In my last post I covered reasons why providing information security and privacy training, and ongoing awareness reminders, is so important. Now I want to cover three important facts to keep in mind to make your education efforts effective, as well as to meet associated legal requirements.
1. Training and awareness communications must be relevant to learners to be effective.
I’ve believed and practiced this for a very long time! In fact, I created my training packages (such as Security Search and my online SIMBUS training modules) and have provided my on-site and live online training with this very concept in mind. Participants in training and awareness MUST be able to see how the issues relate to them in order to pay attention, and really understand the security and privacy issues, and then carry those lessons learned into their daily work activities.
I not only relate security and privacy issues to individuals personally, but also want them to see how these issues relate to their own lives away from work, and then take the awareness communications to their friends and family and share them. This establishes a sense of ownership of that information, and with it accountability for their own actions.
Unfortunately, there are many very poor, and downright horrible, training content packages and tools out there. I’ve reviewed hundreds of different organizational training and awareness programs, and I’ve seen many types of activities and content that are passed off as “training” but are absolutely the furthest thing from training! In fact, much of what organizations try to use for “training” is actually anti-training, and ultimately hurts all educational efforts. These bad training offerings make otherwise smart people say dumb things about the need for training and awareness, such as calling it a waste of money. The only waste is investing in something that is touted as training but has absolutely no educational value. I’ve seen many organizations make this mistake.
There is so much more to say about this. I cover this thoroughly in my book, “Managing An Information Security and Privacy Awareness and Training Program, 2nd Edition.” I’ve often thought about putting out snippets of the book, one at a time each day or week, just to get tips out there and make folks aware of what is needed for EFFECTIVE training and awareness. Yes, such types of messages are good awareness communications.
2. Humans must know how to secure information; technology alone cannot do it.
In almost every information security incident and privacy breach, humans were the cause in some way. Sometimes because of malicious intent, but more often through lack of knowledge and awareness, or mistakes made because security and privacy were not top of mind. Even when malicious intent was involved, it typically exploited human security unawareness in some way.
Of course, computer systems and applications must be built with more robust and more transparent security capabilities than are currently found. And most apps and internet of things (IoT) devices have virtually no security or privacy protections built in at all. However, when it comes to effective information security and privacy protection, which is necessary to help dam this raging flood of privacy breaches, effective and regular information security and privacy training and ongoing awareness communications are absolutely necessary. Consider these points:
- You cannot create a computer technology so secure that no training is necessary for those using it. You cannot build computing devices so secure that those using them do not need to be told how to use them securely, and in ways that protect their privacy. It’s like saying you can build a car so safe that you don’t need to teach people how to drive safely. Who wants to be on the road with those folks?
- You must provide education to meet legal requirements. Besides being smart and wise to provide effective, regular training and ongoing awareness communications to help prevent information security incidents and privacy breaches, it is also a requirement in most data protection laws and regulations to provide such education. More on legal requirements in the next section.
- Education is a small fraction of the cost of security incidents and privacy breaches. Providing effective information security and privacy training and awareness is one of the most cost-effective, results-producing practices a business can adopt to keep its information assets safe and prevent privacy breaches.
If technology vendors tell you that training is a waste of time and money, it is likely because they want to reach much deeper into your pockets than any education investment would, by selling you a system, service or application that costs tens to hundreds of times as much as any education program you could put in place.