By Dr. Kevin Harris
Faculty Member, School of STEM at American Public University
Most would agree that we need to do more to secure our technology resources. However, there is no panacea or silver bullet for this, and securing those resources often requires highly complicated technical solutions. While these solutions are needed, education is one method to attack this problem. A large number of exploits are not malicious; some employee actions have compromised data by accident.
Cybersecurity awareness training, if effectively administered, can significantly mitigate risks. Providing non-IT college students with cybersecurity awareness training will ensure tomorrow’s workforce has a baseline understanding of cybersecurity risks and how mitigation can help. While it is common practice for IT students to be exposed to cybersecurity defense training, the same cannot be said for other majors. This is a mistake because these other students will be the largest portion of the workplace after graduation. They will handle sensitive information including banking, medical, and intellectual property, to name a few.
The training of non-technology workers is becoming paramount with the prevalence of always-connected devices. For example, my doctor uses a laptop to enter my records into their medical database. Just think if they decided to check their email on that device and downloaded malware, potentially compromising all patient medical records in the office. Another example could include a bank employee practicing good customer service by printing a document for a customer from their phone as a favor. Unbeknownst to the customer, the document contained malware that infected the employee’s computer, which, if not detected, could have a large negative impact.
An organization can be liable for large fines or be exposed to negative publicity because a well-intentioned employee downloaded confidential information to a device that is then compromised by malware, or that is misplaced and not secured.
Cybersecurity education could therefore potentially have several positive impacts, including:
- The employee would be aware of the dangers of downloading the information. This would provide an opportunity to stop the situation before it starts.
- Guidelines would be provided on the type of device to use when downloading data, such as one that has up-to-date software, contains malware detection, and is not used to download other software or access insecure sites.
- If an employee determines the device may be infected, guidelines would be provided for incident response steps and who should be notified. Additionally, this step could limit the fines an organization receives.
This type of education should not be limited to students. It should be the responsibility of organizations to ensure a culture that is focused on cybersecurity defense. Awareness programs should be implemented at both the educational and professional levels to train workers on cybersecurity defense. While education alone is not a silver bullet to secure systems, it is another instrument in the toolbox to protect valuable data resources. Most importantly, it must be remembered that while mobile and wireless connections provide users with expanded mobility and productivity opportunities, security cannot be sacrificed for convenience.
About the Author: Dr. Kevin Harris has over 20 years of experience in the Information Technology field with positions ranging from Systems Analyst to Chief Information Officer. He performs research and serves as faculty at the collegiate level in the primary fields of information security and computer forensics. Specific interests include research on the digital divide, working with disadvantaged youth, and working to ensure a trained cyber workforce in the country.