Baseline Security Training for Small Business and Public Entities

Posted by Mark Greisiger

A Q&A with Steve Leventhal of SkillBridge
Almost every organization can benefit from additional training in security matters, but many small businesses and public entities overlook this essential. Steve Leventhal, principal of SkillBridge in Waltham, MA, explains the benefits and considerations of security training.

Why is security training vital for small organizations?
Security training is vital for any organization, regardless of size. Every organization has a vested interest in these matters. There are real threats out there that we all need to be aware of. Think of the end user that clicks a link or opens a file that’s emailed to them, even at home, and unleashes malware on the system. With the rise of personal computing devices and remote access to corporate networks, we are constantly at risk—the challenge is to raise the security mindset of every individual.

Which type of training (or topic) might be the most helpful to start with?
A couple of different areas: First, user level awareness campaigns—not just a 20- or 30-minute course once a year, check-a-box type of thing, but more of an ongoing approach. In addition, most industries are working under some type of regulation and organizations need to be kept aware of the changing rules for compliance. That might mean videos once a week or once a month—whatever is appropriate. And obviously, skills training for technical personnel is high on our list of topics. We find that training is most effective when it’s targeted to the role of the participants, whether it’s management, technical personnel or any other role. This helps clarify the potential threats the employee might encounter and their specific responsibilities in keeping them at bay.

How might an organization go about engaging a course instructor for training?
There are many different ways to go about it, and no shortage of delivery methods. The key is figuring out up front what this coordinated effort should look like and how to align that with the organization’s requirements, its size, its budget and the geographic location of the workforce. Creating a security-centric culture has to come from the top so any training should involve top-level decision makers and business owners. Our offerings range from two-hour WebEx discussions to self-paced video programs to in-depth onsite instructor-led programs. For end users we have self-paced computer modules available, in either an off-the-shelf or a customized format that incorporates company-specific processes and procedures.

Is there an optimal time to begin training?
Now. With all of the hype about data breaches, it’s easy to get caught up in a cycle of addressing the issue of the moment with the latest and greatest product or service or solution, but when you’re in that reactive posture the bad guys are getting the best of you. Stop and take a look at your own organization and find out what’s most important for you right now. Be proactive and implement security from the outset so you’re not just ignoring these issues or blindly throwing resources at the problem, because that’s a losing battle.

In summary…
Steve’s comments underscore the fact that organizations experience a steady stream of cyber risk due to factors such as constant staff and technology changes, along with new malicious threats appearing on a daily basis. Given that employees are often charged with safeguarding information assets, it’s prudent to implement a training program that allows staff to stay current, with timely reminders about best and baseline security and privacy practices.