Why Your Staff Needs Security Awareness Training Now!
We have all been there. We are sitting at our desks, doing our work, and the email pops up. Usually from our IT Department or our boss, the email tells us that we need to complete our annual Security Awareness Training within the next 2 weeks. What's the first thought that goes through your mind? If we are being honest with ourselves, that first thought is usually something like, "Ugh, why do we have to do this? Don't they know that I know how to work a computer and keep our information safe?" But do we? Do we, as individuals working for companies, know how to spot a suspicious email? Do we know what to do when someone allegedly from our IT Department calls us to tell us they need to install software on our computer remotely?
The weakest link in Information Security is people. We can put in place the best technology in the world, but there is one thing that is certain: people will mess it up. Whether we are trying to be helpful or be a "good employee" by working with the alleged IT person, we are the weakest link in an organization's Information Security program. Why do you think that Ransomware is so prolific these days? The good news is that Security Awareness Training can help. Here are 3 ways in which Security Awareness Training can have an impact on your organization:
- Raise Awareness - We all read the news and hear about different Ransomware attacks that occur. Immediately we start to think things like, "How could that person not know something was fishy (pun intended)?" Could you spot a phishing email that gets through your Spam filter? Security Awareness Training, at a minimum, raises your awareness of the IT Security challenges out there and also demonstrates that your company cares about the data it holds. We take for granted the sensitive information we have on our clients, and if nothing else, Security Awareness Training sheds light on that fact.
- Compliance Requirements - Many different Federal, State, and Industry regulations have a provision in their guidance mandating that Security Awareness Training take place at least annually. If you are an organization that accepts credit and debit cards as a form of payment, PCI DSS v3.2 requirement 12.6 states that you need to have a formal Security Awareness Training program and educate employees at least yearly. If you are a Healthcare Covered Entity or Business Associate, HIPAA Security Rule 164.308(a)(5) mandates that you train your staff on Security Awareness. To comply with these mandates, you have to train your staff. Period.
- Why Wouldn't You? - I will admit that this last one isn't a way that Security Awareness Training can help or have an impact on your organization. But why wouldn't you train your employees and ensure, to the best of your ability, that you have tried to educate them and mitigate your risks? What message does it send to your employees and your customers that you don't take the time to train your staff to protect the data they have access to?
We need to stop looking at Security Awareness Training as a checklist item and instead see it as a tool to empower your staff, build a culture of security, and keep your organization's data safe. At Compass, we offer a variety of Security Awareness Training tools and methodologies based on the needs of your environment. For more information, contact us and download our Security Awareness Training brochure. I've gotta run so I can go take my online Security Awareness Training! Until later in the week, have fun and stay safe online!