Even large multinational conglomerates have proven vulnerable to cyberattacks, as exemplified by the information breach suffered by Sony Pictures Entertainment. That attack led to the release of confidential information and a number of unreleased films, caused considerable damage to the company, and provoked an uproar in the film industry. However, as the Forbes article “What The Sony Hack Can Teach About Cyber Security” notes, companies are unlikely to return to the old way of managing IT security by closing off their information entirely, because the public demands digital openness (Dawson, 2015). As a result, companies have begun to focus their attention on developing other methods of cyber protection.
Developing a company training program that educates employees on cybersecurity policies, procedures, standards, and guidelines, and thereby ensures compliance with state and federal cyber law, is a difficult and meticulous task. It needs to take into consideration both present and future dangers, the nature of the business itself, and the company's other individual needs and vulnerabilities.
The first step in developing a sound cyber training program is to draft a plan that defines the program's objectives and sets reasonable deadlines for reaching them. A dedicated group would need to be assigned to design and implement such a program.
The second step would be to establish the conditions for a successful cybersecurity program. To maximize the result, the right people need to be selected for the job. Besides possessing essential IT skills and experience, the personnel involved in the training need to go through extensive background checks to rule out conflicts of interest or even potential malicious intent (Easttom & Taylor, 2011).
The selected participants will receive both tool-based and narrative-based training. Tool-based workshops will focus on mastering the software and hardware the company uses to protect itself against both internal and external cyberattack attempts. This training will also inform the staff about the types of software that can be used against the company and give them a chance to familiarize themselves with how such software functions. It will include workshops, practice sessions, and role-playing exercises aimed at reinforcing the learned practices and routines.
The narrative-based training will focus on the theory of cyber threats and security, and will teach participants about the tactics used by cyber attackers and about the cybersecurity policies, procedures, standards, and guidelines they need to understand and adhere to. This would include both the company's internal policies and external requirements, including state and federal cyber law. This training will consist of presentations, lectures, and case studies (Stevens-Adams et al., 2013). Besides the dedicated groups focused on cybersecurity, regular narrative training would need to be provided to general staff to increase their preparedness. Its content would be identical to the narrative training given to the dedicated groups and would consist of the same practices.
The cybersecurity training will be conducted upon induction into the company, followed by regular “refresher” training, drills, and assessments. While many sources show that companies perform annual assessments, in the rapidly developing cyberspace it would be better to conduct a full test of staff cybersecurity familiarity at least twice a year and to hold briefings once every one to two months, depending on staff turnover and the frequency of attacks (Egan, 2014).
To maximize effectiveness, the training needs to build knowledge, skill, and experience, and be supported by continuous evaluation of the participants to ensure their full comprehension and to eliminate the vulnerabilities that gaps in knowledge create. The level of employee comprehension of, and dedication to, the cybersecurity policies would need to be monitored regularly, in a way that is ethical, legal, and to which the employees have knowingly consented (Yerby, 2013).
References
Dawson, F. (2015). What The Sony Hack Can Teach About Cyber Security. Forbes.
Easttom, C. & Taylor, J. (2011). Computer crime, investigation, and the law. Boston, Mass.: Course Technology PTR/Cengage Learning.
Egan, G. (2014). What’s Your Frequency of Security Training vs. Frequency of Attack?
Stevens-Adams, S., Carbajal, A., Silva, A., Nauer, K., Anderson, B., Reed, T. & Forsythe, C. (2013). Enhanced Training for Cyber Situational Awareness. Foundations of Augmented Cognition, 90-99.
Yerby, J. (2013). Legal and ethical issues of employee monitoring. Journal of Applied Knowledge Management, 1(2), 44-55.