Wes Rhea, the compliance officer and HIPAA privacy and security officer at Alere Health, recently penned an article for BankInfoSecurity.com describing any security system’s greatest weakness: its human end users.
The most sophisticated firewalls, intrusion prevention systems, antivirus solutions and encryption protocols, he explained, can’t protect every organization from human error. “Firewalls do not e-mail patient information to the wrong individual,” Rhea wrote. “Intrusion prevention systems do not leave patient information on a restaurant table. Encryption systems do not forget to follow the clean desk policy, and anti-malware software does not share participant information with unauthorized participants.”
Designing a Network Security Training Program:
Although Rhea was writing about the healthcare industry, his observations about the human factor hold true for any business, not-for-profit or public sector agency. All employees have a responsibility to protect consumer data, even the strongest cloud security solution needs to be backed up by employee vigilance. Unfortunately, companies often assume that their employees know more than they do. They also assume that employees aren’t finding workarounds for security policies. CIOs, CSOs or others responsible for cybersecurity should follow these five guidelines when designing an employee training program.
Make It Easy:
It’s tempting to let the legal department draft the organization’s data protection policy, but a policy that’s written in legalese isn’t going to connect with most employees. Let the attorneys vet the policy, but make sure that it’s written in easy-to-parse language. Keep it short, keep it specific and present the guidelines in a logical order.
In addition to writing a simple policy, make sure that the policy is easy to find. Store it on the company intranet, or put it in the employee handbook. Additionally, come up with a way to make the policy searchable. Add a simple search field to the policy’s intranet page, or utilize the company’s knowledge management system.
Train, Rinse, Repeat:
One e-mail or paycheck attachment about network security isn’t going to get the cyber security message across. Security policy training should take place during onboarding and then 30, 45 and 90 days after the initial training session. In addition, companies should always offer annual refresher. Cyber Criminals come up with new techniques all of the time, and employees need to know how to recognize new tactics. Leverage the organization’s learning management system, and get HR involved with developing training materials.
Provide Visual Aids:
Most organizations pummel employees with corporate minutiae, which means that employees are responsible for a lot of procedural information. Make retention simpler by providing visual aids throughout the building. These visual aids could include break room posters or cubicle flyers, or they could include simple infographics shared on the company intranet. Also, send out monthly network security e-mail updates, and produce a quarterly or bi-annual security-related newsletter.
Hold Them Accountable:
Talk to HR about adding a cyber security competency or competency component to all performance evaluations. For example, a competency such as “Integrity and Trust” could contain line items such as “protects customer information” and “follows security policies.” If someone who has gone through security training posts a password to a cubicle wall using a sticky note, give the employee a documented verbal or written warning. Employees have an obligation to apply the information that they’re given, and their lack of attention could be the one mistake that costs the company millions of dollars.
Ask for Executive Support:
CIOs today stay in their jobs for an average of five years, and one of their biggest mistakes is that they fail to build relationships with other executives and with the board. To get the HR executive to support cyber security training, the CIO should reciprocate by supporting the HR executive’s initiatives as well. Use hard data, such as the cost of data breaches, the percent increase in breach occurrence and other information to let the C-suite know just how much security errors could cost them. Keep them abreast of the latest threats so that they know how dangerous cyberspace can be.
The Bottom Line:
Most employees are conscientious people. They want to do their jobs efficiently, and they want to do them well. Let them know that shortcuts around security procedures ultimately put customers at risk. Every employee is some other organization’s customer. Ask them to protect each customer’s data the way they’d expect other companies to protect theirs.