NIST SP 800-171 Family: Awareness and Training

Implementing strong NIST Awareness and Training standards and policies is the foundation of a proactive cybersecurity strategy, safeguarding your organization from evolving threats. Don’t wait for a breach to occur before you act; prioritize NIST compliance to protect your business, assets, and reputation.

Downloadable Checklist Here

Introduction to Awareness and Training

Awareness and Training (AT), a family of controls in NIST SP 800-171, addresses the protection of controlled unclassified information (CUI) in a business system by requiring that personnel be made aware of security risks and trained to prevent, recognize, and respond to security incidents.

Below are the three AT controls. Although they were written to protect CUI, implementing them benefits the security of any kind of data.

    • 3.2.1 Role-Based Risk Awareness: managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures.
    • 3.2.2 Role-Based Training: personnel are trained to carry out their assigned information security-related duties and responsibilities.
    • 3.2.3 Insider Threat Analysis: personnel receive security awareness training on recognizing and reporting potential indicators of insider threat.

Implementing the three AT controls is integral to an organization's incident response strategy: a failure in this area is a failure to educate and train employees to recognize, assess, and respond to cyber-attacks. For some businesses, the implementation of Role-Based Risk Awareness (3.2.1), Role-Based Training (3.2.2), and Insider Threat Analysis (3.2.3) can make or break the outcome of an incident.

The cyber incident at MGM Resorts in September 2023 began when a helpdesk employee handed authentication information to a caller posing as a "high-value" employee (1), a call that should have been treated as suspicious. An employee who is talked into giving away credentials is an unintentional insider threat, and recognizing and reporting that kind of request is exactly what the training required by Insider Threat Analysis (3.2.3) should have taught an MGM helpdesk employee. As an organization in the hospitality business, MGM employees should be aware of the security risks pertaining to their roles and to their associated responsibilities, abilities, and interactions (both transactional and operational). Had MGM built the objectives of Role-Based Risk Awareness (3.2.1) into employee education, the company might not have leaked information to attackers so easily, because employees would have had a solid grasp of the threatening situations they may face daily. MGM should adopt the best practice of coupling Role-Based Training (3.2.2) with Role-Based Risk Awareness (3.2.1): awareness tells the helpdesk that a caller requesting authentication information is a risk, and role-based training gives the helpdesk a defined procedure to follow when that request arrives, so that the safe action does not depend on one employee's judgment under pressure. Together they establish a baseline from which to develop both more security-minded employee education and new security-minded procedures to adopt into role-based protocols.

So that companies like MGM are better prepared for future incidents, a well-documented policy must be created that details the education and training requirements for users of a business system according to each user's role within the organization. The policy must include material raising awareness of unintentional insider threats, and it must declare a recurring security training program that users complete as part of their job responsibilities. Each user of the business system should provide a physical signature affirming awareness of the policy and agreeing to complete the recurring training, and each user should also receive a digital copy of the policy and periodic reminders of it. If users do not complete the recurring training or do not sign the policy, a best practice is to penalize them in proportion to the possible consequences of their role being performed without proper security education and training.

The downloadable checklist linked above is a starting point for developing your Awareness and Training program according to NIST-based standards. As the incident at MGM shows, these controls are more important than ever.

References

  1. CyberArk, "The MGM Resorts Attack: Initial Analysis," cyberark.com
  2. CNN Business, "Casino giant MGM expects $100 mln hit from hack that led to data breach"
