You Cannot Pass ft. Bryon Singh, RailWorks Corporation

You Cannot Pass ft. Bryon Singh, RailWorks Corporation

By Steve Gold
Posted in Security
On July 09, 2024

In “The Lord of the Rings: The Fellowship of the Ring”, the fellowship travels to Mordor to destroy the One Ring of the Dark Lord Sauron. In one scene, the fellowship come face to face with a Balrog. Knowing they cannot all escape, Gandalf stands on a bridge and yells “You Cannot Pass” and fights the Balrog to the death.

What Gandalf did on the bridge relates to how we should handle our data. Gandalf recognized the threat of the Balrog to both his fellow travelers (colleagues) and their mission (job). Gandalf identified the threat of the Balrog like identifying the threat of mishandling sensitive data. He stopped and prevented the threat the same way we should be locking our screens, deleting unnecessary data, and securing data that is sensitive.

Your company's data is its most valuable asset - customer details, financial information, and even new product plans. Mishandling this data can result in breaches, fines, or damage to your reputation. That's why CIS Safeguard 14.4 underscores the importance of training your entire workforce on proper data handling practices.

Consider Your Data Like…

  • Currency: Just as you wouldn't leave piles of cash lying around, sensitive data requires protection.
  • Medical Records: Your customers trust you with their information, mishandling it would be a breach of trust.
  • A Secret Recipe: If your competitors gained access to your strategic plans, it could have detrimental effects on your business.

Best Practices for Data Handling Training:

  • Clear Classification: Distinguish between "Confidential" and "Public" data to ensure appropriate protection measures.
  • Secure Storage: Educate users on where to store important files, encryption requirements, and what locations to avoid.
  • Limit Sharing: Promote a "need-to-know" approach to minimize exposure to sensitive data.
  • Beware of Phishing: Train employees to recognize and report phishing emails that attempt to steal sensitive data.
  • Proper Disposal: Deleting files isn't sufficient; emphasize the importance of using proper destruction methods.

Continuous Training Efforts:

  • Stay Updated: Keep training materials current to reflect evolving policies and emerging threats.
  • Relatable Examples: Use real-world scenarios relevant to employees' roles to reinforce the importance of data handling.
  • Cultivate a Reporting Culture: Encourage employees to promptly report mistakes or suspicious requests for data to IT.

Remember, effective data handling training is an ongoing process, essential for maintaining a secure and trustworthy business environment.

Here’s a link to the Security Awareness Skills Training Policy Template provided free of charge from the fine folks at the Center for Internet Security:

Here are some details on this specific Control/Safeguard. If you want more information, DM me.

CIS Control 14 – Security Skills Awareness & Training

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Implementation Group 1

CIS Safeguard 14.4 - Train Workforce on Data Handling Best Practices

Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.

Steve Gold

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies such as Varonis, VMware, Dell & Wyse Technology

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.