In “The Lord of the Rings: The Fellowship of the Ring”, the fellowship travels to Mordor to destroy the One Ring of the Dark Lord Sauron. In one scene, the fellowship comes face to face with a Balrog. Knowing they cannot all escape, Gandalf stands on a bridge, yells “You Cannot Pass”, and fights the Balrog to the death.
What Gandalf did on the bridge relates to how we should handle our data. Gandalf recognized the threat the Balrog posed to both his fellow travelers (colleagues) and their mission (job), just as we should recognize the threat of mishandling sensitive data. He stopped the threat before it could reach the others, and we should do the same by locking our screens, deleting unnecessary data, and securing data that is sensitive.
Your company's data is its most valuable asset - customer details, financial information, and even new product plans. Mishandling this data can result in breaches, fines, or damage to your reputation. That's why CIS Safeguard 14.4 underscores the importance of training your entire workforce on proper data handling practices.
Consider Your Data Like…
- Currency: Just as you wouldn't leave piles of cash lying around, sensitive data requires protection.
- Medical Records: Your customers trust you with their information; mishandling it would be a breach of that trust.
- A Secret Recipe: If your competitors gained access to your strategic plans, it could have detrimental effects on your business.
Best Practices for Data Handling Training:
- Clear Classification: Distinguish between "Confidential" and "Public" data to ensure appropriate protection measures.
- Secure Storage: Educate users on where to store important files, encryption requirements, and what locations to avoid.
- Limit Sharing: Promote a "need-to-know" approach to minimize exposure to sensitive data.
- Beware of Phishing: Train employees to recognize and report phishing emails that attempt to steal sensitive data.
- Proper Disposal: Deleting files isn't sufficient; emphasize the importance of using proper destruction methods.
Continuous Training Efforts:
- Stay Updated: Keep training materials current to reflect evolving policies and emerging threats.
- Relatable Examples: Use real-world scenarios relevant to employees' roles to reinforce the importance of data handling.
- Cultivate a Reporting Culture: Encourage employees to promptly report mistakes or suspicious requests for data to IT.
Remember, effective data handling training is an ongoing process, essential for maintaining a secure and trustworthy business environment.
Here’s a link to the Security Awareness Skills Training Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/security-awareness-skills-training-policy-template-for-cis-control-14
Here are some details on this specific Control/Safeguard. If you want more information, DM me.
CIS Control 14 – Security Skills Awareness & Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Implementation Group 1
CIS Safeguard 14.4 - Train Workforce on Data Handling Best Practices
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.