How Information Security, Privacy Training, and Awareness Benefit Business
By Rebecca Herold, Posted 01/09/10
Training and awareness initiatives within organizations are like the dust bunnies hiding under your bed that you never want to think about. However, business leaders would be wise to realize that there is not a more effective information security and privacy defense than informed and aware personnel, as Part I of this three-part Executive Updateseries shows. Humans are the weakest link in the information security and privacy defense program. Building a culture of performing job responsibilities with information security and privacy in mind, every day, will help to dramatically reduce the number of security incidents and privacy breaches and will bring a much greater return on a comparatively small investment (of minimal time and modest dollars) than any expensive technology system can deliver.
CONSIDER YOUR PERSONNEL INTERNET USE
Businesses depend heavily on personnel use of the Internet to perform business activities. But have personnel received enough training and ongoing awareness communications about how to use the Internet securely? Has your staff received any training or awareness communications at all?
Probably not, according to a recent survey by the Ponemon Institute1showing that the Internet applications posing the most information security and privacy risks are, in order from the most risk:
- Google Desktop search
- Google Talk
How many of your personnel are using these Internet applications? How many in your business network? How much training has your organization provided for how to use them in a secure manner? Using just a firewall and tools that prevent malicious code will not keep your personnel from falling victim to the social engineering schemes and silent infiltration of your organi-zation’s computers that can result from using not only these specific tools but also Internet use in general. Too few organizations provide targeted training for secure Internet use, leaving the information assets vulnerable to the many real and significant threats that exist when using the Internet.
Close to half (53%) of the organizations in the Ponemon survey indicated they have a training and awareness program covering information security policies. However, this does not coincide with the numbers of respondents (41%) who did not even know there were information security policies covering the use of these Internet tools while on the company network and computers. Apparently, the training is not effective, and there is likely a lack of ongoing awareness communications about the issues.
CONSIDER MOBILE COMPUTING
Most organizations have a mobile workforce, whether they plan for it or not. Their personnel use laptops, BlackBerrys or other PDAs, cell phones, and other electronic devices to conduct business at their homes and on the road. Those devices can pose significant business threats when used without security in mind. More mobile computers and data storage devices are used in business than ever, and there will be more as time goes on. Devices that store business information include notebook computers, smartphones, PDAs, USB memory sticks, GPS units, and, yes, even MP3 players, such as iPods. Because of lack of awareness, they are also commonly involved in serious information security incidents and privacy breaches.
Outsourcing is also a growing trend, and many of those outsourced entities have mobile workforces who have your organization’s information in their hands, on their computers, and in storage devices. I’ve done security program reviews for more than 150 vendor and business partners in the past few years, and a large number of them, well over half, allowed their workers to work from home offices, or while traveling and away from the office. Very few provided those workers with information security or privacy training to help them know how to protect mobile devices and information processed away from the organization’s more secure facilities.
In addition to worms, Trojans, and the loss and theft of mobile devices, spam and phishing schemes are beginning to make their way to mobile communications devices, such as smartphones. Also known as SMiShing, these threats use SMS to transfer spam and phishing messages to mobile phones, putting confidential information at risk. Another threat targeting smartphones is spyware. Some of it, also known as snoopware, can secretly turn on the microphone and camera on a phone to record conversations and other dialogue in the immediate vicinity of the phone. This particular threat can be especially dangerous to users who discuss sensitive business and personal information.
Do your personnel know how to defend against these mobile computing and working threats? Do your business partners?
A recent Cisco report shows that insider threats, most of which result from lack of knowledge, have the potential to cause greater financial losses than attacks that originate outside a company.2The report says this about IT professionals:
- 33% were most concerned about data being lost or stolen through USB devices.
- 39% worldwide were more concerned about the threat from their own personnel than the threat from outside hackers.
- 27% admitted that they did not know the trends of data loss incidents over the past few years.
It seems that not much training about mobile computing and mobile devices is occurring. As new mobile computers and storagedevices, and their accomcpanying threats, are appearing all the time, it becomes increasingly important for the individuals using them to know the associated risks so that they may do their work in the most secure manner possible. The security and privacy risks associated with mobile computers, devices, and mobile workers are not obvious, and you cannot expect your personnel to know the related security requirements if you do not effectively communicate those them.3
BUSINESSES ARE LEGALLY REQUIRED TO PROVIDE TRAINING
If just the risks of Internet use and mobile computing alone are not enough to persuade you to implement information security and privacy training and ongoing awareness communications, perhaps it is more compelling for business leaders to understand that training is required by a growing number of laws, regulations, and industry standards. And, if you have business partners, I wouldn’t be surprised if you also had contractual obligations to provide training.
