Information Security Training: Learning From the “Sony Hack”
November 24 this year marks the anniversary of one of the biggest hacks of the century. On this day in 2014, a mysterious group of hackers calling themselves the “Guardians of Peace (GoP)” attacked Sony Pictures Entertainment’s computer systems and started revealing many of Hollywood’s secrets, from unreleased movies to the personal data of its employees, including their salaries and performance reviews.

According to Gary Miliefsky, an information security specialist and founder and president of Snoop Wall, a cyber security firm, “The biggest weakness of Sony Pictures was their employees”.

When your employees ignore (and thereby violate) security policies, whether intentionally or because they were poorly educated on them, it can severely undermine your information security strategy. However advanced the cyber criminal organization may be, initiating a major cyber attack can be as simple as one of your employees clicking a malicious link in an email (spear phishing), which is what happened at Sony.

Therefore, it becomes essential to make your employees aware of such risks and how to avoid them. One of the ways to facilitate this is through training.

There are various areas in which employees need to be trained. Some of them are:

1. Level of security needed for a particular type of data:

Employees need to know what to do with the various types of data or information they handle. They must be able to recognize which data belongs where and how to protect it.

2. Strong password security:

Employees must understand the importance of good password practice to the company. A sound password policy will help protect the company’s data. Moreover, work passwords must not be reused for other accounts, such as social media (password reuse).

3. What to share and what not to share on social media:

Companies need to ensure that employees follow certain social media practices with regard to company-specific information. Employees should be able to differentiate between what can and cannot be shared on social media.

4. Differentiate between confidential data and non-sensitive data:

Employees must be able to differentiate confidential data from non-sensitive data and know what to do when handling each. They must know the procedure and steps to be taken when handling data of different levels of importance.

Now that we know what training to provide to employees, let us see how to deliver it. There are essentially three ways to deliver training:

1. Instructor Led Training

Instructor-led training, or classroom training, is a method of training in which a trainer or Subject Matter Expert (SME) teaches the learners in a classroom-like environment.

2. Virtual Instructor-Led Training

In virtual instructor-led training, the training is delivered remotely by the trainer or SME using tools like Webex.

3. E-learning

E-learning is the use of electronic media to deliver interactive training courses to learners in a self-paced learning environment. It enables learners to learn anytime, anywhere and on any device.

Though employee training does not guarantee that employees are safe from attacks, it greatly reduces the impact of an attack.

What are your views on this? Please share your thoughts in the comments section below.