
“They Don’t Work With Customer Information; I Don’t Need to Train Them.”

February 19, 2025

We often hear from our clients that they do not see value in providing information security training for staff who do not work with customers on a regular basis. Although this may make sense on the surface, a deeper look might reveal why this could be introducing vulnerabilities to your information systems.

Digital systems rarely contain “hard walls” that prohibit use by any member of the organization, especially in smaller organizations. Most business operations depend on digital technology and access to internet-based applications. You may have an application that facilitates service operations but does not integrate with your customer relationship management (CRM) tools, so technicians do not see customer personal information. Why, then, would they need to know how to protect and secure customer private data? Ask yourself: is your service application on the same digital network as your CRM? If so, your employee has access to customer data. We often assume that because someone has not been granted access to an application, they won’t get into the apps we don’t want them in.

According to ID Watchdog from Equifax, insider threats are the primary cause of 60% of data breaches. Some are intentional; others stem from employee mistakes. We may not be able to stop the malicious insider who deliberately compromises customer private data, but we can significantly reduce the unintentional instances by regularly training everyone in our organizations.

Training does not have to be “one size fits all.” In fact, the FTC Safeguards Rule tells us that staff training should be based on the level of risk a person poses to our data. An employee who has little to do with customer data as part of their regular duties should have less intense training than the people who manage customer data and your CRM. Still, everyone uses computers and personal devices to conduct business, answer personal emails and texts, and access social media. Most employers allow a certain amount of personal business on company time, so it is critical that everyone in the organization understands how they can put the organization at risk when they click on the wrong links or respond to malicious texts and emails.

For employees who rarely or never access customer data, it is important to train them on basic cyber hygiene principles, such as safe emailing and texting, responsible social media use, and recognizing phishing and other social engineering attacks. Organizations should also consider lessons on workplace safety and awareness with a focus on digital information and physical security.

For employees who regularly engage with customers and collect their private data, the training should be more comprehensive. It should cover the basics mentioned earlier and add more information on how to collect only the data needed for a transaction, when to share and not share data, and more in-depth anti-phishing training that includes how to recognize potential business email compromise events. Regardless of the curriculum, training should be regular to reinforce good habits and address any emerging types of threats users must be aware of.

Accelerate2Compliance offers comprehensive training options to meet the needs of your organization. With our Introduction, Core and Advanced level courses included in our base subscription, your staff will learn the basic blocking and tackling they need to protect your digital systems and customer information. With our optional programs, you can do more in-depth training on phishing and dark web threats. Thinking of your staff training as a journey rather than a destination will help you develop a culture of security across your entire organization. When you train everyone in the basic principles of information security, your people will turn into a valuable line of defense rather than a key vulnerability. Contact Accelerate2Compliance and we will help you develop a security culture in your organization.


Why A2C?

Compliance is an incredibly complicated topic, but our solution is the opposite of complicated: it’s just simple. We take the complexities of information security compliance and simplify them, so you can know what you need to do, do it efficiently, then get back to doing what you do best. You’ll get everything you need from us, and that’s all – you will not be paying for extras you DON’T need. We know what we’re doing. As you begin your information security compliance journey with A2C, you can rest assured you’ll be headed down the road to compliance.
