With cybersecurity and compliance standards continuously evolving to match the growing threat landscape, organizations must provide up-to-date awareness training that meets baseline security requirements and addresses the most critical risks in their own environment. Faced with resource and time constraints, how can your teams ensure that training is current and complies with new requirements such as PCI DSS v4.0, the updated FTC Safeguards Rule, and the updated HIPAA Security Rule, among others?
To help assess your organization’s training needs, the table below outlines some of the common compliance standards and specific training requirements for staff:
Standard | Staff | Training Requirement |
---|---|---|
Information Security | All staff | Annually/ongoing (state requirements, NIST/ISO, cybersecurity insurance). |
PCI DSS v4.0 | All staff involved in the payment card process | Security awareness training at hire and at least annually thereafter. Training on point-of-interaction (POI) devices and device inspections, social engineering, phishing, acceptable use, and incident response. Content refreshed annually. |
GLBA/Safeguards Rule | All staff interacting with covered customer financial data | Training specific to the risks identified in your annual risk assessment; training must be kept up to date. Security personnel must maintain knowledge of the current threat landscape. |
HIPAA | All workforce members accessing PHI | All workforce members must receive training under the Privacy Rule and the Security Rule. The organization must document training materials and workforce completion. |
CMMC | All individuals accessing Controlled Unclassified Information (CUI), e.g. sponsored research data | Organizational system users are trained on the specific risks associated with their use of in-scope systems, including how to recognize potential threats (insider threats, social engineering, etc.). |
FACTA Red Flags | All staff interacting with consumer data and covered accounts | Training is part of the Identity Theft Prevention Program, teaching employees how to identify red flags and how to prevent and mitigate identity theft. |
FERPA | All faculty/staff with access to student education records | Training on the requirements relating to the privacy and security of Personally Identifiable Information (PII) in student education records. |
An EDUCAUSE quick poll revealed that 61% of participants believe training is only somewhat effective within their college or university. Participants reported that training programs were incomplete as they are often missing content about key issues, specific types of compliance, and/or regional or state regulations. Respondents also said training lacked updates and was seen as boring or overly long and complicated. Read our article for more insight into this poll, our key takeaways from it, and elements of a successful security awareness training program.
Don’t provide boring, check-the-box training, and don’t launch outdated training that still cites statistics from 2019. Training programs should be adaptable, ongoing, and regularly refreshed to stay current and ahead of attackers. Provide role-based training where possible so that content is targeted and relevant to specific groups or departments.
For example, PCI training for merchant managers differs from training for student cashiers, which in turn differs from training for IT staff responsible for securing systems and implementing technical controls. The Business Office might receive focused training on ACH payment fraud and business email compromise, whereas the Help Desk should receive additional training on vishing and phishing attempts.
Training should also include lessons learned from real-world examples of organizations that have been affected; for instance, how a single response to a phishing email led to a larger data breach or ransomware attack at another institution. Customizing training to align with your operational procedures keeps your overall messaging and instruction consistent.
Provide direct links to policies within the training, and confirm that staff know how and where to find specific policies and procedures on acceptable use, approved technologies, privacy and data governance, and so on. When users can tie everything together through consistent messaging, awareness training reinforces adherence to organizational procedures and reduces the likelihood of non-compliance.
If you have questions regarding your current training requirements or need to define which users within your organization should be receiving training, reach out to your dedicated CRM team or contact us.
You can also download our guide to Elevate Your Security Awareness Training.