Celia Paulsen


Creating a Culture of Security

Cybersecurity training involves more than an annual set speech

Published: Tuesday, October 27, 2020 - 12:02

October happens to be (among other things) Breast Cancer Awareness Month, Dental Hygiene Month, National Bullying Prevention Month, and my personal favorite, National Pizza Month. Plus, it’s Halloween! But I digress. We’re here to talk about cybersecurity.

Every manufacturer should hold cybersecurity awareness training for all its staff at least once a year. Many people are spooked by the mere mention of the words “cybersecurity” and “training,” so October could be an appropriate time for it. Your training should, at a minimum, cover relevant company policies such as your IT security, information security, and physical security.

Over the years many of us have taken this type of training and learned to dread it: training where someone gives the exact same cybersecurity speech they gave last year, then hands out a paper for you to sign saying you were there. A real snooze fest. This kind of training meets the bare minimum but has little impact on actually changing employee behavior.

The real purpose of cybersecurity awareness and training efforts should be to create a culture of security, meaning that employees view good cybersecurity practices as good business and as part of “how we do business here.” Employees should feel enabled to make good cybersecurity decisions and understand what makes a decision good. Awareness and training should focus on the following elements.
• Stopping risky behavior: Help employees know which decisions can lead to a bad outcome. For example, opening an unexpected email attachment, even when the message appears to come from someone they know.
• Encouraging less risky behavior: Help employees understand and care about practices that increase security. For example, how to make strong passwords and why the same password should never be reused across accounts.
• Turning employees into sentinels: Help employees recognize and respond to a cybersecurity event. For example, what to do if a guest plugs an unauthorized USB drive into a machine, and whom to tell.

Ideally, training should be a continuous effort. Some ideas on how to include cybersecurity training in the everyday workings of your business include:
• Regularly emphasize cybersecurity as an important goal of your company.
• Integrate one cybersecurity tip, trick, or reminder into every meeting.
• Post reminders around the workplace about appropriate security practices.
• Hold regular meetings to discuss possible process improvements, which can make it easier for employees to make better security decisions.

There has been a lot of research into what good employee cybersecurity training looks like. In general, it can be summed up using the acronym RAINSTORMS. (Yes, I just made that up.)
• Real: Using real-world case studies or realistic scenarios helps bring home the lessons.
• Actionable: Include something that employees can do immediately. This might be changing their passwords, making an inventory of their IT assets, or making sure they have contact information in their phones for the person or organization they should report an incident to. Sometimes a long-term homework assignment is appropriate as well, but having an immediate goal is always helpful.
• Interactive: Role-playing, small group discussions, or hands-on exercises are some great ways to make training more interactive. Ideally, the interactions should include bidirectional conversations involving all levels of management to ensure everyone knows that everyone has the same responsibilities, and everyone is on the same page.
• New: Some repetition is appropriate in training, especially when talking about policies, but it shouldn’t get stale. Different training formats (e.g., lecture, role-playing, videos) can help.
• Small: Bite-size chunks of information are much easier to digest than an entire computer-science degree’s worth of information forced upon employees. One topic at a time is generally preferable.
• Testable: There should be a measurable, testable goal for the cybersecurity training. If it’s general awareness, perhaps a quiz can be developed. If a goal is to mitigate phishing attacks, perhaps a fake phishing email can be sent both a few weeks before and a few weeks after the event. Compare not only how many people clicked but how many reported the email, and be careful about drawing conclusions from a small group, where a few clicks either way can swing the percentage. This will help show how effective the training was.
• Owned: Employees should leave the training feeling a sense of ownership and that cybersecurity is their responsibility; they should feel empowered to make good cybersecurity decisions.
• Relevant: Most companies have different types of users. Tailoring training to each type of user makes it more real. This may mean having different training for shop-floor employees vs. office employees.
• Memorable: Use acronyms, pithy mnemonics, or my personal favorite, humor. Humans remember funny things—puns, bad music videos, ridiculous memes of cats—much better than a boring lecture. Don’t be afraid to make it unconventional and have fun.
• Simple: Above all else, training should be simple. Overly technical lessons full of technobabble are only good for putting people to sleep.
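The “Testable” item above suggests a fake phishing email a few weeks before and a few weeks after training. The script below is an added example, not code from the NIST MEP post, showing how to score such a campaign: click and report rates per user group (the office versus shop-floor split from the “Relevant” item) plus a two-proportion z-test, so that a drop that could easily be chance on a 30-person group is not reported as a training win. The campaign records, group names, and counts are constructed sample data; the `Record` layout and the `evaluate` function are assumptions of this example, not a NIST tool.

```python
"""Score a before/after phishing simulation per user group.

Added example (not from the NIST MEP post). Computes click and report
rates for a "pre" and "post" campaign in each user group and runs a
pooled two-proportion z-test on the click rate so a chance fluctuation
on a small group is not mistaken for a training effect.
All campaign records below are constructed sample data.
"""
from collections import defaultdict
from math import erfc, sqrt
from typing import Dict, List, NamedTuple


class Record(NamedTuple):
    user: str
    group: str      # audience the training was tailored to, e.g. "office"
    campaign: str   # "pre" (before training) or "post" (after training)
    clicked: bool   # followed the simulated phishing link
    reported: bool  # flagged/forwarded the email to the reporting contact


def make_records(group: str, campaign: str, n: int, clicks: int, reports: int) -> List[Record]:
    """Construct n sample records with the given click and report counts."""
    return [
        Record(f"{group}-{i}", group, campaign, i < clicks, i >= n - reports)
        for i in range(n)
    ]


# Constructed sample campaign: two groups, one email before and one after training.
SAMPLE = (
    make_records("office", "pre", 40, clicks=12, reports=3)
    + make_records("office", "post", 40, clicks=4, reports=15)
    + make_records("shop_floor", "pre", 30, clicks=9, reports=2)
    + make_records("shop_floor", "post", 30, clicks=7, reports=5)
)


def tally(records: List[Record]) -> Dict[str, Dict[str, Dict[str, int]]]:
    """Return {group: {campaign: {"n", "clicked", "reported"}}}."""
    t = defaultdict(lambda: defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0}))
    for r in records:
        cell = t[r.group][r.campaign]
        cell["n"] += 1
        cell["clicked"] += int(r.clicked)
        cell["reported"] += int(r.reported)
    return t


def one_sided_p(x1: int, n1: int, x2: int, n2: int):
    """Pooled two-proportion z-test; p-value for H1: rate1 > rate2.

    Returns (z, p). The normal tail is computed with erfc, so no SciPy
    is needed. Only meaningful when expected counts are not tiny.
    """
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0, 1.0
    z = (p1 - p2) / se
    return z, 0.5 * erfc(z / sqrt(2))


def evaluate(records: List[Record], alpha: float = 0.05) -> Dict[str, dict]:
    """Per group: pre/post click and report rates, the z-test result, and
    whether the normal approximation is reasonable (expected counts >= 5)."""
    out = {}
    for group, camps in tally(records).items():
        if "pre" not in camps or "post" not in camps:
            continue  # no before/after pair to compare
        pre, post = camps["pre"], camps["post"]
        z, p = one_sided_p(pre["clicked"], pre["n"], post["clicked"], post["n"])
        pooled = (pre["clicked"] + post["clicked"]) / (pre["n"] + post["n"])
        approx_ok = all(
            n * pooled >= 5 and n * (1 - pooled) >= 5 for n in (pre["n"], post["n"])
        )
        out[group] = {
            "click_rate_pre": pre["clicked"] / pre["n"],
            "click_rate_post": post["clicked"] / post["n"],
            "report_rate_pre": pre["reported"] / pre["n"],
            "report_rate_post": post["reported"] / post["n"],
            "z": z,
            "p_value": p,
            "significant_drop": approx_ok and p < alpha,
            "approx_ok": approx_ok,
        }
    return out


if __name__ == "__main__":
    for group, r in evaluate(SAMPLE).items():
        print(
            f"{group:11s} clicks {r['click_rate_pre']:.0%} -> {r['click_rate_post']:.0%}  "
            f"reports {r['report_rate_pre']:.0%} -> {r['report_rate_post']:.0%}  "
            f"z={r['z']:.2f} p={r['p_value']:.3f} "
            f"{'improved' if r['significant_drop'] else 'not distinguishable from chance'}"
        )
```

Run as a script it prints one line per group. In the sample, the office group drops from 30 to 10 percent clicks, which the test accepts as a real improvement, while the shop-floor group drops from 30 to 23 percent on 30 people and the test correctly declines to call that an improvement. Reporting the report rate alongside the click rate measures the “sentinel” goal, which a click rate alone misses.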

The National Initiative for Cybersecurity Education (NICE) has a small list of free and low-cost resources to help with employee training. There are many additional resources available online. Just do an internet search, and you’ll be bombarded with options; evaluate those using the RAINSTORMS template above.

Throughout the month of October, NIST MEP has posted a series of blogs loosely following the theme and outline provided by the National Cybersecurity Alliance (NCSA). The theme for this year is “Do Your Part. #BeCyberSmart.”

The outline presented by the NCSA is as follows:
• Week of October 5 (Week 1): If You Connect It, Protect It
• Week of October 12 (Week 2): Securing Devices at Home and Work
• Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare
• Week of October 26 (Week 4): The Future of Connected Devices

Not sure where to start? You can learn more about how to implement an effective cybersecurity training program by contacting your local MEP Center. You can also access cybersecurity resources for manufacturers on the NIST MEP website.

First published Sept. 28, 2020 on the NIST Manufacturing Innovation Blog.


About The Author


Celia Paulsen

Celia Paulsen facilitates efforts to improve the cybersecurity posture of small and medium size manufacturers throughout the United States as the National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) cybersecurity services specialist. She has been at NIST for about 10 years doing research and developing guidance in areas such as cyber supply-chain risk management, small business cybersecurity, and cybersecurity for additive manufacturing. Prior to joining NIST, Paulsen was an analyst for the National Security Agency in the U.S. Army. She has an MBA in information security from California State University, San Bernardino, and bachelor’s degrees in information technology and business management.