Requirement 12.6 of the PCI DSS states that organizations must implement a formal security awareness program to educate all employees on the importance of cardholder data security. Personnel must be educated upon hire and at least annually thereafter.
However, motivating employees to get excited about annual training can be difficult for many organizations. “I don’t have time to do training.” “Do I really have to take this training every year?” “This doesn’t even apply to me, I will never use anything I read.” These comments likely sound very familiar. Unfortunately, even with all of the advanced technology and software applications available today, your biggest vulnerability is and will remain your employees. That means the training is not only required, but also plays a critical security role in your organization.
In nearly every data breach that occurred last year, there was a human failure somewhere in the chain of events. Human errors include mistakes like sending sensitive information to the wrong person, publishing private data to a public website, programming errors that allowed easy access into the network, insecure disposal of sensitive information (e.g. in a trash can or dumpster), etc. Other incidents that are categorized as malware are also often due to someone failing to install updates or patches, clicking a link in a phishing e-mail, or failing to comply with internal policies.
The 2017 Verizon Data Breach Report revealed that social attacks were utilized in 43% of all breaches analyzed. Phishing was utilized in 93% of those social incidents. Cyber criminals will continue to target humans for as long as they keep succeeding in getting people to fall for their tricks, so you must have a robust staff education and awareness program to counter these attacks. If employees aren’t aware of the devastating consequences that one click in a phishing e-mail can lead to, they won’t stop to think before responding. Once employees understand the different risks facing your organization and the role they play in protecting your information, they will be more likely to follow through on organizational policies and procedures. Invest in your staff just as you do in technology, and give them the training and tools they need to do the best job.
As stated in the PCI DSS requirement, before your new hires even log in to critical systems or access your cardholder data environment, they should complete your security awareness training. For existing staff, training is required annually, but it is also important to provide them with ongoing and consistent reminders throughout the year. Regular updates on best practices, how and where they should report suspicious incidents, phishing attempts, etc. are all important and can be conveyed in multiple ways so that the message does not get stale. Perhaps you send out a monthly memo with some of the latest security vulnerabilities and explain how they could affect your organization, include some lessons learned from other similar institutions, and of course, explain what your employees can do to protect themselves from a similar situation. Posters can be hung up in the break room to remind staff about the need for e-mail security or the flow of your incident response plan. You can share different videos or resources and make them available to staff on your intranet. Each organization is different, so build your awareness program to fit your employees and how they prefer to receive (and are more likely to retain) this knowledge.
It is also important to ensure that the training you are providing pertains to each individual’s job responsibilities. All staff should be aware of how to protect personal devices, computers, and system or e-mail accounts by using strong passwords, following best practices like locking their computer when they step away, being cautious about potential phishing messages, monitoring who may be walking around their work area, etc. For front-line staff taking payments in person, it is important that their training include details on the steps they should take to validate a customer’s identity, how to identify potential fraud, procedures they should follow for disposing of paper-based cardholder data, and procedures for inspecting POS devices for tampering or substitution.
It is important for your IT staff training to include basic system security as well as an explanation of the role they play in protecting information across the organization. Software developers should receive training in secure coding practices (e.g. OWASP Top Ten) and be aware of potential vulnerabilities. Role-based training will help employees relate the different scenarios presented back to real-life situations they encounter, which will help them remember the lesson when or if that situation occurs.
By combining comprehensive awareness training with all of the technical safeguards you have implemented, you can help ensure the security processes in place remain effective and are not so easily forgotten or circumvented.
As you build your security awareness program, here are some things to consider:
- Ensure your organization’s information security policy exists and is up to date.
- Gain executive support for a security awareness training program.
- Create a committee to oversee the program and monitor ongoing compliance.
- Make training and resources easy to access.
- Set training implementation dates and deadlines for completion.
- Identify all employees (or third parties) that are required to complete the training.
- Document staff confirmation of their annual training.
- Create a varied but consistent communications plan to keep security in front of staff.
- Measure program success through reductions in help desk support, incidents, phishing exercises, etc.
- Review the program each year and make revisions and updates as needed to reflect new threats, risks, and best practices.
- Survey staff for feedback (accessibility, usefulness, ease of understanding, questions, new topics they are interested in, etc.).
Implementing a successful awareness program will take time and effort, but there are many tools and programs that can help you automate progress tracking, documentation, reminders, annual updates, etc. If you have questions or would like to discuss your security awareness program with one of our staff, please contact us.
Some additional guidance from our Security Advisor team below:
[Burt]: Security awareness…one of the most forgotten yet crucial aspects of maintaining a security-incident-free workplace. Not only is this a requirement for PCI DSS compliance, but it’s extremely apparent that many security incidents (as well as data breaches) occur due to individuals lacking the appropriate knowledge, which leads to being unprepared to follow proper policies and procedures.
For the most part, individuals don’t maliciously and intentionally perform insecure practices. When asked why a particular practice is being performed, the most common answers are “that’s just how we have always done things” or “we didn’t know any better.” Individuals want to do the right thing and make decisions that result in a secure environment. They just need the proper guidance and training.
Whether it’s compliance obligations for PCI, HIPAA, GLBA, FERPA, etc., do yourself a favor and make sure the appropriate security awareness training is in place. At the end of the day, criminals are generally lazy and would much rather focus their efforts on easy targets as opposed to extremely complicated measures. Security awareness is surprisingly not that expensive compared to other technical security implementations. In addition, in most cases, forty-five minutes to an hour is plenty of time to deliver the appropriate training. So, choose your method and make it happen!