Importance of Ongoing Information Security Training

Imagine if every employee in your company knew how to identify a phishing attack and knew how to respond to various threats and incidents that may, and certainly will, happen in most companies.

Imagine if all your employees knew how to store, share, access and dispose of data properly, so that your company's IP is not left in plain view of your competitors, while also complying with the laws and guidelines governing data integrity, confidentiality and availability.

Your company stands a better chance of reaching that state if it implements an ongoing security training and awareness program.

Ongoing security training and awareness in a company is an important, yet often ignored, guideline that is mentioned by various security standards, frameworks and laws. Most companies don't have any ongoing training and awareness program in place for the whole company, from management right down to the technical staff and security guards (training should be tailored to each of those different audiences).

Just as compliance with security standards such as ISO 27001 or PCI does not necessarily mean security, ongoing training and awareness in a company does not guarantee that the company will be secure, but it will most certainly help improve its security posture.

Ongoing security training and awareness covers not only 'simple' things such as password policies but also data labeling, handling and disposal, other security-related policies, physical security, awareness of social engineering techniques, social media threats, own-device usage, etc.

Most of these will have to be taken seriously once the POPI bill comes into effect in South Africa, since violations can incur huge penalties (fines of up to R10 million or up to 10 years in jail).

Security is no longer only about fending off attacks from hackers, but also about complying with certain laws (in this case, the Protection of Personal Information Act and others).

Here is what some of the security standards and frameworks have to say about awareness and training:

ISO 27001

5.2.2. Training, awareness and competence – The organization shall ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives

8.2.2. Information security awareness, education and training – all employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function

COBIT

DS7.1. Identification of education and training needs

DS7.2 Delivery of training and education

PCI

12.6. Implement a formal security awareness program to make all employees aware of the importance of cardholder data security

12.6.1. Educate employees upon hire and at least annually

Cybersecurity is an aspect that no business can afford to ignore, especially now that most businesses are embracing technology more than ever, from cloud computing to social media and mobile devices in the company.

For businesses in South Africa, training staff to be aware of POPI and its requirements is vital, since it directly impacts the company's bottom line and reputation.

If a company believes it doesn't have the skills or knowledge necessary to conduct an ongoing security training and awareness program, then third-party companies can be called upon for assistance.

The benefit, though, of having an ongoing security training and awareness program is that it will really bolster a company's security posture: employees will be better prepared to deal with attacks when they happen, and they will be able to identify potential threats and know how to respond to them.

They will also know what the law requires in terms of data security, thereby improving the company's brand reputation and company culture, and hopefully its bottom line.

Image credit: DeclanTM