Training is the cornerstone of a successful privacy and cyber security program. Technology fixes and credit and identity monitoring certainly play a large role, but programs and policies are only effective when employees implement them properly. Ensuring that employees and partners comply with data security policies and procedures is an ongoing challenge, and organizations need to take their employee training program to the next level before a data breach occurs, not after.
Training provides the kind of security equity no money can buy. Here are a few basic considerations for creating a training program that is comprehensive, compliant, and relevant to employees.
- Research your regulatory requirements.
Training is generally what drives the proper implementation of data security policies and procedures, and it is also a requirement under certain state and federal laws. For instance, Massachusetts 201 CMR 17.00 requires organizations to develop a written information security program that incorporates ongoing employee training, including training for temporary and contract employees. Knowing which requirements apply to you often provides the leverage needed for stakeholder buy-in.
- Identify the positions or entities responsible for educational program implementation.
Who is responsible for implementing the training program? Is it your privacy or security officer? Your chief information officer? Or does training get implemented by human resources? It could be any one of these or all of them. In any case, make certain that all of these positions work together to govern a timely and coordinated training program, with one owner accountable for the schedule and the records.
- Make sure all employees are trained.
It is a best practice to train all of your employees, regardless of position or status (full-time, temporary, contract). A data breach can originate from any part of an organization: if an employee can access PII in any way, through an application, a shared drive, an email inbox, or a paper file, that employee can cause a breach.
- Utilize role-based training.
Everyone needs training, but not everyone needs the same program. Data security best practices dictate that training should be role-based and weighted by the volume and sensitivity of the PHI and PII that the individual has access to. This can be determined by evaluating job descriptions and job functions, access logs, and other records of data usage, and the same evaluation will often reveal access that a role does not actually need.
- Set up the schedule.
You will want to provide initial training for new employees before they are granted access to sensitive data, and to incorporate ongoing or "refresher" training whenever policies or procedures change or new information needs to be conveyed. Best practice dictates that the training program itself be re-evaluated on a periodic schedule as well, not just for updates but also to determine whether it is actually effective.
- Verify and document all training.
It is a best practice to verify training through documentation, as it demonstrates compliance with regulation and helps limit liability in the event of a breach. Generally, this is done via a signed acknowledgment form, but it can also be accomplished through sign-in sheets for in-person training and completion records or audit logs for online programs, among many other methods. Whatever the method, the record should show who was trained, on what, and when.
- Consider customization of topics.
At the base level, your training program will cover security policies and procedures. However, this is a prime opportunity to build on the role-based approach and customize training so that it fits the scenarios each employee is most likely to encounter in their own work.
- Don’t forget data breach prevention, detection, and escalation.
Apart from proper handling of sensitive information, it is important to train employees to recognize a potential breach and to escalate it promptly to the designated first responders. Employees should know what to report and whom to report it to, since the first few hours after discovery of a breach are crucial to a successful response.
- Integrate regular reminders of key training points.
To keep privacy and cyber security top of mind, engage in ongoing communication with employees. This could take the form of newsletters, emails, login reminders, or any number of other formats.
- Create a cultural shift within the organization.
To be truly effective, training and education should be part of the culture rather than just the "required" act of signing an agreement. Organizations must demonstrate a top-down commitment to understanding privacy and security requirements and to keeping data safe. If management is not on board with the process, frontline employees cannot be expected to take it seriously.