COI Report – Part VII Page 276 of 425 804. Reinforce the message – Training courses are unlikely to have a lasting effect if they are one-off or only conducted infrequently. It is important for key points to be reinforced and this can be accomplished through refresher sessions, as well as through media such as blogs, posters and newsletters. 38.3 IT staff must be equipped with sufficient knowledge to recognise the signs of a security incident in a real-world context 805. Detection is a state of mind. Detection can only happen where there is awareness on the part of the staff. IT staff must be equipped to go beyond recognising obvious cyber attacks such as ransomware and website defacement. All IT staff must be equipped with sufficient awareness of cyber threats and signs of a security incident to be able to respond effectively should the need arise. In fact, as recommended by Vivek, this awareness should go even further – training in cybersecurity fundamentals must be provided to all IT staff to equip them to play a role as a member of the SIRT team in the event of a cyber incident. This would entail all IT staff participating in cyber crisis simulation exercises that simulate real-life scenarios related to advanced cyber attacks. The importance of proper training is echoed by Gen. Alexander – training does not need to be limited to personnel of a certain level of capability. Everyone should be trained and there must be a culture of constant learning. 806. When a cyber incident occurs, IT staff might be the first to notice. An organisation will beat significant risk if there is alack of initial security incident cognition on the part of its IT staff. It is not safe to assume that IT administrators are prepared and equipped to identify and manage a security incident, and to respond in the initial stages, before security personnel enter the picture. The skills, training, and mindset of an incident responder are different from that of a system administrator. To better respond to security incidents, operational-level IT staff should be provided with a sufficient degree of cybersecurity training. 807. When employees fail to report, or delay in reporting security incidents, it can lead to dire consequences and increase the overall extent of the attack. A single, unreported threat could lead to a large breach. This lesson was learnt in a
