ACC Cybersecurity Summit: Employee Training Panel

Mar 2, 2021 12:22:05 PM / by Ryan Short

This morning we kicked off the Association of Corporate Counsel's annual Cybersecurity Summit by moderating a panel on Employee Training. 

 

Our experts discussed training programs, network design, and what to do with limited resources and big threats.

 

Below are some key takeways and quotes, but it doesn't do justice to the ground that was covered. At the bottom of this article you'll find links to the panelists if you would like to continue the conversation.

Key Takeaways

The hour-long discussion generated lots of good insights, including:

  1. Breach fatigue is real, and training can be overwhelming: be specific and realistic about what you expect from users
  2. Enable multi-factor authentication (MFA)
  3. When vendors have access to your network, contracts are critical
    • Security standards
    • Indemnification
    • Sufficient cyber-insurance policy 
  4. Password managers are fine, and can even promote good practices
  5. Role-based access and network segmentation is crucial
  6. Pick up the phone and call (the alleged sender or your IT team) if something doesn't seem right 

acc panel

 

Selected Quotes

"Normally what we find is the user is the weakest link. I would say in 95% of ransomware attacks we see, the hackers utilize user credentials and weak passwords and the user did not have MFA, which could have prevented the attack. You want to make yourself the hardest target by using things like MFA, complex passwords, and following policies and procedures."

     - Billy Evans

 

"An incident can be really traumatizing, but in a surprising number of cases you get resistance [about implementing more stringent security measures], usually from senior leadership. They'll say 'oh, that will be really inconvenient for people, we'll just train them better.' You can lead a horse to water, but you can't make it turn on MFA."

     - Jena Valdetero

 

"I think many of these comments go to the pace of work. People don't even stop to think 'why would my boss ask me to buy 10 gift cards?' And that's human behavior, which is hard to train."

     - Amy Yeung

 

"Tech staff should be doing system monitoring and have backups that are tested. Because if you haven't tested the backups, you don't actually have backups. For users, you have to tell your IT staff is something happens. Don't hide it because you think you'll get in trouble or you think can fix it... Pick up the phone and call your IT team right that second."

     - George Lyle

 

"We did an audit one time and looked at all the passwords and  the CEO's password was 'cat.' You have to have buy-in from the top."

     - Billy Evans

 

"When you have a finite budget, training is important but technical measures is where you should focus your resources."

     - Jena Valdetero

 

"Set expiration dates, or at least a reminder, on network access for your vendors. We all have vendors that come in for one-time or consulting work, but access continues even after the work is done. Set it so that it has to be an intentional affirmation that they should continue to have access."

     - Amy Yeung

 

"We try to remove humans from the equation. So one of the ways we do that is role-based access. If someone doesn't need access to it, they don't have it. And if they ask for access and can't produce a good business case for it, the answer is 'no.'"

     - George Lyle

 

The Panelists

 

Build Your Team

The importance of a proactive plan for an cyber incident response cannot be overstated.

Insurance providers, consultants, IT forensics firms, outside counsel, and eDiscovery vendors are all commonly engaged. For example, at Proteus our data breach response service focuses primarily on analyzing compromised databases and developing required disclosure programs.

A small team of complementary experts can be the difference between a frustrating hiccup and a disaster for a firm's reputation and bottom line. If you have questions about your firm's response plans, let me know. We can help.

ediscovery blog

Tags: Information Governance, Forensics, Cybersecurity, Data Breach

Ryan Short

Written by Ryan Short

Ryan joined Proteus in 2020. He previously spent a decade providing consultative enterprise solutions in transportation and medical equipment, and is surrounded by 3 daughters under 5 years old. Consequently, his wife won't let him buy a dog.