By Mette Søs Gottlieb, Learning Expert
Shifting Employee Education
Compliance professionals never rest, always keeping up with the latest regulatory requirements and trying to keep the whole organization trained and compliant. But it’s not just about the latest laws. Compliance and security are directly linked—especially for any industry handling sensitive customer data. In addition to the standard crop of regulations organizations are used to, new regulations are popping up all the time, such as the recently enacted CCPA in California.
To prevent unwanted fines and subsequent brand damage, organizations must ensure that compliance training is effective and streamlined. Besides adhering to rules and regulations, effective compliance training leads to a secure organization with proper governance—two goals most organizations strive to achieve. One of the steps organizations can take to ensure maximum compliance is to bake training into their regular operations and create a culture of continuous training.
According to Kaspersky Lab, 52% of businesses admit that employees are their biggest weakness in IT security, with careless employee actions putting business IT security strategy at risk. Problems run the gamut, but the most common human mistakes include clicking on links, opening unknown attachments, and entering personal or confidential information into what seems like a friendly or familiar account. These errors are driven by social engineering, the technique by which attackers take advantage of error-prone human behavior.
In most situations, these security blunders are not intentional but rather due to a lack of education and/or diligence. Of course, there will always be malicious actors, but their actions happen irrespective of sound security and compliance training and must be treated as outliers.
Ultimately, the fault lies not only with employees who click the wrong link but with the employers who failed to train them properly. Most companies aren’t putting enough money into training when they make technology investments: the bulk of the IT budget goes toward the technology itself and very little toward the training and education needed to use it securely, even though human error accounts for so many of the cyber incidents that occur.
Organizations continue to up their spending on improving the IT security of their business—implementing tools like advanced firewalls and MFA—but tools alone aren’t enough to ensure optimal IT security. Implementing simple but effective security training that stresses the importance of employee actions will create awareness and help ensure your organization can enjoy the flexibility of a modern digital workplace while staying safe.
Organizations need to dedicate more time and effort to cybersecurity hygiene training. Cyber hygiene is a collective term for the practices and steps that users of computers and other devices take to maintain system health and improve online security. Good cybersecurity hygiene doesn’t just help prevent breaches; it also addresses other compliance-related issues, such as preventing data loss or misplaced data.
Companies must have a cybersecurity hygiene policy in place that includes a specific training and education component; organizations must not assume that employees already know these things. Security is now part of everyone’s job, and security training must be baked in.
Security threats are continually evolving, but compliance regulations must still be met. As such, training and education must also evolve. Training isn’t a one-and-done, point-in-time need; as the cybersecurity and compliance landscapes continue to evolve, so must employee education. It needs to be embedded into daily or weekly operations. The best way to accomplish this is by making training easily accessible to employees, at any time and from any location.
A Learning Management System (LMS) is helpful here. With an LMS, you can easily share important updates (regulations, software updates, and so on) and information with every part of the organization and make it available to professionals at all times. You can also provide training that’s specific to an employee’s job role, location, or specialization. For instance, in a healthcare setting, you could offer training to all employees on HIPAA requirements and cyber hygiene, while only the subset of employees who work with the latest IoT medical device will need training on it.
Using an LMS will ease your administrative process and leave you with more time to get the message out to your employees to make your program stick and, over time, ensure a culture of compliance and ethics within your organization.
The need to comply with regulations will not become less relevant and will remain crucial to every organization. The same goes for cybersecurity, particularly as malicious actors evolve new pandemic-themed attacks and exploit work-from-home security vulnerabilities. However, by following the above recommendations, you can take control and move your organization toward compliance and security processes that are current, relevant, and easily accessible, as well as cut down on the expense typically associated with training.