You'd think by 2016, with decades of experience, corporate executives would have cyber security as a "top of mind" issue. There's plenty of research documenting the rise of electronic crime, but the CEOs of the world have to get up to speed on threats and preventive measures -- or their companies are going to get burned, and burned badly.
By 2019, the bill for cybercrime is expected to hit $2.1 trillion, according to Juniper Research. That's serious money and something executives can understand as a direct hit to the bottom line. But what's the issue?
CEOs are being bogged down in a flurry of details and recommendations to lock the doors, according to Steve Morgan, a contributor at Forbes. A recent report from NASDAQ and end-point security vendor Tanium says more than 90 percent of corporate executives say they can't read a cyber security report and aren't prepared to handle a major attack.
Experts speaking at the Cyber Investing Summit last week said C-level executives need security education, but the biggest challenge is finding the time and training programs specifically set up for executives who need to get up to speed on active threats.
Cybervista, a cyber security training company cited by Morgan, says C-level security training needs to have two main components. Everything needs to be in plain English and business terms – not jargon – so it can be easily understood. Education also needs to be delivered in small blocks of 15 to 20 minutes at a time so it can realistically be worked into an executive's busy schedule.
But will this be enough? I think there are both near-term fixes and long-term solutions that need to be applied. Loss education is a near-term fix, directly linking cyberattacks to disruption of business and the damage done to the bottom line. Recent case studies "ripped from the headlines" (apologies to Dick Wolf) abound.
Target's December 2013 security breach dragged on for months, with up to 42 million people having credit or debit card information stolen, and another 61 million people having personal data stolen, including names, mailing addresses, phone numbers, and email addresses. The company offered $10 million to settle a class action suit, $34.9 million to settle with banks, and untold amounts of money to Verizon and other security consultants to evaluate controls between electronic systems and for penetration testing. Add on purchasing new chip-and-pin systems and "hundreds of millions of dollars" in additional security people and new infrastructure for cyber security, according to Krebs on Security. And that's before we get into intangibles, such as damage to the company's reputation.
More recently, so-called ransomware attacks on hospitals and health care systems this spring left hospitals unable to access patient data and sometimes having to turn patients away. What's the liability to the hospital if patients die because critical systems weren't properly secured? Once again, it's the trifecta of unexpected expenditures: 1) immediate expenditures to fix and secure compromised systems and restore business processes to working order, 2) remedial and proactive measures to secure systems and prevent future breaches, and 3) settlements due to the effect on customers and business partners.
Insurance companies, having to pay out on policies for losses, will (if they haven't already) start looking at "cyber risk" as a part of premiums. If your business has obvious weaknesses, expect higher premiums the first time around, and expect certain losses to be denied if proactive measures aren't taken to fix documented risks.
Longer term, cyber security education will be a bottom-up rather than top-down task. Business majors need to get at least a semester on cyber security, while mid-level employees will need to get their own cyber security education and awareness training. The CEO may establish direction and allocate resources, but it is the worker bees who will ultimately implement the measures and protect the business.
Edited by Maurice Nagle