyberattacks than are larger businesses that erect more technical defenses and have larger IT staff. SMB cybersecurity training should focus on identifying and protecting the SMB’s assets that are most at risk, creating and maintaining a high level of awareness of the kinds of cyberattacks that are likely to be launched against an SMB, and emphasizing that no business, regardless of size, is immune to cybersecurity risks.
Healthcare
The regulatory environment in which healthcare providers operate naturally encourages a focus on HIPAA compliance in cybersecurity training. HIPAA compliance is critical, but healthcare organizations should also understand the many other cybersecurity risks they face, including malware and ransomware attacks that can freeze a hospital’s information systems and prevent the delivery of critical care. Hackers who launch ransomware attacks typically target organizations, like medical centers, that have zero tolerance for downtime. Awareness of this risk level is a critical step in preventing an employee, for example, from clicking on an email link or attachment that can launch a ransomware attack.
Accounting Firms
Accounting firms have access to or maintain valuable information about their clients’ finances, including bank account numbers and balances, and identifying information to access those accounts. The AICPA has identified several aspects of cybersecurity training that are crucial for CPAs and employees of accounting firms, including regular system and antivirus updates, strong password protection, device tracking and management, backup and encryption policies, data breach response plans, and procuring cybersecurity insurance to protect against direct losses and third-party liabilities that flow from a cyberattack. It is not possible or practical to charge every employee with responsibility for all of these matters, but maintaining awareness through cybersecurity training and education will establish an atmosphere of checks and balances that lowers overall cybersecurity risks.
E-Commerce
Companies that engage in any form of online commerce operate in a state of high cybersecurity risk on a daily basis. Much of that risk is generated internally, by employees who either intentionally or negligently expose data and information held by their e-commerce employer to hackers who target them with phishing scams and other cyberattacks. Cybersecurity experts recommend that e-commerce companies train their employees to recognize social engineering attacks, including, for example, fraudulent emails that purport to be from a company officer and that direct an employee to forward confidential information to the officer or to transfer funds to an outside account. E-commerce employees should also be trained to use strong passwords for all accounts and to change those passwords regularly.
Banking and Financial Services
Banks and other financial services companies face a cybersecurity risk level that is similar to the CPA environment. Training for financial services employees should emphasize the importance of each employee’s individual responsibility for cybersecurity, including strong passwords, limiting or precluding the use of personal devices for work-related access to a financial services company’s internal network, heightened awareness of phishing scams, and implementing a cyberattack response plan that all employees can understand and follow in the event of an attack. As with all industries, a good cybersecurity insurance policy should be part of that plan. Insurance is the final fail-safe of every training and education program, limiting the damages that can accumulate if employee training and education fail to prevent an attack.