While I was looking over sessions at RSA Conference 2020, a talk called Tackling cyber-enabled crime at scale: Moving enforcement forward caught my eye. As someone who is quite addicted to Law & Order and is also into cybersecurity, I thought it sounded like a real-world version of a bad hacker TV show, but at the New York City Police Department (NYPD).
The speaker, Nick Selby, had a great story to tell. You see, New York City has a big problem with cybercrime — a nine-figure problem. It seemed everyone from digital natives to baby boomers had fallen victim to cybercriminals, from phone scammers to ransomware, a Nigerian uncle needing a money transfer, and more.
Most times, it is the NYPD that victims call. However, any time the officers responding to a call heard tech words such as Bitcoin, their first response was something like “not my monkeys,” because, well, it was cyber. In police officers’ and detectives’ mental maps, cyber was something other agencies dealt with. They used to advise victims to call the FBI, and that was that.
For a city the size of New York City, that was a problem. Selby knew it, as did his superiors at the NYPD, who tasked Selby with helping change the culture and train officers to care about cybersecurity.
The whole presentation captivated me and discussed all of the cool things that the team did in terms of stopping cybercrime and helping get people their hard-earned money back. The story isn’t mine to retell here, but I strongly suggest watching the full talk below:
However, the thing that I couldn’t get past in the presentation was this notion: Selby had to help change this culture and train officers to care about cybersecurity.
Anyone who has led security training has probably gotten snarky questions or comments like:
I work in finance, why should I care?
I work at the front desk, why should I care?
I am on the service desk, c’mon man, I know security!
And my favorite overheard-in-the-office whine:
Ugh, security training, AGAIN?
Now, we’ve all been there and had to do something that we didn’t feel was necessary to our jobs. The problem, though, is that cybersecurity touches everything. Seriously. Here are just a few examples from the average workplace:
- Finance — they manage the money. How many scams have we discussed involving money being sent to the wrong account?
- Reception — the first face you see, the person who lets everyone into the building. Receptionists also usually hand out guest Wi-Fi credentials. Consider the reception desk’s role in protecting the company from intruders like the crooks who connected malicious hardware to corporate networks.
- Service desk — they fix computers and administer devices. Who can give you a USB stick should you need to move a PowerPoint between two computers? Without IT, people might resort to hunting for abandoned drives around the office.
Do you see my point? All employees are technically attack vectors, but they are typically not thinking along the lines I mentioned above.
What can we learn from the NYPD?
Unlike corporate cybersecurity trainers, the NYPD was training police officers, but their tasks and challenges were very similar, and so were their guiding principles:
- Keep it simple. Perhaps the biggest factor in the NYPD team’s success was that they kept the training straightforward and to the point. I believe they kept the number of slides in their training sessions to fewer than 20. When planning training materials for your staff, make sure they include clear objectives to show trainees why they should care and how to succeed.
- Empower people. Another cool approach Selby and team used was offering an app to help cops code cybercrimes, facilitating appropriate investigations. Now, I’m not saying you need to create an app for your company. Instead, find ways to empower employees to put your training into practice. If they see something suspicious, how can they report it? If they get a phishing e-mail, how can they get it blocked for the whole company, or where should they send it?
- Show results. The NYPD measures everything it can, and with this program, the department started measuring “cyber” as well, so cops could see that their work was actually helping get more crimes investigated in their boroughs. They were also able to see how big the problem was and how their roles helped fight cybercrime. Your employees may not be fighting criminals, but you can show them how their awareness really helps. For example, nine ransomware attacks thwarted or 200 phishing e-mails averted in the year could be good things to share in a regular update.
Your training doesn’t need to be high tech or expensive. Sharing your internal expertise can lead to major changes for your organization.
Even if crafting a cybersecurity training plan isn’t in the cards for your business this year, we’ve got you covered. Kaspersky offers a free security education course series that you can share with your employees to get started.