Many laws and regulations require awareness and training as part of compliance. The most commonly discussed current US regulations are HIPAA, SOX, and the Gramm-Leach-Bliley Act (GLBA). However, personnel education has been a requirement under other guidelines and regulations for several years. For instance, the US Federal Sentencing Guidelines enacted in 1991, used to determine fines and restitution for corporate convictions, have seven requirements, one of
which is for executive management to educate and effectively communicate to their personnel the proper business practices with which they must comply.
Consider just some of the training and awareness requirements. Not an exhaustive list, the items in Table 1 include some laws, regulations, and an industry standard that require personnel education.
Include your legal counsel in discussions regarding information security and privacy, especially the education program activities. It is important to have knowledge of the legal ramifications and requirements for training and awareness activities. Additionally, this is a great awareness-raising opportunity for you to have with your lawyers, who often do not understand all the implications related to information security and privacy activities. Growing concerns for managers, lawyers, and human resources personnel are the legalities of information security and privacy risks as well as managing legal compliance with applicable laws and regulations. A plethora of international, federal, and state laws govern how personnel and individuals with access to personal and confidential information must be trained.
The legal consequences of inadequate training span a wide spectrum, from regulatory penalties and fines all the way to lawsuits for failure to show due diligence by not effectively training personnel and establishing an environment that clearly has a standard of due care that is known to all personnel. In general, an organization legally establishes the duty to train and make personnel aware in three ways:
- Certain industries have a minimum standard of care that applies to organizational training and awarenessprograms. The standard is considered the level of activity and conduct expected of similarly trained professionals within similar organizations or industries; for example, in the healthcare and financial fields.
- A statute or a regulatory requirement may establish a standard of care that governs a specific type of information or specific type of industry.For example, the US Children’s Online Privacy Protection Act (COPPA) governs specifically how information must be handled and controlled, establishing a standard of care over that information. Such expected standards of care, often in combination with an organization’s policies and published promises, can result in judicial decisions beyond applicable regulatory fines and penalties.
- An organization’s own policies, procedures, and other practices can establish a standard of due care, especially when the organization clearly exceeds any applicable minimum regulatory or statutory requirements.Exceeding requirements can certainly help to draw more customers, establish a better public perception, and increase business competitiveness by showing concern about security and privacy, which is possibly greater than a competitors’. However, keep in mind that exceeding requirements may establish a new, higher standard of due care for your organization with which you must comply. This higher standard could be considered within any potential and related legal action within which your organization is involved.
Table 1 — Laws, Regulations, Standards
PROVIDING PERSONNEL EDUCATION IMPROVES BUSINESS
Information security incidents and privacy breaches often result from risky behavior by personnel who are unaware that the way they are handling information is unsafe. A significant factor for this problem can be attributed to a lack of security policies, along with inadequate or nonexistent training and lack of awareness communications. According to the previously referenced Cisco study:
- 43% of IT professionals said they are not educating personnel well enough.
- 19% of IT professionals said they have not communicated the security policy to personnel well enough.
While these numbers are significant, I believe they are too low and do not represent reality.
How much effort and planning has your organization put into information security and privacy training and awareness efforts? Do you know who does your information security and privacy training? Have you taken a look at it lately? Is it effective, or just a token act to barely meet legal requirements? And do you have ongoing awareness communications about information security and privacy? Are they engaging and actually read by your personnel? If not, maybe it’s time for a change.
A rising tide of studies confirms that internal data theft and loss are far more costly to business than external attacks. All it takes is one user clicking on one phishing e-mail to compromise confidential information. Regular training and ongoing awareness communications will result in large savings of time and money from not having to deal with information security incidents and privacy breaches.4
To recap, effective, carefully planned information security and privacy training as well as ongoing communications not only supports but also improves business in many ways. Training and awareness:
- Reduce the number of information security incidents and privacy breaches that would have resulted from personnel unknowingly doing nonsecure activities.
- Comply with a wide range of laws, regulations, industry standards, contractual requirements, and corporate policies.
- Establish an established and documented standard of due care.
