The U.S. Department of Homeland Security (DHS) has designated October as National Cyber Security Awareness Month. But as we leave October, remember that data security is an ongoing challenge that requires continued vigilance not just against information system hacking, but also against employee error and other threats. Setting up a comprehensive training and awareness program is critical – and this outline can help you continue keeping your organization aware of cyber security throughout the year.
DHS’ purpose is to engage and educate public and private sectors through events and initiatives that raise awareness about cybersecurity, make certain tools and resources available, and increase our resiliency in the event of a cyber incident. This is a great effort and DHS collects helpful information and a number of resources for visitors to its site. But by selecting October to draw attention to cyber security, surely DHS did not intend that October be the only month that we think about this important area.
Earlier this year, the FBI reported a significant increase in ransomware attacks. Late last year, the Wall Street Journal reported on a survey by the Association of Corporate Counsel (“ACC”) that found “employee error” is the most common reason for a data breach. Training and awareness-building to deal with these continued and growing risks are critical. In fact, for many organizations, doing so will help satisfy legal requirements for securing data. And it is a mistake to believe that only organizations in certain industries like healthcare, financial services, retail, education and other regulated sectors have obligations to train employees about data security. A growing body of law, coupled with the vast amounts of data most organizations maintain, should prompt all organizations to assess their data privacy and security risks and implement appropriate awareness and training programs.
Here are some questions to ask when setting up your own program, which are briefly discussed in the report at the link above:
- Who should design and implement the program?
- Who should be trained?
- Who should conduct the training?
- What should the training cover?
- How often should training be provided to build awareness?
- How should training be delivered?
- Do we need to document the training?
No system is perfect, however, and even a good training and awareness program will not prevent data incidents from occurring. But in the absence of such a program, the question you will have to answer for your organization likely will not be why the organization didn’t have a system in place to prevent all breaches. Instead, the question will be whether the organization had safeguards that were compliant and reasonable under the circumstances.