Learning about information security – the hard way or through anticipation and practice?
Information security is an increasingly important part of the lives of private individuals, companies and organisations alike. You can learn secure practices and ways to minimise threats in many ways. However, it is important to consider what you would need to learn and how you can best learn those particular matters.
The least you can do is learn from your own mistakes. When an information security threat is realised, it is important that, once the dust has settled, you analyse the situation. You can then draw conclusions from this analysis and improve your contingency planning in the future. Unfortunately, often such learning experiences become costly (technical repairs, penalty charges, claims for damages, trials) and awkward (reputation) for companies. The forthcoming EU General Data Protection Regulation (GDPR) may further increase the price of such lessons.
Learning from mistakes made by others is often cheaper and far less stressful. Therefore, it is important to follow media coverage related to information security within your sector and collect additional information on interesting cases and cases that best coincide with your own operations. It is also advisable to go through such coverage more extensively with the persons or parties who might have the most to learn from the cases.
Generally speaking, an organisation’s activities should be based on rational risk analysis and on the measures to be applied to the most important or biggest identified risks, where threats related to information security are only part of the overall picture. The measures needed may include technical and financial measures, and steps related to the organisation’s processes. Even in a major organisation, information security may depend on the actions of an individual IT system user. Basic information security skills belong to everyone; they may not yet be part of general knowledge, but they certainly will be in the future. When the foundations are in order, each organisation can build its own information security guidelines and practices on top of them.
Training is useful, but it must not be the only way of trying to address information security threats. In a well-functioning information security system, technical tools support the users, help them operate correctly, and are capable of containing damage when a user makes a mistake. Despite all training, mistakes do happen – that is only human. This is good to acknowledge at all levels of the organisation. Many companies consider cyber threats a serious problem for themselves, but very few of them have provided sufficient training to their employees or practised how to operate in a simulated cyberattack situation.
This is clearly problematic, because practising is an important part of learning. Without training and practice, it may be difficult for employees to understand why any cyberattacks would be targeted against them, what kind of attacks could be launched against companies through the mistakes they might make, and what kind of consequences these might have for the company. Practising as realistically as possible is one of the best ways of learning the operating models that best serve your own needs as well as those of your organisation, and of finding potential weaknesses before the damage is done. Persons at every level of an organisation should practise against cyber threats.
Naturally, the content of training and practising differs for people working at different levels of the organisation, and therefore a wide range of training is provided. The courses and exercises may focus on a single theme only, such as how to limit the amount of data in public services that can be used for attacks or how to detect social manipulation. They can also teach the use of technical monitoring tools for various systems or how to conduct digital forensic investigations. Training can be given in the form of lectures or as hands-on training at the keyboard. In the exercises, the teaching is not always targeted at the staff of a single organisation only; people can also practise communication both within organisations and with external actors, and cooperation between different organisations. This may include communication with information security companies, customers, partners and the National Cyber Security Centre Finland of the Finnish Communications Regulatory Authority (FICORA). The largest exercises may involve several countries and the organisations operating in them.
Of course, no kind of training can guarantee 100% protection against different attacks, and no technology can prevent all cyber threats. However, a staff with good basic skills provides better protection against many attacks, and people who have practised handling crisis situations are better capable of managing the consequences of a possible serious data breach than an organisation that has not made any such preparations. It is important that you keep your organisation’s competence and contingency planning at a sufficient level in the changing threat environment. You should also learn these things by practising them in advance rather than the hard way after a major crisis.