Should we make Cyber Security part of WHMIS in 2020?
So there's a health and safety type course that is required in Canada called WHMIS (Workplace Hazardous Materials Information System). It's intended to help people understand, in a uniform way, which products in their workplace are hazardous, through labelling and information sheets. It's a requirement to train your staff on it.
It strikes me that in 2020 many workers are more commonly using the Internet and IT applications than they are using solvents and pesticides, and that there is no standardised requirement for training on the dangers of the World Wide Weirdos.
Perhaps it is time to standardise training and labelling around these risks and make that a national educational requirement for the workforce: how to recognise phishing, how to use 2-factor authentication, how to report a problem, and how to resist the temptation to plug that USB flash drive you found in the parking lot into the payroll server.
What do you think? We could probably come up with a half-hour self-paced training course, built on a standard taxonomy that draws on some of the great work NIST has done (https://www.nist.gov/cyberframework). Make it mandatory to take within 30 days of starting work, and annually thereafter, for any company with more than 20 team members. I'm not talking PhD-level, multi-year, SANS-style material here; I'm talking Cyber Security best practices 101 for the front line.
I think the payback to the national economy would be large. It would reduce effort in policing (fewer incidents, and more standardised reporting of the ones that do occur). Cyber espionage would go down, and productivity would go up.
Who's in? I'll help develop and deliver the material.