There is no doubt that everyone is tired of hearing about security breaches. From Epsilon to Sony to Sega to Citigroup, computer users wonder if anyone cares about online privacy and security. Well, there is one person who always has our interests first and foremost: Rebecca Herold. Recognized as one of the “Top Influencers in IT Security,” one of the “Best Privacy Advisors in the World,” and holder of five professional certificates (CIPP, CISM, CISA, CISSP, FLMI), Rebecca is an internationally-known author, blogger, instructor, and consultant specializing in information security, privacy, and compliance.
Rebecca’s book, Managing an Information Security and Privacy Awareness and Training Program (2nd Edition) is the definitive read on the subject, but it isn’t just for infosec professionals. It offers a wealth of data for professionals in all business units in addition to techies because as Hal Tipton wrote in the foreword, “Information security is now realized by many experts to be more of a people problem than a technical one.” Former Chief Information Officer for the US Department of the Interior, Daryl White, said in 2002, “You can’t hold firewalls and intrusion detection systems accountable. You can only hold people accountable.”
Rebecca wrote in the book’s introduction, “As time goes on, and more and more information security incidents and privacy breaches occur, I continue to hear otherwise smart people say silly and completely wrong statements about the need for (or lack of) information security and privacy training and awareness…In almost every information security incident and privacy breach, humans were ultimately the cause…I hope this (book) serves as a type of cookbook for your education efforts…tools, tips, worksheets, case studies, ideas, resources, and research on regulatory requirements for education of which practitioners must be aware.”
When security breaches occur, many things happen. Customer trust is lost. Customers go to the competition. Brand value disintegrates. Breach response activities result in significant costs to the business. The time involved for breach responses can go on for years, and resulting penalties and sanctions could extend into the millions of dollars.
There are two basic components to a security and privacy awareness training program: corporate reputation and personally identifiable information (PII). Companies succeed as a result of sales and repeat business, and if their reputation is tarnished, they may lose all of their customers. Successful companies identify their target audiences, develop media strategies, develop procedures to address customer complaints, and establish and maintain security/privacy/crisis management protocols. Further, to gain and keep customer trust, successful companies must use good judgment when collecting and maintaining customer data – and these companies also provide clear opt-out options on every communication, every time.
One take-away that can be applied immediately when creating your own information security and privacy awareness training program is this list of five ways to motivate personnel to participate in training and to comply with policies and procedures:
- Include security and privacy as specific objectives in job descriptions.
- Periodically require personnel (including vendors and consultants) to sign a security and privacy agreement that supports your organization’s policies and standards.
- Establish security and privacy as specific objectives within the scheduled periodic performance appraisals.
- Obtain support from executive management to commit to explicitly reviewing the security and privacy performance of all managers.
- Implement security and privacy rewards and penalties that are clearly supported by management.
Since education is so critical to the establishment and maintenance of an effective and long-lasting information security and privacy awareness training program, Rebecca also suggested that any or all of the following accompany performance appraisals:
- Participating in an annual security and privacy promotion week.
- Exemplary daily clean desk practices (e.g., no more post-its with passwords attached to computer monitors).
- No infractions found during security and privacy reviews.
- Promoting security to team members by writing memos, giving presentations, etc.
- Reading security newsletters on the company’s Intranet.
- Participating in information security and privacy training.
- Notifying team members of newly discovered security risks and how to address them.
- Viewing information security videos.
- Participating in information security and privacy contests.
The key is that information security and privacy awareness must become part of an individual’s job – something that becomes second nature like effective time management practices. When employees become lax or leaders stop focusing on the importance of information security and privacy, well, we don’t want to remind ourselves what happened with Epsilon and the other companies who have been in the news recently.
Also, the information must be clear and engaging. If it is complex, employees will avoid reading the information like the plague. As Rebecca suggests, “Make it easy for personnel to get security and privacy information, and make the information easy to understand…[And] the most important aspect to remember is that security awareness is ongoing and not just an event to do once.” Bottom line: make information security and privacy awareness training a regular occurrence.
Learn more: http://www.privacyguidance.com
Rebecca’s Blog: http://www.privacyguidance.com/myblog.html
Rebecca’s Monthly Tips: http://www.privacyguidance.com/eTips.html
Follow Rebecca on Twitter: http://twitter.com/#!/privacyprof
Connect with Rebecca on YouTube: http://www.youtube.com/user/PrivacyProfessor