- Demonstrate to personnel and business partners the importance of incorporating information security and privacy practices into daily work activities, and supports a culture of security and privacy preservation.
- Visibly show your customers you care about their information and are taking all steps necessary to protect it. Happy customers will remain yours, improving customer retention numbers.
In the next Update in this series, I will discuss information security and privacy training and awareness for personnel. The final installment will focus on information security and privacy training and awareness for vendors and business partners.
1“2008 Study: Uncertainty of Data Breach Detection.” Ponemon Institute, 2008.
2“Data Leakage Worldwide White Paper: The High Cost of Insider Threats.” Cisco, 2008 (www.cisco.com/en/US/ solutions/collateral/ns170/ns896/ns895/white_paper_ c11-506224.html).
3On 31 October 2008, the National Institute of Standards and Technology (NIST) released Special Publication 800-124: “Guidelines on Cell Phone and PDA Security” (http://csrc. nist.gov/publications/nistpubs/800-124/SP800-124.pdf).
4For details about how to create an effective program, see my book: Managing an Information Security and Privacy Awareness and Training Program.Auerbach Publication, 2005.
ABOUT THE AUTHOR
Rebecca Herold, CISSP, CISA, CISM, FLMI,CIPP, is a Senior Consultant with Cutter Consortium’s Enterprise Risk Management & Governance practice and a contributor to that advisory service. She has been an information privacy, security, and compliance consultant, author, and instructor with her own company, Rebecca Herold & Associates, LLC, “The Privacy Professor” since mid-2003. Ms. Herold has more than 20 years of privacy and information security experience and has provided information security, privacy, and compliance services to organizations in a wide range of industries throughout the world. In 2008, her blog was named one of the “Top 50 Internet Security Blogs” by the Daily Netizen. In both 2008 and 2007, Ms. Herold was named one of the “Best Privacy Advisers” as well as “Best Privacy Firm” by Computerworldand, in 2007, she was named one of the “Top 59 Influencers in IT Security” by IT Security. She is also an Adjunct Professor for the Norwich University Master of Science in Information Assurance program.
Over the past decade, Ms. Herold has been delivering one-and two-day information security and privacy training workshops that help organizations learn how to effectively manage their information security, privacy, and legal areas in order to most effectively assure privacy and regulatory compliance while efficiently implementing security controls. She has created customized one- and two-day training for the specific needs of many different organizations. Ms. Herold is the creator and editor of Protecting Information, a multimedia security and awareness quarterly publication, the training tool “Security Search #1,” and is releasing a series of online information security and privacy training modules.
Ms. Herold has served as a board and council member of various organizations. In addition, she is frequently interviewed and quoted in Wired, Popular Science, CUinfosecurity, Bankinfosecurity, SearchWinIT, Consumer Financial Services Law Report, Computerworld, hcPro Briefings on HIPAA, SC Magazine, SearchSecurity, Information Security, Business 2.0, Disaster Resource Guide, Boston Herald, Pharmaceutical Formulation and Quality, IT Business Edge, Fortifying Network Security, IT Architect, CIO Strategy Center, Physicians Weekly, IEEE’s Intelligent Systems, Cutter IT Journal, Health Information Compliance Insider, Baseline, Western Michigan Business Review,and others, including the “Privacy Piracy” California radio broadcast and the “Michigan Technology News” radio broadcast.
Ms. Herold is currently working on her twelfth book. Other books she has written include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Privacy Management Toolkit, and she cowrote The Practical Guide to HIPAA Privacy and Security Complianceand Say What You Do. She has also authored chapters for dozens of books along with more than 100 published articles, including contributions to Cutter Benchmark Reviewand Cutter IT Journal(as Guest Editor). Ms. Herold has been writing a monthly information privacy column for the Computer Security Institute’s Computer Security Alertnewsletter since 2001 and contributes articles to other publications regularly. Ms. Herold has a BS in math and computer science and an MA in computer science and education. She can be reached at email@example.com.
The Executive Update is a publication of the Enterprise Risk Management & Governance Advisory Service. © 2009 by Cutter Consortium. All rights reserved. Unauthorized reproduction in any form, including photocopying, faxing, image scanning, and downloading electronic copies, is against the law. Reprints make an excellent training tool. For information about reprints and/or back issues of Cutter Consortium publications, call + 1-781-648-8700 or e-mail firstname.lastname@example.org.