As more and more companies fall victim to data loss through phishing campaigns and insider threats, and as the consequences of losing data grow more serious, companies are struggling to address the risks through employee education efforts. Note that we call it “education” and not “training.” No one likes training, so be mindful of how you present an education campaign to your employees.
I say companies are struggling because there are different ways to implement an employee education program and some are much more effective than others. The hardest thing is to figure out how to start planning for an education initiative.
Companies know that educating employees on the risk of data loss is an important risk management tool. It is a given, but I continue to be surprised at the number of companies that do not conduct any privacy and security training or education of their employees. The excuses are common and consistent: “It’s too hard to get everyone in one place”; “We don’t have it in the budget”; “We can’t afford to take the time out of our regular business”; or “We don’t have time to organize it.”
Employee education has been found to be effective in reducing risk, and it delivers a lot of bang for your buck. There are different ways to implement education programs, and here are some tips from many years of experimentation:
- face-to-face sessions are by far the most effective—even if some staff are present and others are remote—live training is the most engaging
- small lunch and learn sessions or department sessions are effective for large employers
- large numbers of employees can participate in live sessions via Webex
- make the content as interactive as possible
- tell stories that are teaching moments and will keep them awake and alert
- get laughs and jokes in there at times to keep it lively
- give practical tips that they can use in their personal lives as a value add and then relate it to company data
- give them a sense of responsibility as data security ambassadors for the company
- initiate contests and other friendly competitions around data security and give prizes and other incentives
Data privacy and security training is not a one-and-done project. The risks continue to change, technology becomes more advanced, and this area is not static. Therefore, in addition to live educational sessions, companies are getting creative in developing a culture of privacy and security and advancing employees’ education, including hosting hackathons and demonstrating live hacking; offering employees in-house technology sessions on data security; providing pop-up flash video tips; notifying employees of malicious spam; designating employees as data security leaders throughout the organization; and holding educational sessions on the capabilities of smartphones and IoT devices.
If you can’t conduct a live session, then do something. Something is better than nothing, but evaluate the training methods. Some companies check the training box by implementing a computer-generated session, which most employees will complain about, multi-task during, and generally not pay attention to. It is debatable whether this is worth the cost. Evaluate your choices to determine whether they are effective.
Most employees want to do the right thing. Providing them with the tools to do so and making them data stewards engages them in the solution and makes them feel like an important part of the data security process.