Information Technology Governance

Local Government Management Guide

Area #2 – IT Security Training and Awareness


A well-informed workforce is essential to securing electronic data and IT systems. Local governments and schools cannot protect the confidentiality, integrity and availability of their data and systems without ensuring that the people who use and manage IT understand IT security policies and procedures and their roles and responsibilities related to IT security. While the IT policies provide guidance to computer users as to what the governing board expects them to do, IT security training provides them with the skills to do it.

Educational agencies are required to annually provide data privacy and security awareness training to their officers and employees with access to student, teacher or principal PII.7 The training must cover the federal and State laws governing confidentiality of student, teacher or principal PII, and how employees can comply with those laws.

There have been many accounts of users whose actions caused significant IT system harm or financial losses. They may have been fooled via social engineering scams8 into providing their passwords, opening harmful attachments or visiting malicious websites. Even system administrators, who are typically regarded as having advanced IT knowledge, have been tricked into performing actions that threatened or caused harm to their systems. The success of social engineering, coupled with the never-ending flow of new and innovative threats, underscores the importance of including all users in IT security training. It is also important to update the training material periodically to address new technologies, threats and any changes to your computing environment.

IT security training should explain the proper rules of behavior for using your IT systems and data and communicate the policies and procedures that need to be followed. The content of training programs should be directed at the specific audience (e.g., user or system administrator) and include everything related to IT security that attendees need to know to perform their jobs. IT security awareness efforts should reinforce your IT policies and training and can focus attention on security in general or some narrow aspect of security (e.g., the dangers of opening an unknown email or attachment or how to maintain laptop security while traveling).

The failure to provide IT security training and raise awareness increases the risk that users will not understand their responsibilities, putting the data and IT resources with which they have been entrusted at greater risk for unauthorized access, misuse or abuse. For example, without training and awareness, employees may not understand how their Internet browsing could cause their computers to become infected with malicious software that may compromise any personal, private or sensitive information residing on them.

Local government and school officials sometimes say that they cannot afford the cost of IT security training and awareness. Fortunately, there are a number of no-cost or low-cost solutions available from a variety of sources. The following organizations offer free or low-cost IT security training and awareness materials:

  • Center for Internet Security – https://www.cisecurity.org/
  • New York State Education Department – http://www.nysed.gov/data-privacy-security
  • New York State Office of Information Technology Services – https://its.ny.gov/
  • New York State Office of the State Comptroller – https://www.osc.ny.gov/
  • United States Cybersecurity and Infrastructure Security Agency – https://www.cisa.gov/

Municipal and school associations (e.g., New York Conference of Mayors, New York State School Boards Association) also periodically offer low-cost IT security training.

Lastly, developing and delivering IT security training and maintaining IT security awareness does not have to be a formal, elaborate and expensive endeavor. It can be as simple as gathering staff together to review your policies collectively and having a roundtable discussion on security matters applicable to your computing environment. The discussions could center on one or more of the following issues:

  • Emerging trends in information theft and other social engineering reminders;
  • Limiting the type of personal, private and sensitive information collected, accessed or displayed to that which is essential for the function being performed;
  • The dangers of downloading files and programs from the Internet;
  • How to respond if malware or an information security breach is detected; or
  • Other key IT security controls such as strong passwords, malware protection or wireless security.

Awareness efforts could also include disseminating the free security alerts from the organizations mentioned above or sending out periodic security reminders via email that address some aspect of your IT security policy.

IT security training and awareness is an essential part of protecting computer systems and data. Your personnel should understand their IT responsibilities, be knowledgeable about potential threats and be prepared to respond appropriately to everyday challenges, as well as less frequent events, such as the loss of personal information. The growing availability and ease of obtaining free and low-cost training and awareness materials eliminates excuses for not having a well-informed workforce.


7 8 NYCRR 121.7

8 Social engineering refers to the methods attackers use to deceive victims into performing an action such as opening a malicious webpage or running an unwanted file attachment. Many social engineering efforts are focused on tricking users into disclosing usernames and passwords.


The Information Technology Governance LGMG can be downloaded at https://www.osc.ny.gov/files/local-government/publications/pdf/information-technology-governance.pdf