How to Create a Compliant Security Awareness Program
As hackers have gotten sneakier and threats have grown more complex, making sure that your end users have received security awareness training and are following best practices is paramount. And it's not just a matter of keeping your networks safe. It's about protecting your organization's bottom line and viability. Downtime or worse, a data breach, can be devastating for an organization and for their clients, customers, and employees.
One of the most effective ways to ensure your organization's end users are on top of security threats is to implement a security awareness program, which is a formal process for educating them about computer security. But why stop there? Even better is a comprehensive program that's compliant with common security standards — because your organization's ability to conduct business could depend on it.
With that in mind, let's explore how to create a compliant security awareness program that also is embraced by your entire organization, from the CEO to the sales floor.
1. Be Aware of Common Security Training Requirements
First things first, you as the CTO or IT manager need to be up to date with the latest security requirements. For example, did you know that on February 1, 2018, the new PCI DSS v3.2 (Payment Card Industry Data Security Standards) training requirements go from best practices to mandatory?
For one, PCI DSS v3.2 has a new requirement (12.4.1) for executive management of service providers to establish responsibilities and a PCI DSS compliance program. Remember that: "The process of adhering to PCI DSS requirements is what is meant to be 'PCI compliant.'" (Troy Leach, Chief Technology Officer at PCI Security Standards Council)
Here's a sample of those requirements:
- PCI DSS 12.6 – Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
- PCI DSS 12.6.1 – Educate personnel upon hire and at least annually.
- PCI DSS 12.6.1.a – Verify that the security awareness program provides multiple methods of communicating awareness and educating personnel (for example, posters, letters, memos, web-based training, meetings, and promotions).
Just about every business these days accepts payment cards/data, so does your organization need to get in compliance with these training requirements? You can thank us later.
You can use laws, regulations, and standards to help develop and later guide your organization's security awareness programs. Standards and best practices can overlap from training to training, so you can't go wrong!
Depending on where your organization is located, being compliant with security standards may be required by the government. This is why it's so crucial to keep abreast of security standards. For example, some states in the United States have their own training requirements, including the Texas Health Privacy Law and Massachusetts Data Security Law. There's also training that is required by various industries such as HIPAA in the healthcare field, or FERPA in the education field.
A good rule of thumb is that if your organization handles, stores, or transfers personal information, a security awareness program is a must. And don't forget that the EU's General Data Protection Regulation comes into effect May 25, 2018. If you or your data subjects are in the EU/EEA, your organization needs to be prepared for a security awareness program.
2. Make it Easy on You & Your Users
Out of the box, there are several things you can do to help your users be more compliant while making their lives easier — while keeping your network safer.
We all know that passwords (*cough* or lack of strong ones *cough*) are one of the biggest security threats facing any organization. Unfortunately, despite your best efforts, users still are using the same password across multiple sites. It's understandable, remembering dozens of unique passwords is a challenge.
So, make things easier for not just yourself, but for your users. Invest in a password manager such as LastPass or 1Password. Not only is a password manager a secure repository for passwords across the organization, they can also provide suggestions for making passwords stronger, or alert you to ones that should be changed.
Multi-factor authentication also needs to be standard within your organization. It's a low-cost, if not free, option that adds an extra layer of security to common clients and actions such as checking your Google Mail.
And the best thing about it is that it will make your users' lives much easier because they won't struggle to remember a bevy of passwords, something all of us have dealt with at one time or another.
3. Provide Security Awareness Training
If you want your users to embrace the importance of security awareness and follow best practices, you need to provide them with training — and make sure it's easily accessible.
Providing engaging on-demand training, whether it's video training or printed materials is crucial. Remove barriers to training.
Better yet, work with your higher ups to make it possible for users to set aside time during their work day to train. Take it one step further by providing a dedicated space for training, one that's not only quiet but comfortable. Make security training convenient and easy for users.
And security awareness training doesn't need to be cumbersome. Online training such as Keith Barker's recently released End-User Security Awareness course keeps things easily digestible, concise, and practical. TeachPrivacy is another good source for security awareness training. Training should be engaging, cover compliance requirements, and provide you with the ability to validate your users' training as well as document that training for compliance reporting.
In the end, finding training materials that don't require sending your users to attend conferences or boot camps is a win-win for everyone. Your boss will be happy because it saves money and keeps employees at the work site. Your users will be thrilled that they don't have to spend time away from their families and friends.
4. Enforce Security Awareness Training
This is arguably is the biggest component of building a compliant security awareness program: Ensuring that your users are not only training but actively engaged in what they are learning.
Unfortunately, there are folks who lag behind when it comes to training or embracing best practices. Even worse, there are some who just don't care. You can use the tried and true method of accountability: If possible, run reports to track progress and send reminders when needed. Or even better, have team leads send out those reminders.
While we aren't a fan of shaming people, it bears repeating that failure to be in compliance can result in actions that can hurt an organization's bottom line (i.e. losing crucial government contracts, public relations nightmares, being subject to fines and enforcement actions). So, users who don't complete required training can put their company's viability at risk. Play the guilt card, if you must.
But here's a better idea: Training Stand Downs. Sounds scary, but we promise it's not that bad (other than the logistics it might take to pull one off).
Here's how a training stand-down works. You block some time off, preferably during a downtime or slow period for your organization. Those users who have completed their training and are following best practices are rewarded with activities like paintball, ice cream parties, or a nice dinner out (or whatever fun activity that will motivate your users!).
Meanwhile, those who need to catch up or get started on their security awareness training have time to hunker down and focus. And hopefully, because most of your users have been diligent about training, the office will be quieter and less hectic.
It's a win-win because many people are motivated by rewards, while others simply will get the training done when they absolutely need to. That said, nobody wants to miss out on the fun of a training stand down, right?
On a less grandiose scale, you could always create a leaderboard and hand out gift cards or praise to the top performers at the next meeting. Here are some more tips, courtesy of our own training manager.
5. Get Everyone Involved
Don't be exclusive when it comes to security awareness. Make sure everyone understands its importance, whether it's a new member of the IT team or the front desk receptionist. Keeping networks and data safe is everyone's responsibility; it's no longer only the IT team's duty.
If you have a user who isn't as tech-savvy, be understanding and patient. Work with them to get comfortable with the processes and systems your organization will use to increase its security posture. It goes without saying — don't make people feel dumb, even if it's seemingly the most obvious point they are missing.
Making everyone a part of, and invested in, the security awareness program will lead to greater participation, and eventually, security awareness practices will become second nature for your users. Buy-in from everyone is crucial to creating a culture of security awareness and compliance.
6. OK, So How Do I Get Everyone Involved?
Half the battle in building a compliant security awareness program is getting buy-in from your users. When you go about launching your program, avoid using words like "cybersecurity" or "IT security" training. Instead, stress that this training goes beyond just keeping their computer or data safe, it's about protecting their organization and their own job.
Also, don't forget your own training. Make sure you invest in yourself and put yourself in the best position to help your organization understand and follow security awareness practices.
Building a security awareness program that's not only compliant but is embraced by your users, can be challenging. But with a little firm guidance, the right training and tools, and a dash of creativity, you can help your users play a major role in being security compliant and helping the organization thrive.