In the wake of the WannaCry incident where the National Security Administration (N.S.A.) was hacked and exploited, both public and private companies recognize the crucial need to continue evaluating their cybersecurity programs. Incidentally, state governments are passing laws that require data security training, sending a signal to private companies that they should do the same.
Current Cybersecurity Threats Out There
Many data security risks arise from the hands of insiders, which include employees, contractors, and third parties. Verizon’s 2017 Data Breach Investigations Report shows that social engineering attacks, such as phishing and pretexting scams, are the most common data security risks created by insiders. The data suggests that only 20% of insiders who do fall prey to social engineering attacks would report them to their employer.
Human data security risks also implicate ransomware, which Wired explains as “malware that locks your keyboard or computer to prevent you from accessing your data until you pay a ransom.” According to the Verizon Report, social engineering scams were found in 21% of all recorded ransomware attacks. Even worse, ransomware attacks have steadily risen from the 22nd most common attack to 2014 to the fifth most common attack in 2016.
Finally, gaining unauthorized access to sensitive information is a data security risk created by insider actions, especially employees. “The insider threat, while not as common in breaches as external actors, is still very significant, accounting for 15% of breaches,” the Report maintained.
Regardless of intention, employees are getting access or allowing others to access sensitive information, leading the Report to recommend security awareness training as an essential control.
Cybersecurity Awareness Training Mandates
Perhaps as a result of the risk of insiders, states are mandating cybersecurity awareness training for state government employees. For example, three states—Oregon, Illinois and Nevada—passed laws that require the employees and staff of each state’s agencies to take cybersecurity awareness training, among other requirements. As will be explained, private-sector businesses should do the same.
Oregon – S.B. 90
Oregon law now requires the state’s executive agencies “[c]onduct and document the completion of annual information technology security awareness training for all agency employees.” The law is part of a large effort to overhaul the entire information technology program of Oregon agencies and became effective on July 1, 2017 as an “emergency” measure.
Illinois – H.B. 2371
Illinois law directs the Illinois Department of Innovation and Technology to provide employees of the executive branch to take cybersecurity training at least once a year. The training content must include (1) detecting phishing scams, (2) preventing spyware, infections, and identity theft, and (3) preventing and responding to data breaches. The bill expressly mentions that the training may be delivered online. The law is effective on January 1, 2018.
Nevada – A.B. 471
The bill creates the Nevada Office of Cyber Defense Coordination and requires it to coordinate cybersecurity awareness and training for state agency employees. The law has been in effect since July 2017 and requires the Office to publish its report by January 1, 2018.
Why State Data Security Training Mandates Impact Companies
While the laws do not affect private employers, they may affect them in the near future. The New York State Department of Financial Services is requiring all banks under its stead to provide cybersecurity awareness training to bank employees by March 2018.
The cybersecurity regulation impacts a large portion of the banking industry that is already under considerable data security regulation given the Gramm-Leach-Bliley Act, FFIEC examination protocol, and international laws such as the General Data Protection Regulation and the UK Privacy Shield.
Following the law is necessary. However, laws and policies do not always regulate human actions. As my colleague Steve Treagus explains,
Insider negligence is the leading cause of data loss or theft, and unauthorized data sharing can undermine your best efforts at data security — even if employees are otherwise trained in cybersafety protocols. Training in cybersecurity awareness is extremely important — but no training can stand alone. Employers need to also shore up cybersecurity policy, balance security with productivity needs, and bolster their security infrastructure to secure data in whatever form it takes and wherever it’s stored and used.
Data security awareness training is a critical facet of a company’s cybersecurity program. While many companies are not required to provide cybersecurity training, new laws and data security trends show the benefits of doing so regardless of requirement.
Learn More About Our Data Security Training
EVERFI can help support your managers with online compliance and ethics training for employees and supervisors. Additionally, EVERFI will deliver a robust, cloud-based learning management system to help you easily deploy and track our growing library of compliance training courses, including code of conduct and ethics, anti-harassment, data security, and much more. Contact us today for a free demo.