Why is it that there is always someone in the information security or privacy field who is otherwise technically astute, but insists on proclaiming that awareness and training is a waste of time and money, based on only one or a few anecdotal situations, and typically without thoughtfully looking at all the details of those situations? Come on, folks; you need to realize that despite all the proclamations and unfounded claims to the contrary, humans DO present the greatest vulnerabilities to information security and privacy programs. They MUST be provided with effective, ongoing privacy and information security education if you want the most effective security and privacy program possible, not to mention if you want to meet a very large number of legal requirements.
As time goes on, and more information security incidents and privacy breaches occur, and more information is put into the hands and care of more end-users who have no background in information security or privacy, such statements are simply bad and reckless advice. Making such statements also makes it harder for information security and privacy pros to do their job as effectively as possible when business leaders believe such hogwash and then wind up cutting funding for information security and privacy education as a result.
I’ve been in the information security and privacy compliance profession for my entire adult career, have built such programs, and have assisted many organizations in building theirs. In the near future I will fill a book with examples of how training and awareness activities have improved organizations’ information security and privacy efforts and outcomes.
Now is a good time to point out that there is greater need than ever before for organizations, of all sizes, to make the comparatively small investment in information security and privacy education for their workers.
Five flawed arguments against information security and privacy education
1. Using single, isolated examples as so-called proof that education in general does not work proves nothing.
Just because there have been incidents where some people acted insecurely after receiving training does not mean that organizations should stop providing regular information security and privacy training.
Using this flawed logic, we could also say that because anti-virus software does not prevent all viruses from entering a system or network, then it shouldn’t be used at all. Bad idea.
Or, with more of this flawed logic, that since firewalls do not keep out everything then they should not be used at all. Bad idea.
Would you tell someone not to use seat belts because they do not protect everyone in all situations? No, it just doesn’t make sense.
The list of such examples could go on for a very long time.
2. Providing training should go beyond IT professionals.
Every individual who uses, stores, accesses, or otherwise handles information is responsible for securing that information while going about their daily job activities. It simply makes sense that if they are using information, they must be made aware of how to protect it. This means that not only IT folks must receive training: everyone who uses or accesses information of any form, in any way, must receive training.
Ultimate responsibility for ensuring appropriate information security and privacy practices, including training and awareness, typically falls to the information security and privacy departments, which are increasingly housed outside of IT anyway, since all forms of information (not just that on the network) must be appropriately secured.
3. All information users have responsibilities to protect the information to which they have access.
To say workers “don’t have the ability to recognize or protect against modern information security threats” is an especially arrogant and pompously inaccurate statement. Everyone who touches information within a business has a responsibility to use and protect it appropriately. Each needs to have a basic understanding of red flags that show possible security threats. Organizations are responsible and accountable for ensuring those workers have had appropriate training to do their work activities securely, and to be aware of indications of common security and privacy threats and vulnerabilities.
4. Sweeping generalizations cannot be made based upon a few narrow observations.
Some IT folks and lawyers have given information security and privacy training advice based on just one type of threat, such as phishing. Giving advice on how to run all information security and privacy awareness and training activities based on only one specific threat, or a few isolated situations involving a very narrow activity, is a bad idea. Isolated events do not support such broad generalizations or conclusions. Certainly, training for that type of event is needed, but so is training for the wide range of other data security and privacy threats and vulnerabilities.
5. Removing education leaves huge gaping security and privacy holes in the business.
I’ve seen many tech experts recommend that organizations put their time and budget into technology controls instead of security and privacy training. Hold on; that is a horrible idea! Removing all information security and privacy education activities and devoting all efforts to technology leaves enormous administrative, physical and operational security and privacy holes, not to mention that it would violate numerous legal requirements that mandate training. The entire lifecycle of information, in all forms, must be considered. There are many points throughout that lifecycle where no technology is involved, and where we must depend upon employees to know how to secure the information.
In my next article I will discuss important points to address when creating information security and privacy training and awareness programs, and I’ll provide a list of legal requirements that require these types of education activities.