As education becomes an increasingly vital tool in companies’ security toolboxes, the question arises: how can they effectively implement security awareness training?
If you had told me a few weeks ago that many business leaders were unaware of a major piece of privacy legislation that’s set to go into effect in a few months, I might not have believed you. But after talking to business leaders at ChannelCon in Las Vegas earlier this month, I see things very differently. While this situation may seem problematic, I see it as an opportunity for education.
At the recent ChannelCon event – CompTIA’s annual conference for VARs, MSPs and IT solutions providers from the SMB sector – I helped present a few sessions. One of these sessions was a panel discussion about the California Consumer Privacy Act (CCPA), which also included ESET experts Cameron Tousley and Tony Anscombe. The other two sessions were part of the IT Security Community: one featured a more in‑depth presentation from Tony about CCPA, and the other was a panel discussion about implementing security awareness training.
While only two of these talks were explicitly about CCPA, even the security awareness training session ended up wandering back into discussion of this upcoming legislation. The general sense I got, especially from the questions asked by practitioners in attendance, was that few people did indeed know much about this major piece of legislation. Those who did have an awareness of the new regulations assumed it would not affect them.
The first of these sessions was the panel discussion with Cameron, Tony and me. We addressed some frequently asked questions about CCPA, including how it differs from similar European privacy legislation called the General Data Protection Regulation (GDPR). One major difference that Tony highlighted was the absence of any counterpart to GDPR’s requirement (which applies to certain organizations, such as those processing personal data on a large scale) to designate a Data Protection Officer: someone who coordinates and oversees all activities related to the protection of data within a business.
While the title of this position would seem to imply that it’s primarily about bits and bytes – making sure that security and privacy are maintained on all of a company’s devices – much of the job is also about making sure that the humans who interact with the data understand their responsibilities as well. It’s very much about ensuring that people are educated and taking full responsibility for their roles in maintaining the privacy and security of data and devices.
In the second session, we discussed exactly that: how companies – especially MSPs – can effectively implement and then market security awareness training. We discussed the benefits of implementing training, as well as the challenges, to find ways to address and overcome those difficulties.
The general consensus amongst the panelists, as well as the audience, was that it was imperative for MSPs to make sure they’re implementing regular training exercises and documenting the results. While the suggestion to hold training may seem obvious, documenting it has less obvious benefits. A record of trainings can be very helpful in legal challenges in the aftermath of a breach, showing that your organization has done its due diligence to secure sensitive data. It also helps establish trust with customers, as MSPs can show they’re actively working to mitigate risks to their company as well as to their customers. And, finally, it can be a business differentiator for MSPs to have some “best practice” suggestions to share with customers who may be having challenges implementing their own training.
Our final session at ChannelCon was Tony’s presentation about CCPA and GDPR, which had a wealth of valuable information on the implications and importance of this privacy legislation. Some of the data he shared is available in this ESET blogpost, and we’ll be expanding on that information with a number of other resources that will be available in the coming weeks. (Watch this space!)
It’s refreshing to hear so much interest from practitioners in making sure that everyone is included in efforts to educate staff on ways they can better protect themselves and their organizations. It wasn’t long ago that the prevailing sentiment within the industry was that non-security experts were forever unreachable, and that we shouldn’t really bother. While technology will always play a crucial role in securing data and devices, leaving the human factor out is a recipe for disaster.
There’s now a much better understanding that we really need to meet people where they are. To do this, we need to use current, data-driven education methods to make sure our message is not only heard, but also understood. We can’t effectively force our staff to take security training to heart; we also need to explore the many ways to encourage them. We must offer them the proverbial carrot, not just the stick.
Part of this encouragement can be offering incentives to participate in training early and often. That can either be targeted to individuals (e.g. “the first 15 participants get a gift card!”), or groups (e.g. “the team that gets the most people to participate gets a catered lunch!”), or both.
You can also identify the “influencers” within your organization, who are the most effective messengers for the training. One panel attendee noted that in one organization, after a particular senior manager talked about their training experience, there was almost 100% participation. Previous methods of encouraging attendance got less than half of recipients to attend.
And last, but certainly not least, panelists and audience alike agreed that short, regular trainings were much more effective than a single, longer session. This keeps the training material manageable, keeps topics fresh and relevant, and keeps the information in participants’ minds for longer.
As more countries and states adopt privacy legislation, education will become an increasingly vital tool in companies’ security toolboxes. We can all stand to learn more about how to secure our data and devices (including yours truly!). This will always be an area of study that changes rapidly, as threats, technology and our understanding of “best practice” evolve.