Security Training for Engineering Firms (Podcast)
In this podcast, Dave talks with Steve Ripper about security training for engineering firms. Steve explains what happens during a training session. Then, he outlines the benefits for engineering firms.
Dave: Welcome to PCG Industry Focus Series. I’m here today with Steve Ripper. Good afternoon Steve. How are you today?
Steve: I’m good Dave, how are you?
Dave: Excellent. Welcome. Today’s topic is about security training for your engineering firm and why it is needed and the value that will bring their firm. So let’s get started. What is security training?
What Is Security Training?
Steve: Well, security training is, just as it says on the tin, basically where we come in and we train your people on security concepts. Whether we do it remotely or we come in and walk around the conference room. But the idea is to get your users, get management, get billing, get everybody in the group to understand that they are a key and important part of security. They often get forgotten. They get left out.
You do all these other things like you do antivirus and you do MFA. There’s our MFA entry, Dave. We got it in there. But they do security, MFA, spam, firewalls, all of these different things. But we leave the people out. And the people are one of the biggest concerns when we think about security as a whole. No matter what we do from the IT side, if the user lets the bad guys in, gives up their password, gives them a way into the network, there’s not a lot we can do.
They’re going to get in. So security training is a way to involve them, talk about it, teach them what they need to be thinking about and try to build cultures within the company that say this is okay, this is not okay.
How Often Should Engineering Companies Do Security Training Sessions?
Dave: Because engineering firms, they’re busy with projects, deadlines. They’re in their CAD software. And I think Steve hit the point right there. They’re not thinking about training on security, but it is something that they have to embrace from the leadership down. So how often should engineering companies be running these sessions?
Steve: So they should be doing a live session annually. You could see biannually depending on how leveraged or how big they are. If you have a really large base, maybe you do biannually and you do it by groups. But if you’re a smaller or medium-sized company, then annually would be fine.
What Does Security Training Cover?
Dave: What is covered during these sessions? Because a lot of times we know engineers, they’re thought minded, they’re very process driven. What’s covered in these sessions?
Steve: Yes. So one of the things engineering firms have are the same types of concerns that a lot of other companies have, and communication is a big part of it.
Dave: Yes.
Steve: You have engineers who are doing a lot of AutoCAD stuff and maybe they’re designing bridges and buildings and whatever else they’re doing, but they’re still getting a lot of email from customers. They’re still sending a lot of emails. They’re still sending a lot of files.
So a lot of the concerns are the same ones that we would talk about for many other companies such as phishing, password management, MFA, when to encrypt files. What are the key things that you need to be watching out for? What is ransomware, viruses, malware, all of those times? There’s a bunch of education concepts in there, do’s and don’ts and basically how to do some of those concepts, like the MFA. So you see a lot of that.
Do All Engineering Firms Need the Same Security Training?
Dave: It doesn’t matter whether you’re HVAC electrical, mechanical or structural engineering. To me, the type of industry engineer doesn’t really matter to the training session. Is that correct?
Steve: Yeah. No, what we’re really focused on is the general concepts of how you deal with security, what to do when you get files in an email, how to recognize if this email is real or is it a phishing scam. And the anatomy of a phishing scam is a big topic within the training. Why passwords are important, why you need to change them, and for the love of Mike, why you need to make sure that you don’t use the same one across different types of systems, like your bank website, your laptop login, AutoCAD. And those types of programs have multiple types of logins that you’re logging into. So you need to make sure that you’re not using the same passwords over again. We talk about password managers and how important they are to the concepts and how to use them. We’ll introduce one that we like. Things like that.
On-site Vs. Remote Training
Dave: Coming from the training industry and doing it in the past (I know when the pandemic hit, a lot of things were being done remotely), but I feel like onsite training is always the best. And I think the value to the company is the ability of the person to ask you questions, Steve, to be more engaged. But also we can record if the people aren’t there, but any of the feedback on site or remote?
Steve: Yes. So on site or remote, I personally love to do on site because I can walk the room and I can take questions a little easier. Certainly during the pandemic, we did far more remote, just for obvious reasons. I can do both. We can do both. The remote is nice because it’s not as difficult for a company to get the people together, right? So whether they’re at home, whether they’re in another part of the country, they can all remote into the session. But onsite is nice for the personal touch to be able to talk about and maybe engage the customer.
Benefits of Security Training for Engineering Firms
Dave: What do you feel some of the top benefits the engineering firm will get out of this training?
Steve: So I think there are three very quickly. There’s that top down understanding. There’s securing the communication itself between clients. And then third, of course, is the cyber insurance. So let me talk a little about each one.
When you do cyber security training, you’re hoping to get all the different groups into the same room. You’re hoping to get management in there, the engineers, that middle meat of the workforce. You’re hoping to get billing in there. And so you’re looking for a top down consistency in talking about the message of security, that you’re all a part of it from the top to the bottom. If you get email, if you sign into something, you’re a part of it regardless of where you are in the organization. And it really sets up that everybody understands that they are a key part of the security posture. Okay, so that’s number one.
Number two, you want to make the communication with clients safer in both directions. And what I mean by that is that if you teach all of the people in your engineering firm to recognize phishing attacks, the email coming into your organization is much safer, right?
So we’re being much more careful about what’s coming in because we’re recognizing it ahead of time. And on the other hand, if you’re emailing your clients, if you know when and how to encrypt emails, you’re protecting their personally identifiable data. If it has client data, if it has credit card info, whatever it might be, or even just sensitive engineering items for what might be going into your building or what you need to be worrying about if you know when to encrypt it and how to encrypt it, that’s going to be safer in both sides.
And then the last one of those three is, listen, security training is going to be a big prominent feature in your cyber insurance application, right? They’re going to ask, Are you getting training? And Dave, we haven’t talked about it in a little bit, but in addition to security training, you want to do security awareness. Are you doing quarterly sends of what are fake but controlled phishing attempts that then lead to training examples so that you can automate that and get your users used to seeing those things? So those are all things that show up on cyber insurance.
If you’ve done them, you get to mark, yes, we do that. And your quote should be lower.
Dave: Yeah, I know. We help a lot of our clients, especially in the engineering industry, fill out those forms. Steve, you brought up a good point on the form which can come from any of your providers. But answering that check off, do you do security training? Is it followed by the phishing process with which you do very well? But great feedback today. A good topic right here in our industry focus here. Thanks again to everyone for joining us. Have a great day.