Archived Insight | January 8, 2021

Cybersecurity Training for Employees: Know Your Role

Today, cybersecurity training is a must for all employees, as cybersecurity attacks are increasing in frequency and sophistication. If you’re like most organizations, your employees must complete basic annual training on secure business practices, covering password policies, encrypting email, spotting phishing attempts, HIPAA laws and the definitions of protected data.

But to remain truly secure, you should provide additional training that goes beyond the basics. According to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the stakeholders most in need of advanced cybersecurity training include senior executives, privileged system users, physical and cybersecurity personnel, system administrators and third-party stakeholders such as suppliers, customers and business partners.

Let’s look at each role separately.

Cybersecurity Training for Employees

Senior Executives

Besides the standard training, senior executives will also need to know:

  • The laws relating to cybersecurity, especially HIPAA and the possibility of significant fines
  • The legal liabilities and reputational damage that the organization, and they personally, face in the event of a cybersecurity attack
  • The many types of cyberattacks possible and how to evaluate the cyber risk associated with them
  • The types and speed of decisions required during a cyberattack
  • The security questions to ask when high level ideas or strategies are discussed
  • An understanding of how to create a strong cybersecurity program
  • The governance, policies and procedures required to best protect the organization

Privileged system users

These are people with “super-user” access to a specific system, with the ability to view, edit and delete highly confidential data. They will need to know:

  • Detailed information about the system they are on and how the data can be subject to risk
  • Ethical responsibilities of the privileged user
  • Increased review of privacy laws and liabilities
  • Detailed training on policies and procedures relating to their role
  • How to protect their privileged accounts and access, including what not to do while logged in with privileged system access, such as internet browsing

Physical security personnel

These are your front desk support people and security guards. They will need to know:

  • What risks they should be monitoring for
  • How to report an incident
  • How to capture potential incident evidence
  • Daily procedures for performing their duties, such as verifying doors are locked, cameras are functioning, lighting works as expected, desks are cleared, etc.
  • How to handle emergency situations such as water or fire in the data center

System administrators

These are your IT personnel with full or root access to your systems. They may have the ability to install software; install or modify system processes; create or modify system configurations; create or modify system access controls and view or control the screen of the user through remote access technologies in order to assist them. They will need to know:

  • What risks they should be monitoring for
  • Ethical responsibilities
  • What not to do while logged in as a system administrator, such as internet browsing
  • Increased review of privacy laws, copyright laws and liabilities
  • Detailed training on policies and procedures relating to their role such as change and configuration management and user password administration


Cybersecurity personnel

These are the people who specifically protect against, detect and respond to cybersecurity incidents. They will need to know:

  • How to configure and use any cybersecurity protection software or hardware tooling
  • What risks they should be monitoring for
  • How to evaluate the seriousness of a cybersecurity attack
  • Where the incident response plan is located, their individual roles and responsibilities in it, and what decisions they may have to make if a cybersecurity incident is moving very quickly throughout the organization

Third-party stakeholders

These are the business personnel of your organization who depend on the IT systems and data, any vendors or suppliers your organization works with, and possibly your customers. They will need to know:

  • What is expected of them should an incident occur
  • How they can report an incident to your security officer or IT organization
  • How you will communicate with them in all instances so they can identify real versus fake communications
