Why companies need a cybersecurity training program


Published Mar 16, 2016

Co-chairs of the Jeffer Mangels Cybersecurity and Privacy Group, Robert E. Braun and Michael A. Gold, discuss why companies need a cybersecurity training program. The other videos in this 4-part series include: First steps to take when there’s a data breach at your company; Cybersecurity for middle market companies; and Impact of international privacy laws on U.S. companies.

Michael Gold: One question I have is that you majored in English in college–what do you know about cybersecurity?

Bob Braun: Well, I know it when I see it Mike – but the fact is that this is something that I have been doing for a long time, ever since I started practicing law over thirty years ago. I've been dealing with issues relating to privacy and security, starting with banks and insurance companies and other regulated entities, and it became a natural thing as my practice continued to develop to move into that area.

Michael Gold: So cybersecurity and privacy issues obviously have been around for a long time. Why are they so prominent today?

Bob Braun: I think there are a lot of things–one of them is that the ability to collect and manipulate data is huge. So, every company tends to collect and retain and manipulate a lot of data, and the more data that you have, the bigger target you are. The other thing that is particularly interesting now is there are so many vectors. There is a time, I remember, when any company would have its own internal computer system, and really it was difficult to breach. Now these systems are open, they have many vectors–people have mobile devices. They have phones, they have pads. They have all sorts of devices which allow people to get into their system, and in fact they design them so they can be accessible.

Michael Gold: What are some of the challenges that your clients are bringing to you? What are some of the common fact patterns you see?

Bob Braun: You know, one of the most common things that I've seen recently: one of my clients came to me and said they wanted to get a cybersecurity policy. They wanted to get a cybersecurity policy from their insurance carrier because they knew everyone else was getting one, and their broker said, "You know, we need to see your policies, we need to see your procedures, we need to see what tests you've run on your system." And they said that was an interesting idea, and they called me because they had no policies; they had no procedures. They had never tested their system and they asked us to work on it.

Michael Gold: If you could put it in simple terms, what would you say is the biggest challenge facing your clients?

Bob Braun: The single biggest challenge is the human factor. You can do whatever you want to create technological barriers, to create protections. You can create firewalls and DMZ's and sandboxes and whatever names we give those things, but any one person in an organization can overcome virtually every one of those protections.

Michael Gold: Well, tell us a little bit about how that works. I mean, you know you've got an organization that is spending a great deal of money on cybersecurity technology–in many cases cutting edge technology. What's a human thing? What's an end user– a person sitting at a browser at her desk– supposed to do? Are you suggesting that the companies, in effect, create human firewalls?

Bob Braun: That's exactly what we need to do, because unless we create a human firewall the technological firewalls won't work. What we really need to do, what every company needs to do, is to train its people so they can differentiate between an innocuous email and a dangerous email. So they know what kind of website they can visit and what they can't. You simply cannot block every email, you cannot block every site effectively–and frankly, doing so is going to make it very hard to work.

Michael Gold: Have you seen companies undertaking any kind of systematic cybersecurity training, awareness-raising among their employees?

Bob Braun: Well, I know one that has, and that's our firm–because as you know, you and I have been training every person in our firm in cybersecurity defenses. But that's actually something that we have been talking to a lot of clients about, and that's one of the things that we do as part of a comprehensive cyber defense program for our clients.

Michael Gold: So, in other words, we are not going to ask anybody to do anything that we are not going to do ourselves.

Bob Braun: That's right. We drink the Kool-Aid, absolutely.

Michael Gold: Okay. So, you know I have been practicing cybersecurity principally with you, probably for a couple of decades now. One of the refrains that I often run into from technology people is that it's interesting to train end users to be part of a human firewall. But the tech people tell me that the end users, the line employees, are fundamentally untrainable. It's too complicated. They won't spend the time to do it. What are some of the challenges you see in creating the human firewall?

Bob Braun: Well, I think it takes the same kind of training that anyone needs. You know a great tennis player or a great piano player doesn't just wake up and become that. Any person who wants to have a skill, who wants to become a skilled person, a skilled operator, needs training in that. That's not just training once, and it's not just an email or a message or some kind of notice on a cafeteria wall. People need actually to be trained on a regular basis, and it has to be part of the culture of the organization. It has to be a valued part of any system.