Should we make Cyber Security part of WHMIS in 2020?

So there’s a health and safety type course that is required in Canada called WHMIS (Workplace Hazardous Materials Information System). It’s intended to help people understand, in a uniform way, which products in their workplace are hazardous, through labelling and information sheets. It’s a requirement to train your staff on it.

It strikes me that in 2020 many workers are more commonly using the Internet and IT applications than they are using solvents and pesticides. And yet there is no standardised requirement for training on the dangers of the World Wide Weirdos.

Perhaps it is time to standardise training and labelling around risks and make that a national educational requirement for the workforce: how to recognise phishing, how to use 2-factor authentication, how to report a problem. How to avoid the temptation to insert that USB flash drive you found in the parking lot into the payroll server.

What do you think? We could probably come up with a 1/2 hour self-paced training course, with a standard taxonomy built on some of the great work that NIST has done (https://www.nist.gov/cyberframework). Make it mandatory to take it within 30 days of starting work, and annually, for any company with more than 20 team members. I’m not talking PhD multi-year SANS level material here, I’m talking Cyber Security best practices 101 for the front-line.

I think the payback to the national economy would be large. It would reduce effort in policing (fewer incidents, and more standardised reporting of the ones that occur). Cyber espionage would go down, productivity would go up.

Who’s in? I’ll help develop and deliver the material.

5 Comments on “Should we make Cyber Security part of WHMIS in 2020?”

  1. I think it’s a great idea – but cybersecurity is fundamentally different from other risky things like explosives based on the incentives in play. When everyone is wise with USBs they merely pivot to another infiltration vector. The WHMIS content is relatively static, but cyber hygiene is necessarily dynamic. I’m sure we can all agree on a few standards, but very quickly those will shift and be 2020 standards.

    Dystopian thought of the day (near certainty to occur): Major cloud provider breached, cloud provider has read access to corp e-mail of all of its customers (e.g. performing DLP). Marry that dataset with what we’ve got going on in the AI space (GPT-3) – consider the ramifications to spearphishing the very next day. Your very blog could already be harvested to mimic you to spread fake news to your customers, to your investors, to manipulate your stock. Will we begin to see 2FA on all communications… curious your thoughts (btw I have no idea why, but when I read your headline this was exactly what came to mind..)

    • the thing w/ security… it never hurts to uplevel.
      just like taking WHMIS doesn’t make me an expert in explosives or corrosives, but merely makes me more aware and know when to ask for help…
      a little bit of preventative up-front training on the basics of phishing can be a good thing.
      sure, you won’t address complex, targeted attacks, but you can create a scorched-earth policy for the low-hanging ones.

      just like locking the door on your car is not a guarantee it won’t be broken into, but it does knock out an entire class of criminal, so too can having that cybersec 101 in all staff create some herd immunity, etc.

      Defense in Depth is not a panacea, not a single activity, but many.

      if we made simple cyber threat awareness training in all disciplines, it would help us to have more time to spend on other threats.

      as to multi-factor for all, I agree!

  2. I’m on board if it could lead to an update of Forklift Driver Klaus (youtube it) showing the cyber security dangers of compromised industrial systems.
