Earlier this month, we attended the NetDiligence Cyber Liability Conference in Philadelphia. One of the many takeaways from the conference was the importance of employee training – train all employees on cybersecurity and data privacy. More and more we see that the human element, i.e., human error, is the cause of many data breaches. This year saw an epidemic level of employees making mistakes and sending files of employee personal and financial information, sometimes including W-2s, to threat actors sending phishing emails posing as a top executive. To limit or avoid human error leading to data privacy and information security breaches, employee training should occur at all stages of employment.
All new employees should receive data privacy and information security awareness training on the organization’s data privacy and security policies and procedures, including, for example, how to respond to email requests for information and how to store information (full encryption of devices and portable storage). Employees also need to be trained on how to respond to emails that appear to come from the C-suite. One of the frequent emails employees receive, and erroneously provide information in response to, is an email that appears to come from an executive requesting employee personal or financial information. Employees need to be trained to recognize such emails and how to properly respond.
Employees in certain positions or departments, or employees who handle sensitive data, for example, payroll or finance and human resources, should receive specialized training. Policies and procedures should include the minimum access principle: individuals are given the minimum access to sensitive data necessary to perform a job or task, and that access is granted for the minimum time necessary.
Tabletop exercises and phishing training
Organizations should include practical training as well, including tabletop exercises and simulated exercises to determine how well employees respond to data privacy and information security crises. Further, phishing programs train users how to identify and avoid, or properly respond to, phishing emails.
All organizations should provide annual retraining on their data privacy and information security policies and procedures, awareness training, and position-specific training. Make sure to also keep a record of all training and retraining completed, should a regulator ever conduct an audit or investigation.