Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Security Awareness Training and Security Reminders
Quick Take
On this week’s episode of Compliance Unfiltered, the CU guys cover the ubiquitous topic of Security Awareness Training (SAT) and Security Reminders.
Every company needs them but not all SAT programs are created equal. Adam gives a full breakdown on why companies have prioritized regular SAT, the various methods of delivery for the SAT, and how often companies should conduct SAT.
Need a little more context to ensure your SAT is what it should be? No worries, the CU guys will cover the how’s the why’s and the best practices to make sure your team is up to date, and well informed.
All this and more on this week’s episode of Compliance Unfiltered!
Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process.
Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside, gosh darn it, just the smartest guy in the field of compliance that I think that I know. Adam Goslin, Adam, how the heck are you?
I’m not sure if that’s a compliment or is it a dis? I just don’t know. I’m doing good time.
Yes, the backhanded compliment from this side of the table over here.
Yeah, you’re the smartest one person that I know. OK, great. Yeah, thanks for that.
Well, fortunately, I’ve met a person or two in the field of compliance, and you certainly ranked tops among them. So we’ll start there today.
Speaking of, today, I think we’re going to chat about something that everyone has a little bit of familiarity with, and if not, you certainly should, and that is security awareness training and security reminders. So Adam, talk us through like why companies are performing the security awareness training. Like how does that track?
Well, it depends on the company. So some organizations, they’re straight up required to go through and do security awareness training for their folks, depending on what security or compliance standard that particular organization goes up against.
In other cases, some folks just simply care about security. The reality is that you can set up your program, and you can set up your systems, and you can do everything right and whatnot. But one of the singular largest risks for any organization is the human factor that comes into play. And that’s really where the security awareness training, giving people reminders about what they should and shouldn’t be doing, et cetera. It’s just a good practice because it’s the human element in this mix that’s by far the biggest risk to the organization. And in some cases, we have an organization that has a parent company that’s telling them, well, thou shalt do security awareness training, et cetera. So it really depends on the circumstances. But you hit it right on the noggin earlier, which is that organizations should be doing this. They should be taking this seriously because no joke, it is the person that’s on staff that is what is far more likely to, quote, make a mistake than your firewall’s not going to make a mistake. It may be configured incorrectly, but it’s not typical that it’s going to have a lapse, if you will, where for the human element of this, yeah, there’s a substantively higher chance that someone’s going to do something they shouldn’t have, clicked on something they shouldn’t have, held the door open for somebody they shouldn’t have, et cetera. So it’s just a good overall practice.
That’s a good shot. Well, talk to us a little bit about some of the various ways, methods of delivery, if you will, for security awareness training.
Well, there’s a number of different ways you can go about doing it. It really depends on the organization. It depends on, well, it depends on, you know, what are your, you know, kind of internal skillsets? How many warm bodies do you have? Do you have somebody that’s a trainer? You know, what systems do you have in place, et cetera?
So different methods that I’ve seen for delivery. Sometimes it’s in-person classes. So literally the company or the organization they’ve got an internal trainer, whatever, and they’ll have people come and attend security awareness training classes that they’ll put on. In some cases, you know, I’ve seen where the organization will, you know, kind of flow the security training down through the organization. So all of the top levels will get, you know, kind of go through their security awareness training and then they’ll take the deck and they’ll show their next round of folks, you know, and bring them through security awareness training, et cetera. You know, sometimes it can be virtually, you know, maybe it’s a call platform of choice. So, you know, whether you’re using Zoom, go to meeting or whatever, fill in the blank, you know, they’ll go ahead and put the training on in that aspect. I’d certainly say, you know, that notion, especially over the last, you know, kind of couple of years with all the pandemic stuff going on, certainly has taken root, if you will.
