Debating if your business should invest in privacy training? If your organization handles personal information it should be a no-brainer. Privacy training, which should include lessons on information security, is critical in protecting and defending important information assets.
Every day organizations trust staff to handle sensitive information, from personal details to finances, health data, past employment and competitive intelligence. Yet so often, we give access to this data and assume they'll know how to care for it. Not all valuable information will be self-evident to staff, and security teams must share their safe habits. Proper training helps employees recognize the signs of a problem in progress and prevent accidents from happening. It takes the expectations laid out in policies and reinforces the expectation that staff will act on them. Privacy training helps staff identify personal information, use proper safeguards and avoid malicious traps.
Need more evidence? Here are five reasons why your team needs privacy training, now.
When privacy training is a requirement by law
If your organization collects or processes personal information, pay attention. Many privacy laws require staff training as a condition of compliance. This can be an explicit requirement, or oversight can be included under the responsibilities of privacy officers. Lack of training not only increases your risk of error, but it can have a heavy impact on post-breach penalties. The Office of the Privacy Commissioner of Canada specifically treats lack of training as an unsatisfactory safeguard when investigating an incident.
Laws and standards where training is mandated include:
- PIPEDA: Under Principle 1, Accountability: “Organizations shall implement policies and practices to give effect to the principles, including c) training staff and communicating to staff information about the organization’s policies and practices.”
- GDPR: implicit; Article 37 requires controllers to monitor compliance with the regulation, including "the assignment of responsibilities, awareness-raising and training of staff involved in processing operations."
- HIPAA: ‘Security Awareness Training’ is required under section 164.308, Administrative Safeguards.
- Payment Card Industry Data Security Standards (PCI-DSS): Requirement 12.6 states “a formal security awareness program must be in place”.
Training: your best defence against phishing attacks
Social engineering is at an all-time high. According to the 2019 Data Breach Investigations Report by Verizon, 90% of breaches start with a social engineering or phishing attack. That’s bad news for those who rely on technical security solutions alone. Gone but never forgotten is the scam email full of spelling errors asking for money. Now, hackers use every bit of information they can find to make their messages look legitimate, innocent and/or urgent. They 'phish' by sending an email that appears legitimate, trying to get the user to click a link and enter access credentials, or download malware. Messages range from templates that merge a name with acquired data to sophisticated impersonations of your best friend, family member or boss. The reality of information security is that using legitimate credentials to steal data is much easier than trying to find code exploits. Hackers increasingly aim to have users hand over access keys.
Training remains your best defence against phishing: staff stop attacks by not clicking malicious links and by not sending sensitive data, including access credentials, to waiting parties.
Preparing actions in the event of an emergency
Chances are your office has an individual designated to take the lead in the event of a fire. Your office performs evacuation drills, and prepares for the 'what if' scenarios to ensure that when sparks start everyone gets out safely. Emergency training is common practice. For instance, we're all accustomed to evacuation rehearsals in the school yard, and expect firefighters to engage in regular drills. Preparing for a data breach requires the same discipline. If you want organized troops when things go wrong, you’ll need to engage in regular exercises. A little time invested early saves time when actions are critical.
Training instills confidence, cutting back on questions of what to do and reminding all staff what they need to be aware of. Ideally, privacy and security training stresses appropriate reactions. Stop panicking and analyze the situation. Can everyone spot the signs of danger and immediately contact a higher officer? Do you need a full staff alert, or are there steps to isolate the malicious activity right away before it evolves into a crisis? Many times damage can be mitigated or severely limited by performing the right actions right away.
Go with the data: training's positive impact on security efforts
If you need something to take to the board, there's lots of data out there that supports the positive impact of training. Be careful, however, of relying only on an ROI formula: as the Defence Works points out, there are a lot of intangible variables in training that don't lend themselves well to ROI calculations. Instead, consider the following:
- Changing employee behaviour reduces data breaches by 45 to 70%
- Phishing and malware have been the top cause of data breaches for 8 consecutive years; they're not going away.
- Think you need less training for younger cohorts? In fact, ages 18-34 are the most careless with their passwords.
- 43% of attacks are directed at small businesses. Privacy and security awareness are needed no matter what size you are!
Odds are high you haven’t done enough
According to MediaPro, 78% of healthcare workers showed a lack of data privacy and security preparedness. That's more than a little disturbing. Health data can be extremely sensitive personal information. Worse, it's also a prime target for attacks: medical information can be sold for anywhere from as low as .50 cents to thousands of dollars per record on the dark web.
So why the lax training? For starters, compared with other responsibilities, workforce education is easy to put off. It requires time, both in set-up and delivery. Unfortunately that often pushes it to the back burner. “We’re in a crunch”, “We’ll do it later” come the cries, or even “it’s a waste of time”, although the data above argues differently.
One more item as you go forward, and hopefully start planning: it's also critical to keep a record of training. Do you have evidence that shows who was in attendance, when training was delivered, and what topics were covered? Organizations must have documentation that demonstrates accountability for privacy, and this should always include hard evidence of staff learning. By keeping track of dates, attendees and topics we have records that the safeguards are in effect. Bonus: by keeping track, it becomes easier for your team to identify areas that you're overlooking. In other words, a SWOT analysis: the ability to analyze where new learning opportunities are.