The new Flash vulnerability and other Olympic-related hacks and exploits reinforce the importance of good cybersecurity practices and cyber hygiene. Confronted with sophisticated “cyber bandits” attempting to hold hostage information or to use it as part of wider exploits, organizations must become Cybersecurity Learning Organizations. Although the concept of a learning organization is not new, applying its precepts in cybersecurity could help organizations cultivate an environment of improved cybersecurity awareness.
A Supportive Learning Environment
Individual users continue to be the single greatest factor in cyberattacks. According to the 2017 Global Information Security Workforce Study, awareness of cybersecurity issues among non-technical staff is one of the top 5 factors important to securing an organization's infrastructure[i]. This means that organizations must include non-technical staff in the design of cybersecurity education and training programs. Employees must feel comfortable expressing their thoughts about cybersecurity concerns and potential solutions. This openness to new ideas is how learning organizations design innovative approaches to mitigating cybersecurity challenges.
Daily Integration of Cybersecurity Learning Processes and Procedures
Cybersecurity learning is built on regular, daily reinforcement. It involves generation, collection, interpretation, and dissemination of information[ii]. At my company, Engility, our cybersecurity team regularly sends out simulated phishing emails. We've integrated a “report phishing attack” tool button on our Outlook platform. When employees either report a phishing attack via this button or open one of these simulated phishing attacks, they're notified this was a simulated attack – and more importantly, they're given tips and techniques to better recognize these kinds of attacks in future. This example of integrating learning into daily activities also provides analytics regarding user cyber habits, which in turn informs future education and training initiatives.
A Culture of Cybersecurity Learning
It starts at the top. A strong cybersecurity culture is both a mindset and an important aspect of business operation. It's often stated that organizations take on the personality of their leaders. When leaders demonstrate a willingness to entertain new points of view, the organization feels encouraged to offer new ideas. A significant part of this is leadership involvement in creating a cybersecurity training program that's periodic and consistent.[iii] Cybersecurity Learning Organizations are less interested in the number of employees completing annual refresher training, and more interested in creating a culture of cybersecurity.
Today, cybersecurity is integral to daily life. We've all seen the consequences of poor cyber hygiene. Creating a Cybersecurity Learning Organization with a culture focused on good cyber habits will help keep our people aware, effective and, most importantly, safe.
[i] 2017 Global Information Security Workforce Study: U.S. Federal Government, Center for Cyber Safety and Education, retrieved from https://iamcybersafe.org/wp-content/uploads/2017/05/2017-US-Govt-GISWS-Report.pdf on 5 March 2018.
[ii] Is Yours a Learning Organization?, David A. Garvin, retrieved from https://hbr.org/2008/03/is-yours-a-learning-organization on 5 March 2018.
[iii] The Importance of a Security Culture Across the Organization, Kevin Beaver, retrieved from https://securityintelligence.com/the-importance-of-a-security-culture-across-the-organization/ on 5 March 2018.