(As published in the November/December 2018 issue of MediNews)
Over the past several years, I’ve spent considerable time with clients working to develop better IT policies when it comes to things like Acceptable Use, Privacy, Security, and Incident Response. These policies are all important and necessary, because if you don’t properly equip your staff with rules and guidance on the expectations for their handling of technology and, by extension, sensitive data, you can’t expect them to act responsibly.
But this goes beyond simple drafting of policy by management and acknowledgement by staff. Policies won’t necessarily educate users about the threats out there, or, even more fundamentally, what some of these threats mean to them. Moreover, policies are often stagnant. They are created to establish a guide for how people are supposed to act, but they do not necessarily speak to what a staff member might have to deal with at the most basic level of their day-to-day tasks. How is a staff member supposed to recognize a malicious email, an illegitimate website, or an application that is not trustworthy? Even as an IT professional, I still run into new threats that I have to educate myself on, which means I have to continue to self-train on a regular basis.
If you look at the statistics, groups that have sophisticated and well-thought-out Security Awareness Training programs have fewer security incidents. This leads to real returns on investment for training products and services that really don’t cost very much, especially compared to the cost and impact of a major security incident. If you avoid one incident because of awareness that wasn’t in place before, the entire training program likely pays for itself. That’s why a number of compliance standards mandate a Security Awareness program.
In this article, I’d like to discuss ideas behind developing a Security Awareness Training program for your practice.