Congressional Cybersecurity Training Resolution of 2019


Cybersecurity Training for Members of the House of Representatives

In an attempt to improve government cybersecurity, new legislation was proposed that would require all House Members to participate in annual cybersecurity and information security training. This is already a requirement for House officers and employees, and extending it to Members is a necessary step toward a more complete cyber defense. As we know, it only takes one person's ignorance to undo security measures that have carefully been put into place.

The legislation, proposed on May 10th by U.S. Representative Kathleen Rice, is titled the Congressional Cybersecurity Training Resolution of 2019. It would require the Chief Administrative Officer to lead training that certifies all House Members, employees, and officers are aware of various cyber threats and of the approved policies for handling them. In addition to the annual training, new employees and Members would be required to complete the training within 30 days.

See the resolution here.

Why Cybersecurity Training?

At an employee level, one mistake can put an organization at risk. According to a report by iapp, “Ninety-two percent of all incidents are, and 84 percent of all data breaches were unintentional or inadvertent in nature.” Of those percentages, only 2.2% of all incidents were intentional and malicious. I know this shatters the idea that there are masked hackers out there trying to steal information, and there are, but far fewer than you would think.

Understanding that employees are the greatest cause of data breaches is the first step to understanding why cybersecurity training is so vital, in a government setting or otherwise. Given this, organizations should be devoting a large portion of their budget to making sure employees are knowledgeable of and compliant with all cybersecurity policies.

What Are You Protecting?

Though different types of data pose different risks to each organization, each loss is problematic across the board. The main risk, and the main reason for training, is losing personally identifiable information (PII) such as social security numbers or addresses. Financial data and health information that may be stored about employees or outside individuals are also expected to be completely protected, as this data would likely be sold and used for identity theft or extortion. As the party responsible for keeping information safe, you hold a degree of trust that should not be violated, regardless of the impact on the business.

There is also data that could cause financial and operational problems should it be exposed. Intellectual property such as security policies or internal software could be deleted or held for ransom, as could valuable information on court cases and rulings. What is truly monumental is the loss of IT security data, such as passwords, security strategies, and network structure. A simple mistake such as falling victim to a phishing attack can escalate into large-scale data loss before you recognize what is happening.

Is Yearly Training Enough?

While it's great to see the push for improved government cybersecurity awareness, is it too little too late? Yearly training is a very basic measure that we should have expected several years ago. As a comparison, this is already standard among many retail stores. Shouldn't we hold the government to a higher standard than Walgreens?

Unfortunately, yearly training sessions have minimal impact. Studies suggest that about 90% of what we learn in these sessions is forgotten. Typical annual trainings involve long days with speakers trying to pack as much information into your brain as possible before sending you back to work. This is simply not effective, as we lose most of that information and never practice implementing it. Christo Popov, CEO of FastTrack, suggests breaking training down into around a dozen sessions, in which your leader should "devote about 10% of employees' time to training, 50% to implementation, 30% to repetition and 20% to analysis of results."

For those of you still hosting annual training sessions, are you measuring the impact or employee retention? Use our CyberWatch solution to evaluate the effectiveness of your training and see whether your employees are compliant with your security policies and standards.