U.S. Military Must Step Up Top Brass Training to Thwart Phishing
He did this with rigorous training, careful selection of personnel, and mutual oversight by the people involved in the program. He also put his trust in the people, so that anyone, no matter how junior, could stop a procedure in process if he or she detected a safety problem, while requiring any task that could create an accident to be accomplished by at least two people. The result of this nearly fanatical attention to detail is that so far the U.S. Navy has never had a nuclear accident. One legacy of this practice made its way to the U.S. Cyber Command, which has been highly effective in turning aside the millions of attacks sustained by military computer systems on a daily basis. But outside of the Cyber Command, things haven't gone so smoothly."You'd expect the Joint Chiefs [of Staff] to have had that training in place—and they hadn't. That was borderline criminal oversight," Sjouwerman added. It was also highly surprising that the White House server was hacked, he said. "You'd expect that especially with Obama having a focus on cyber-attacks, they would have given security training a very high priority." In fact, the military does give security training a high priority, but as in many organizations, there are weak spots. One has to guess (since the JCS isn't discussing the breach) that the Joint Chiefs followed a familiar pattern in which the guys at the top were too busy to get the security training everyone else got. The fact that they had to have an emergency training session on phishing after the breach points to this explanation. But what's being overlooked even as the military fixes this problem is the similar issue at companies where the C-level executives are apparently immune from corporate security training requirements. They're too busy, you see. Their time is too expensive to waste with training. But, in fact, it's the data held and used by the C-suite that's likely the most critical to the success of the business. Even if hackers can't hack the cash registers, they can still hack the CEO's email. This is a blind spot in corporate governance if there ever was one. The authors of the Harvard Business Review article point this out. Unfortunately, I suspect the people who need it the most will also be too busy to read it.
"You don't do [the training] after the problem has occurred," said Stu Sjouwerman, founder and CEO of security awareness training company KnowBe4. "You want to do that before someone clicks on a compromised site."