DFARS 252.204-7012: Could a lack of training be putting you at risk?


Most people still think of cybersecurity as a technical challenge that only the IT department needs to worry about. This widespread misconception is exactly why employees are often the weakest link in an organization’s security posture. After all, cybercriminals have a far easier time exploiting human ignorance and unpreparedness than trying to break through encryption algorithms and other modern security measures.

Achieving and maintaining compliance in line with the DFARS 252.204-7012 standard, which is based on the globally recognized NIST 800-171 security framework, establishes a baseline for information security. However, even the most stringent security policies and technological measures mean little if there is a lack of security awareness in your organization. A comprehensive training program is needed to keep employees up to speed with what security demands of them.

Protection against social engineering attacks

Most data breaches involve a social engineering element, typically in the form of a phishing email or instant message. These scams take advantage of the innate susceptibility of poorly prepared employees to unwittingly surrender sensitive information, such as login, personal, or financial details.

To achieve compliance with DFARS 252.204-7012 and other standards, organizations must train their employees to better recognize potential phishing scams. Phishing simulations and testing campaigns help raise awareness by providing a hands-on approach that is relevant in real-world scenarios.

If employees have been adequately trained to recognize and call out potential phishing scams, they will go from being the weakest link in the organization’s security posture to the first and last line of defense. For maximum effect, phishing simulations and awareness training should also extend to text message phishing, voicemail phishing, and social media.


Safe use of public communication channels

Instant messaging, group collaboration platforms, and social media have all become essential tools in the modern business, especially at a time when so many people are working at home or on the move. Banning the use of these channels for work is rarely practical, even if policies dictate that they are not to be used for exchanging sensitive information.

A comprehensive training program will allow employees to use these platforms without fear and without adding unnecessary risk to the organization. While internal policies should set the high standards demanded by the NIST 800-171 framework, training will help make sure people are following the rules.

Employees should also be made aware of the dangers of using social media. For example, a common problem is oversharing personal information on social networks. Social engineering scammers routinely scour social networks to profile their victims so they can personalize their attacks and make them appear all the more convincing because of it.

High accountability among employees

Insider threat is an especially serious problem for organizations in the Defense Industrial Base, which is why the DFARS 252.204-7012 initiative takes accountability very seriously. Although insider threat is not usually deliberately malicious in nature, inadequately trained employees can present a serious, albeit unintentional, risk to the organization.

Security awareness training helps companies build a culture of accountability in which teams are always proactively on the lookout for threats. While prevention is, of course, an essential part of any robust cybersecurity strategy, businesses also need to prioritize detection and response so that serious threats do not even make it past the first line of defense.

Accountability means that people are held responsible for their actions. This involves not only having control and verification systems in place, but also having employees who are ready to report suspicious behavior, whether it comes from within or beyond the organization. This helps promote transparency and build trust between leaders and their employees.

More vigilant use of mobile devices

In the age of distributed work, many employees are accustomed to working from home or on the move. However, despite the many benefits of having a flexible working environment, there are many new risks as well. These risks are often exacerbated in cases where employees can use their own devices for work.

Mobile devices are not just inherently vulnerable to physical theft or loss. Many people do not even use a PIN code to protect their own devices, and very few use device encryption either. If there is any sensitive information pertaining to the DoD on an unencrypted device, then there could be a serious breach of compliance.


While technological solutions like mobile device management (MDM) can help mitigate these risks, employees should also be trained in the safe use of mobile devices, whether they belong to the company or themselves. By raising awareness of the unique risks facing mobile users, you will be doing your employees a favor as well.

Charles IT combines human expertise and cutting-edge technology to help your organization achieve and maintain compliance at scale. Get in touch today to schedule a gap assessment.