SECURITY AWARENESS TRAINING
by Daniel J. Solove
What does the law require for security awareness training? What are organizations currently doing? What should they be doing? Below, I will answer these questions and more.
What is the return on investment (ROI)
for security awareness training?
There’s a huge ROI on security awareness training. A few years ago, a PriceWaterhouseCoopers report calculated the ROI of security awareness training as half a million dollars.
Because most data security breaches involve human error, training can reduce the risk of having breaches. Each member of the workforce is a risk. The more workforce members who are more careful, the lower the overall risk will be.
The cost of a data security breach is very high. The average cost of a data breach is more than $150 per record. Thus, a breach involving 50,000 records would amount to $7.5 million on average. In contrast, training is quite low in cost. In most cases, training costs less than 1% of what a breach would cost.
Is security awareness training required by law?
Many laws require security awareness training.
HIPAA. Both the HIPAA Privacy Rule and the HIPAA Security Rule have training requirements. The HIPAA Privacy Rule training requirement is at 45 CFR § 164.530(b)(1). The HIPAA Security Rule training requirement is an administrative safeguard at 45 CFR § 164.308(a)(5). HIPAA requires a covered entity to train all workforce members on its policies and procedures with respect to PHI. Each new workforce member must be trained within a reasonable period of time after hiring. Thereafter, training must be given whenever there is a material change in policies or procedures. Covered entities and business associates must provide a security awareness and training program for all workforce members. This program must include periodic security updates.
Gramm-Leach-Bliley Act (GLBA). The GLBA Safeguards Rule, 16 CFR 314.4 requires employee training. Interagency guidance recommends that organizations should: “Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling; Provide staff members responsible for building or maintaining computer systems and local and wide-area networks with adequate training, including instruction about computer security; and Train staff to properly dispose of customer information.”
Massachusetts’s Data Security Law. Massachusetts’s 201 CMR 17.03 requires training as part of a comprehensive information security program. Training should focus on reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information. Training must be “ongoing” and must be given for not only permanent employees but also temporary and contract employees.
Federal Information Security Management Act (FISMA). FISMA, 4 U.S.C. § 3544, requires that federal agencies establish a security awareness training program. The program must include contractors and “other uses of information systems” that support the agency. The program must address information security risks and each employee’s responsibilities in complying with agency policies and procedures to minimize security risks.
Are there other security awareness training requirements?
In addition to security awareness training required by law, various codes and standards require training.
Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS is a code developed by the credit card industry’s PCI council. PCI-DSS12.6 requires that organizations implement a formal security awareness training program to make all personnel aware of the importance of cardholder data security. Personnel must be trained upon hire and at least annually.
ISO/IEC 27002. The International Standards Organization (ISO)’s Information Security standard ISO/IEC 27002:2005 is one of the most frequently followed standards by organizations throughout the world. The standard provides guidance on information security management in organizations, and it contains a requirement that all employees receive data security awareness training.
NIST Special Publication 800-53. NIST 800-53 is one of the most relied-upon security standards. Many federal agencies look to NIST 800-53 to guide their rulemaking and enforcement. According to NIST 800-53: “Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents.”
How long must the training be?
Most laws do not specify any particular length for the training. Obviously, training for just a few minutes wouldn’t be sufficient, but training does not have to go on for hours.
A common mistake I see in training programs is that they are often too long and bombard people with a lot of information they don’t need. The human attention span is very short. What matters more than time is the content of the training and how effectively and memorably the information is taught.
What topics must security awareness training cover?
Most laws do not specify specific security topics or best practices that training must cover. The most specific training requirement is the HIPAA Security Rule, which provides that training cover protection from malware and password best practices.
I believe that good data security training should cover the following topics:
• social engineering
• use of portable devices
• physical access
• data destruction
• data breach
These are the areas most involved with data breaches, especially phishing and portable devices.
People need to understand broadly that they play a big role in data security. People need to learn to be more suspicious and to pause and think before clicking. They know what to do when something seems suspicious.
How often must security awareness training be given?
Laws vary on frequency of the training, with some requiring it upon hiring and others requiring it annually. In practice, most organizations train all employees at least annually on information security, and I strongly believe that this is the best practice. Memories fade quickly. People need to be constantly reminded of what they must do because all it takes is one lapse and there will be an incident.
The HIPAA Security Rule requires a security awareness and training program for all workforce members with an implementation specification that the program include periodic security updates. The Security Rule doesn’t define what “periodic” means or when and how often people must be trained. Nor does it define what the periodic security updates must consist of.
Security awareness training is essential because humans are the biggest security risk. The risk is huge, and the costs are huge, so I recommend that organizations train often.
What are the consequences for inadequate security awareness training?
First, regulators can issue penalties. Inadequate training is low hanging fruit to a regulator. It’s an easy thing that regulators can use to find fault.
Second, inadequate training will result in more data breaches in the long run. It’s inevitable. Humans are the greatest security risk. Training is a way to reduce that risk. There’s no way to get the risk to zero, but because each person is a risk, the more people that training can educate, then the lower the risk will be.
About Professor Solove and TeachPrivacy
This resource page was written by Professor Daniel J. Solove. Professor Solove is a law professor at George Washington University Law School and the leading expert on privacy and data security law. He has taught for 15 years, has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject. His LinkedIn blog has more than 970,000 followers. Click here for more information about Professor Solove.
TeachPrivacy provides privacy awareness training, security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics. TeachPrivacy was founded by Professor Solove, who is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience.
Please Contact Us If You Are Interested In Security Awareness Training
We can provide you with a login so you can evaluate the programs. Click here for our catalog.