In my last post I covered reasons why providing information security and privacy training, and ongoing awareness reminders, is so important. Now I want to cover three important facts to keep in mind to make your education efforts effective, as well as to meet associated legal requirements.
1. Training and awareness communications must be relevant to learners to be effective.
I’ve believed and practiced this for a very long time! In fact, I created my training packages (such as Security Search and my online SIMBUS training modules) and have provided my on-site and live online training with this very concept in mind. Participants in training and awareness MUST be able to see how the issues relate to them in order to pay attention, and really understand the security and privacy issues, and then carry those lessons learned into their daily work activities.
I not only relate security and privacy issues to individuals personally, I want them to see how these issues relate to their own life away from work, and then take the awareness communications to their friends and family and share with them. This establishes a sense of ownership for that information, and then accountability for their own actions.
Unfortunately, there are many very poor, and downright horrible, training content packages and tools out there. I’ve reviewed hundreds of different organizational training and awareness programs, and I’ve seen many types of activities and content that is passed off as “training” that is absolutely the furthest thing from training! In fact, much of what organizations try to use for “training” is actually anti-training, and ultimately hurts all educational efforts. These bad training offerings make otherwise smart people say dumb things about the need for training and awareness, like saying it is a waste of money. The only waste is if you invest in something that is touted as training, but has absolutely no educational value. I’ve seen many organizations make this mistake.
2. Humans must know how to secure information; technology alone cannot do it.
In almost every information security incident and privacy breach, humans were the cause in some way. Sometimes because of malicious intent, but more often through lack of knowledge and awareness, or mistakes made because security and privacy were not top of mind. Even when malicious intent was involved, it typically exploited human security unawareness in some way.
Of course, computer systems and applications must be built with more robust and more transparent security capabilities than are currently found. And most apps and internet of things (IoT) devices have virtually no security or privacy protections built in at all. However, when it comes to effective information security and privacy protection, which is necessary to help dam this raging flood of privacy breaches, effective and regular information security and privacy training and ongoing awareness communications are absolutely necessary. Consider these points:
You cannot create a computer technology so secure that no training is necessary for those using the computers. You cannot build computing devices so secure that those using them do not need to be told how to use them securely, and in ways to protect their privacy. It’s like saying you can build a car so secure that you don’t need to teach people how to drive safely. Who wants to be on the road with those folks?
You must provide education to meet legal requirements. Besides being smart and wise to provide effective, regular training and ongoing awareness communications to help prevent information security incidents and privacy breaches, it is also a requirement in most data protection laws and regulations to provide such education. More on legal requirements in the next section.
Education is a small fraction of the cost of security incidents and privacy breaches. Providing effective information security and privacy training and awareness is one of the most cost and results effective practices that businesses can provide to keep their information assets safe and prevent privacy breaches.
If technology-specific vendors tell you that training is a waste of time and money, it is likely they want to put their hands in your pockets, much deeper than any education investment would be, to sell you a system, service or application that is tens to hundreds of times the cost of any education program you could put in place.
Business leaders, be smart; invest in information security and privacy education for your personnel. If you don’t, personnel ignorance resulting from your education leadership dumbness will probably lead to information security incidents and privacy breaches that could have been prevented with effective training and awareness practices in place.
3. There are many legal requirements for information security and privacy training.
I’ve covered this topic many times over the past few decades. As mentioned earlier, there are growing numbers of laws and regulations that include requirements for organizations to provide some type of information security and/or privacy awareness and training to not only their personnel, but also in some instances to their customers and consumers. For example, the fines and penalties applied under HIPAA have increased dramatically when there was no training provided.
The following is not an exhaustive list, but these laws and regulations include the following (I provide full details for most of these within Chapter 3 of my book “Managing an Information Security and Privacy Awareness and Training Program.”)
Specific legal requirements for information security and privacy education
Philippines Data Privacy Act of 2012
Singapore Personal Data Protection Act 2012 (PDPA)
The EU General Data Protection Regulation (GDPR)
California Consumer Privacy Act of 2018
New York State Financial Services 23 NYCRR 500
U.S. Health Insurance Portability and Accountability Act (HIPAA)
U.S. Health Information Technology for Economic and Clinical Health (HITECH) Act
U.S. Fair Credit Reporting (FCRA) Act
U.S. Red Flags Rules
U.S. 21 CFR Part 11 (Electronic Records/Electronic Signatures)
U.S. Bank Protection Act
U.S. Computer Security Act
U.S. Computer Fraud and Abuse Act (CFAA)
U.S. Privacy Act
U.S. Freedom of Information Act (FOIA)
U.S. Federal Information Security Management Act (FISMA)
U.S. 5 U.S.C. §930.301 (for federal offices)
U.S. Appendix III to OMB Circular No. A-130 (2)
U.S. Digital Millennium Copyright Act (DMCA)
U.S. Gramm Leach Bliley Act (GLBA)
U.S. Department of Transportation DOT HM-232
U.S. Sarbanes Oxley (SOX) Act
The Organization for Economic Cooperation and Development (OECD) Security and Privacy Principles
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
Many more at the local, state, federal and country levels world-wide
Additional legal requirements for information security and privacy education are also found within organizations’ contracts and established by their own promises they make within their posted privacy and security notices.
Bottom line for all organizations, from the largest to the smallest:
Humans have always been, and will always be, the weakest link in information security and privacy. Too many organizations either provide for no training and awareness communications or provide completely inadequate or ineffective (bad) types of training and awareness. Every organization of every size needs to invest some time and resources into regular training and ongoing awareness communications. Besides being a smart and wise business decision to provide effective regular training and ongoing awareness, with a comparatively low input cost and tremendous return on significantly better security practices, it is also a requirement in most data protection laws and regulations to provide such education.
More on security and privacy education
I’ve written about this topic often over the past two decades. For example, here are just a few of my articles and one of my books: