On April 15, 2019, a fire broke out at Notre Dame Cathedral in Paris, and many watched as roughly 500 firefighters struggled to contain it. The cause of the fire remains unclear. According to a recent report, the security guard in charge of watching and protecting the Cathedral may have accidentally sent his colleague to the wrong building when the fire first sparked. This was a major communication error; had the guard gone into the right building, some of the fire damage could have been contained.
The report also found that the employee who relayed the fire's location to the guard was only on his third day of work and was still very new to the alert system. The alert system was complicated, raising questions about whether the employee even understood the alert.
According to the New York Times, “The first hour was defined by that initial, critical mistake: the failure to identify the location of the fire, and by the delay that followed. The second hour was dominated by a sense of helplessness. As people raced to the building, waves of shock and mourning for one of the world’s most beloved and recognizable buildings, amplified over social media, rippled in real time across the globe.”
As stated in The New York Times, many factors compounded the errors:
- The alarm system was highly technical but so involved that employees had trouble understanding where the fire was located
- The new employee manning the station was likely not fully up to speed
- The guard was sent to the wrong location due to a possible miscommunication
- No sprinklers or firewalls were in a crucial part of the building
- There was a lack of water pressure, so the firefighters had to resort to a strategy that was much riskier in terms of their safety in order to contain the fire
These factors triggered finger-pointing over who was at fault for the fire going untamed for so long.
So, you may be asking, what does this tragic incident have to do with IT security?
The Notre Dame Cathedral staff thought through a lot of the technical aspects of fire protection, but they didn’t think about how humans factor into their security. You can spend a lot of money to detect a fire but, in the end, the outcome was the result of a clumsy human response. This raises several questions: Were their employees properly trained? Did they understand how to read the alert system? Were there measures in place in case an employee made a mistake? Had they conducted training exercises or trial runs?
The best technology in the world is only effective if your employees are properly trained and you have a well-thought-out crisis plan in place.
Data breaches and other security incidents can be contained if employees know how to recognize issues and raise the alarm. If they don’t, the result can be devastating to an organization. News of a data breach can spread the same way news of the fire at the Cathedral did: via social media, where the message is not within an organization’s control.
Employee education and security awareness, including crisis training, are an important factor in your business security ecosystem. For employee education and security awareness training to be effective, it must be flexible and not rely on a cookie-cutter approach. That means the content presented needs to be adapted to each of the attendees. Training needs to incorporate the latest information available in cybersecurity and also employ scientific adult learning and neuroscience principles, both to make learning more effective and to better combat social engineering exploits.
If you have questions regarding effective security awareness training or if you want to learn more regarding how to ensure your colleagues are confident in their ability to recognize the underlying forms of attacks common to social engineering and data breach exploits, please reach out.