Cyber Security Awareness Training
Increases Company Security
Cyber security awareness training provides the greatest assurance of reducing information system compromise. People remain the biggest weakness of any information system, and properly training them in cyber security decreases the risk of system compromise by 80%[i].
Recently, an employee in another department brought me what she considered a suspicious e-mail, which she had printed for my review. The e-mail was an alert about weather conditions affecting the Metropolitan DC area. Our organization receives weather alerts all the time, but this one was suspicious.
[i] InfoSec Institute July 2018
Signs of Phishing Emails
First, it was addressed only to her. Second, it asked the recipient to click a link rather than stating the weather conditions outright. Third, the message arrived two days after the winter storm had passed, when the forecast for the area was freezing temperatures but no hazardous driving conditions. Finally, the e-mail was not signed by any of the services the organization uses for such information. A quick comparison of the sender address and the link's real destination (hover over it, do not click it) against the organization's known alert providers is the fastest way to confirm such a mismatch.
Analyzing Suspicious Emails
Because of her diligence, I congratulated her on coming to me instead of clicking the hyperlink. I directed her to forward the e-mail to our security organization (forwarding a message as an attachment rather than inline preserves the original headers and link targets that analysts need), which then issued an alert to the rest of the organization about the likely phishing e-mail. Our security organization would then examine the message to determine whether it was a generic phishing e-mail or a more serious, targeted attempt to break into our organization.
Our organization is safer because staff stay vigilant about phishing attempts and keep cyber security in mind as they perform their work.
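The four signs above, turned into triage logic that runs over two constructed messages. This is an added example, not part of the original article or the author's security process; the approved-sender list, the storm date and both e-mails are invented for illustration, and the 2-of-4 escalation threshold is an assumption.

```python
"""Heuristic triage of a forwarded alert e-mail.  Added example, not part of
the original article or its author's process.  It encodes the four signs the
article lists: a single named recipient, a request to click a link instead of
stating the information, a send date that does not match the event, and a
sender that is not one of the services the organization actually uses.
The two messages, the approved-sender list and the storm date are constructed."""
from datetime import date, timedelta
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr, parsedate_to_datetime
import re

# Constructed: domains the (hypothetical) organization really receives alerts from.
APPROVED_ALERT_DOMAINS = {"weather.gov", "alerts.example-org.com"}
# Constructed: the day the winter storm in the anecdote ended.
STORM_ENDED = date(2018, 1, 16)

# Constructed: the suspicious message, forwarded as an attachment so the
# original headers survive.
SUSPICIOUS_EML = b"""From: DC Weather Desk <alerts@dc-weather-alert.info>
To: jane.doe@example-org.com
Subject: URGENT: Hazardous driving conditions in the DC Metro area
Date: Thu, 18 Jan 2018 08:12:00 -0500
Content-Type: text/plain; charset=utf-8

Dangerous road conditions reported across the Metropolitan DC area.
Click here for the full advisory: http://dc-weather-alert.info/advisory?id=8813
"""

# Constructed: a legitimate alert for comparison.
BENIGN_EML = b"""From: NWS Baltimore/Washington <nws.lwx@weather.gov>
To: all-staff@example-org.com
Cc: facilities@example-org.com
Subject: Winter Weather Advisory in effect until 7 PM
Date: Tue, 16 Jan 2018 05:30:00 -0500
Content-Type: text/plain; charset=utf-8

Snow accumulations of 2 to 4 inches expected. Plan on slippery road
conditions for the morning commute and allow extra travel time.
"""

LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)
CLICK_RE = re.compile(r"\b(click|tap|open|view|log ?in|sign ?in)\b", re.IGNORECASE)


def parse_message(raw):
    """Parse raw RFC 5322 bytes into an EmailMessage with modern header objects."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def recipients(msg):
    """All addresses in To and Cc; a lone named recipient is the first sign."""
    fields = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(fields) if addr]


def sender_domain(msg):
    """Domain of the From address, lower-cased for comparison."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Decoded text body, preferring plain text over HTML."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def phishing_indicators(raw, storm_ended=STORM_ENDED,
                        approved_domains=APPROVED_ALERT_DOMAINS):
    """Return the four indicators from the article as a name -> bool mapping."""
    msg = parse_message(raw)
    text = body_text(msg)
    sent = parsedate_to_datetime(str(msg["Date"])).date()
    return {
        "single_recipient": len(recipients(msg)) == 1,
        "link_instead_of_content": bool(LINK_RE.search(text)) and bool(CLICK_RE.search(text)),
        "stale_timing": sent - storm_ended > timedelta(days=1),
        "unknown_sender": sender_domain(msg) not in approved_domains,
    }


def triage(raw, storm_ended=STORM_ENDED):
    """Verdict plus the indicators that fired; two or more (assumed) means escalate."""
    hits = phishing_indicators(raw, storm_ended)
    verdict = "escalate to security" if sum(hits.values()) >= 2 else "likely benign"
    return verdict, hits


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EML), ("benign", BENIGN_EML)):
        verdict, hits = triage(raw)
        print(label, "->", verdict, sorted(k for k, v in hits.items() if v))
```

Two points the code makes that the anecdote does not: an inline forward rewrites From, To and Date, so the check only works on the original message (hence the forward-as-attachment rule), and no single indicator is conclusive, which is why the legitimate advisory is scored against the same rules and fires none of them. The link check looks only at URLs in the text; in HTML mail the visible anchor text can differ from the href, so a real triage step also extracts the href values.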
Security Awareness Training and NIST SP800-171
Security awareness training is one of the 14 security requirement families checked in a NIST SP 800-171 assessment. If you are a small business that expects to process, store or transmit Controlled Unclassified Information (CUI), you will need to assess your information technology and information assurance procedures against those requirements, and you must present a body of evidence as part of your contract requirements. ASCERTIS Solutions provides the expertise to help you get assessed and authorized quickly to meet your contractual requirements.
Can You Safely Self-Assess Against NIST Standards?
Many small businesses that provide contract work to the Federal Government have limited security expertise in-house. The first question to ask, then, is "Do we have in-house expertise that understands the requirements of NIST SP 800-171?" If the answer is "no," avoid any company that lets you self-assess with their software; they are setting you up for failure. Having access to a software compiler does not make a person a software engineer, and having access to security assessment software does not make a person a security assessor. If your company does not have several employees holding a Certified Information Systems Security Professional (CISSP) or Certified Information Systems Auditor (CISA) certification, you need to hire a company that will guide you through the process.
Why ASCERTIS Solutions Fits Your Needs
With ASCERTIS Solutions, your company receives a good/better/best menu of options for satisfying the key requirement of each control. Each control is described in plain English so that a non-security executive can understand what is required. The independent assessor (certifier) begins by explaining the role of the Authorizing Official (usually the CEO or the CISO) in the process and the timeline for the initial assessment. The application is designed so that a typical small company (75 to 150 employees) can complete an assessment in less than a week.