Training Employees for Industrial Cybersecurity
A well-trained staff in the cybersecurity space gives you the most bang for your buck when considering the best ways to protect your sites from cyber attacks. Training employees has a comparatively low capital expenditure cost and is extremely effective. However, cybersecurity training is not a destination; it is a process of continuous improvement. This guide will hit on a few key aspects to get your organization moving in the right direction.
Getting Everyone On Board
The important first step in improving the cybersecurity of your industrial site is 100 percent buy-in from the entire organization. This should be easy, since cybersecurity affects everyone in the organization, from janitors to CEOs, and improving cybersecurity practices will also lead to improvements in a plant’s reliability, profitability and safety.
According to Security Incidents Organization, the majority of cyber incidents come from within an organization, and the majority of those internal incidents are unintentional! Is it clear yet how important training your staff is?! We argue that training and improvement programs for cybersecurity should be handled similarly to safety improvement programs. We’ve probably all heard (or maybe even partaken in) grumbling about ‘dang IT’ making password changes to strings that are too hard to remember, etc. When cybersecurity policies are rolled out to your organization, they should be rolled out together with the reasons behind them and how they affect everyone in the organization, so that employees won’t be so tempted to stick passwords on sticky notes by their machines!
Cybersecurity Training Guide
Once your staff understands the importance of cybersecurity, here are some aspects that should be touched on:
- Password management
  - Should passwords be hard to guess? Yes.
  - Should passwords be written on tape at the machine that requires them? No. Let’s move on.
- Access and application management
  - Make sure that your staff has access to the places and applications that they need to do their job effectively, but not to places and applications unrelated to their jobs. If network cabinets don’t need to be accessed by plant operators, don’t give them a key (or leave the cabinets unlocked!). The same holds true for applications that change network settings or the programming of your facility’s devices.
- Train your staff on escalation management and to ask questions
  - The IT and network security group should be transparent and easy to work with. Staff should not see the group as a bunch of red tape to be skirted around, but as an asset that helps them accomplish their goals. When an engineer has a contractor in to do some control-system changes, the engineer should be able to get a quick and easy response from IT on how the contractor can acceptably access the parts of the network that they need.
- Recognize threats or attacks
  - Employees should be able to recognize a threat or attack and have a clear path for escalating the situation. This could be something like forwarding a spear-phishing attempt to the cybersecurity group for clarification, or reporting unknown or unescorted personnel on site.
- Visitor management and escorts
  - Recording, identifying and giving clear directions to contractors and visitors is vitally important, especially if they are going to access the network or add any assets to it. This will help your visitors be more efficient on your site and reduce the risk of them inadvertently causing a cyber event.
We hope that you’ve found this guide helpful. If you have any comments or suggestions, please send them to INS@anixter.com.