A guest post for Data Protection Awareness Day 2017 from our very own Steve Foley, Security Consultant…
Security Awareness Training: the phrase that makes most employees roll their eyes and think, 'Great, another hour of my life that I'll never get back.' Some staff gleefully look forward to 60 minutes sat in a darkened room, which allows them to zone out and think about what's for dinner or their weekend plans.
The point I am making is that no one really relishes Security Awareness Training, and that in itself has long been the issue. For years, I delivered the same security training within my former organisation, and you knew, as you surveyed the audience and looked at all those glazed expressions, that you had lost the majority even before the off. I tried to liven it up as best I could: making topics relevant and current where possible, altering the format to involve the crowd and, most importantly and what I found to be key, relating it to the individual's personal life.
Part of the reason for this apathy amongst staff, I feel, was the perception that they HAD to attend whilst never witnessing Senior Management partake. Another reason for the lack of enthusiasm may well be the delivery style. As organisations have streamlined more and more operational departments, security teams have taken their fair share of the brunt, and many large enterprises now rely on an e-learning portal to deliver annual training. This in itself is a problem: generally the format stays the same, the information stays the same and the method of testing stays the same year on year. Staff pay this method lip service, often colluding to pass the test, which makes me wonder whether any actual learning occurs. Having worked across many areas that employ this method and dealt with numerous security incidents, I would suggest not. There simply is not enough practical learning, and what is conducted is not fit for purpose.
Data Protection is becoming more relevant than ever and will be key for organisations given the looming financial penalties that GDPR brings into force from May 2018. Whilst the external threat will always exist, my opinion, and that of many others, is that a data breach is not going to come from someone hacking your network and stealing all your 'stuff'. The much more likely leak is going to be by a non-malicious member of staff who accidentally, and without thought, releases or mishandles data that they shouldn't.
How do we combat this? I believe a fantastic opportunity for Senior Management to engage their staff in this incredibly important topic would be to lead from the front: direct their security teams to script a real-time scenario as the annual Security Awareness Training. This would allow Management to interact with staff and provide a key opportunity to empower their subordinates by letting them lead the security tasks, with walk-through/talk-through points as they progress through each element. Not only would this add realism and make for a positive team-building activity, but it would surely linger in the memory and encourage staff to embrace a more positive attitude to security awareness. Who knows, it might even be fun.
- Posted by Ellie Hurst
- On 27th January 2017