Celia Paulsen

Creating a Culture of Security

Cybersecurity training involves more than an annual set speech

Published: Tuesday, October 27, 2020 - 11:02

October happens to be (among other things) Breast Cancer Awareness Month, Dental Hygiene Month, National Bullying Prevention Month, and my personal favorite, National Pizza Month. Plus, it’s Halloween! But I digress. We’re here to talk about cybersecurity.

Every manufacturer should hold cybersecurity awareness training for all its staff at least once a year. Many people are spooked by the mere mention of the words “cybersecurity” and “training,” so October could be an appropriate time for it. Your training should, at a minimum, cover relevant company policies such as your IT security, information security, and physical security.

Over the years many of us have taken this type of training and learned to dread it: the kind where someone gives the exact same cybersecurity speech they gave last year, and then hands out a paper for you to sign saying you were there. A real snooze fest. This kind of training does its job as far as meeting the bare minimum, but it has little impact on actually molding employee behavior.

The real purpose of cybersecurity awareness and training efforts should be to create a culture of security, meaning that employees should view good cybersecurity practices as good business and as part of “how we do business here.” Employees should feel enabled to make good cybersecurity decisions and understand what makes a good decision. Awareness and training should focus on the following elements:
• Stopping risky behavior: Help employees know which decisions can lead to a bad outcome. For example, opening email attachments from unknown sources.
• Encouraging less risky behavior: Help employees understand and care about implementing processes that increase security. For example, how to make strong passwords.
• Turning employees into sentinels: Help employees recognize and respond to a cybersecurity event. For example, what to do if a guest plugs an unauthorized USB drive into a machine.

Ideally, training should be a continuous effort. Some ideas on how to include cybersecurity training in the everyday workings of your business include:
• Regularly emphasize cybersecurity as an important goal of your company.
• Integrate one cybersecurity tip, trick, or reminder into every meeting.
• Post reminders around the workplace about appropriate security practices.
• Hold regular meetings to discuss possible process improvements, which can make it easier for employees to make better security decisions.

There has been a lot of research into what good employee cybersecurity training looks like. In general, it can be summed up using the acronym RAINSTORMS. (Yes, I just made that up.)
• Real: Using real-world case studies or realistic scenarios helps bring home the lessons.
• Actionable: Include something that employees can do immediately. This might be changing their passwords, making an inventory of their IT assets, or making sure they have contact information in their phones for the person or organization they should report an incident to. Sometimes a long-term homework assignment is appropriate as well, but having an immediate goal is always helpful.
• Interactive: Role-playing, small group discussions, or hands-on exercises are some great ways to make training more interactive. Ideally, the interactions should include bidirectional conversations involving all levels of management to ensure everyone knows that everyone has the same responsibilities, and everyone is on the same page.
• New: Some repetition is appropriate in training, especially when talking about policies, but it shouldn’t get stale. Different training formats (e.g., lecture, role-playing, videos) can help.
• Small: Bite-size chunks of information are much easier to digest than an entire computer-science degree’s worth of information forced upon employees. One topic at a time is generally preferable.
• Testable: There should be a measurable, testable goal for the cybersecurity training. If it’s general awareness, perhaps a quiz can be developed. If a goal is to mitigate phishing attacks, perhaps a fake phishing email can be sent both a few weeks before and a few weeks after the event. This will help show how effective the training was.
• Owned: Employees should leave the training feeling a sense of ownership and that cybersecurity is their responsibility; they should feel empowered to make good cybersecurity decisions.
• Relevant: Most companies have different types of users. Tailoring training to each type of user makes it more real. This may mean having different training for shop-floor employees vs. office employees.
• Memorable: Use acronyms, pithy mnemonics, or my personal favorite, humor. Humans remember funny things—puns, bad music videos, ridiculous memes of cats—much better than a boring lecture. Don’t be afraid to make it unconventional and have fun.
• Simple: Above all else, training should be simple. Overly technical lessons full of technobabble are only good for putting people to sleep.

The National Initiative for Cybersecurity Education (NICE) has a small list of free and low-cost resources to help with employee training. There are many additional resources available online. Just do an internet search, and you’ll be bombarded with options; evaluate those using the RAINSTORMS template above.

Throughout the month of October, NIST MEP has posted a series of blogs loosely following the theme and outline provided by the National Cybersecurity Alliance (NCSA). The theme for this year is “Do Your Part. #BeCyberSmart.”

The outline presented by the NCSA is as follows:
• Week of October 5 (Week 1): If You Connect It, Protect It
• Week of October 12 (Week 2): Securing Devices at Home and Work
• Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare
• Week of October 26 (Week 4): The Future of Connected Devices

Not sure where to start? You can learn more about how to implement an effective cybersecurity training program by contacting your local MEP Center. You can also access cybersecurity resources for manufacturers on the NIST MEP website.

First published Sept. 28, 2020 on the NIST Manufacturing Innovation Blog.

About The Author

Celia Paulsen

Celia Paulsen facilitates efforts to improve the cybersecurity posture of small and medium size manufacturers throughout the United States as the National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) cybersecurity services specialist. She has been at NIST for about 10 years doing research and developing guidance in areas such as cyber supply-chain risk management, small business cybersecurity, and cybersecurity for additive manufacturing. Prior to joining NIST, Paulsen was an analyst for the National Security Agency in the U.S. Army. She has an MBA in information security from California State University, San Bernardino, and bachelor’s degrees in information technology and business management.