There are a number of schools of thought around awareness training when it comes to cybersecurity and privacy, and a number of challenges too. Some attorneys that I have worked with maintain that awareness is only worthwhile after your compliance programme is in place, which I wholeheartedly and respectfully disagree with. Awareness from the ground up can be one of the greatest controls you can have in your business, and in today’s article I’ll go through some of the examples of what happens when you don’t have it in place.
Trickling from the top down
It really does not help if your awareness is a top-down approach from the executive, or from the middle ground where a single information officer has awareness of privacy and cyber security concerns. You can have the most aware executive team on the planet, but if the staff on the ground don’t have the same awareness, you may as well not have a compliance programme at all. Breaches and incidents are often caused by people, negligence, and ignorance; awareness reduces the chances of this.
Different people, different pages
The next challenge arises in that different people have different opinions and knowledge levels when it comes to privacy and cybersecurity. One person may spot an incident straight off the bat, while another may continue in blissful ignorance, overlooking important details. Having company wide awareness training means that your teams are on the same page and can respond accordingly to an incident. A lack of awareness can also create a culture of distrust – something that certainly needs to be avoided – where incidents are not reported for fear of personal repercussions.
Haphazard incident response
One of my favourite stories to tell is that of a support desk consultant who told clients that there was a data breach when all that was happening was a server being rebooted. This is a clear example of multiple failures of awareness. Any sort of communication should only come from the Information Officer, and only after a proper investigation. Awareness would have changed this entirely. Incident responses should be measured and planned, and this can only be achieved if all staff are aware of what the plans actually are.
Getting training in place
Awareness training can be ongoing or at the very least once-off. One of my most popular offerings is a 3-hour interactive introductory workshop on privacy and cyber security. In the workshop I cover what laws are out there, what happens during and after a breach, how staff can protect themselves, and how the company can better look after data. It’s amazing to see the change in approach almost immediately after the workshop!
Awareness doesn’t have to be difficult, but it needs to be consistent and it needs to be an ongoing conversation. If you’re keen on upping your teams’ awareness, drop me a line using the booking form below!
Ross G Saunders Consulting offers a number of solutions that can drive your compliance and security maturity; from affordable 16 week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.