There’s also the option of doing online classes. So where you’ve got some type of an online, you know, kind of classroom style setup, where maybe it’s a, you know, some form of a learning management system, otherwise short form to LMS, where the internal resources will go log on to that platform or that system and they will, you know, then take their courses through that delivery mechanism. I mean, some organizations, depending on, again, what they have and what you have at your fingertips, really denotes the options, but you know, in some cases, you know, folks, you know, HR information system or HRIS, you know, system will have the capability to, you know, kind of, you know, be that LMS. In other cases, folks will have one of the, you know, kind of a big box, you know, ERP style systems that have a, you know, kind of a training, you know, training bolt-on. So there’s a lot of different ways you can go about doing it. It just depends on the organization that you’re talking about.
Yeah, that makes sense. So what are some of the basic requirements of a security awareness training program?
Well, first and foremost is that it needs to get provided to the typically where it is, you know, it depends on the certification going up against, but you need to be provided to all personnel. Now, it sounds like a nice handy, easy blanket statement, but you know, keep in mind, you’ve got your staff, you know, you’re kind of your full-time staff members, you may have contractors that are in the mix that require training, you may have vendors that are kind of connected into your system. So when it comes to those connected vendors, you know, if they’ve got their own security compliance program and they’re training their personnel and kind of attesting to it through a third-party audit, well, okay, cool, but I can’t tell you how many vendors out there that there are that don’t do that for their staff and yet their personnel are connecting to your system. So you might as well take the opportunity in the grand scheme of things, generally, it’s no skin off your nose, just make sure that you’ve got anybody that is pertinent, that has logins to your systems, that is connected to your systems, that they’re receiving that training in some way, shape or form.
You know, we’ve got, you know, some of the other basic requirements, you know, multiple methods for delivery. In other words, you know, you’ve got your, you know, your main line, you know, you’ve got your main line, security awareness training that you would deliver, but there’s other elements of a security and compliance, you know, security awareness program that we’ll talk about in a couple of minutes, but just making sure that you’ve kind of got the, you know, all of the check boxes for the various methods for delivery. This might sound ridiculous to have to state, but I’ve run into organizations that have problems with this, take attendance at the security awareness training session. You know, you got to know who attended, you know, who was there, depending on what platform you’re working on, you’ll also have additional options for, you know, for how attentive were they, were they paying attention? You know, if it’s online course, a lot of those online courses and courseware that you can get will give you statistics back. So did this person basically fire the go button and either walk away or, you know, put it in the background on their computer and going off and busy multitask on something else and not really paying attention? You know, so you’ve got those, you know, kind of stats that are kind of at your fingertips as well. You know, the other element of, you know, so you go and you get your attendance, whether it’s, you know, if it’s an online system that you’re leveraging for doing it, do yourself a favor and make sure that you export the attendance records and then store them somewhere safe. If you’re delivering this in person, have a sign-in sheet, you know, that type of thing. So you won’t, but at the end of the day, if you’re doing this for security and compliance, you need to be able to go back and say, this person, yes, did receive their security awareness training.
So you need to be able to show that. So that’s where the storage of all of that information comes into play. For those that do the in-person as they go through and kind of do those in-person sessions and they have like a sign-in sheet as you walk in or whatever, and they got to check it, check in and then check back out again or something. You know, a lot of folks will just, you know, okay, I’m just going to go scan that and, you know, if I got my records. Well, the scan is cool, but the problem is, is that, you know, now I can’t readily go in and confirm that Angela took training within the last year. Now I’ve got to go and pilfer through all of these PDFs. So what a lot of folks will do, they’ll take those PDFs, keep them as kind of backup, but convert them over into something electronic so that they can search, pull records, you know, store dates, when did they take it, et cetera, because it makes your world a lot easier when you get kind of down the road. It’s a typical problem that I’ll see, especially with organizations kind of going through it for the first time. It’s just something that they don’t think about and it’s not until, you know, they’ve got an assessor sitting there. So, you know, show me that Bob, you know, attended your security awareness training and meanwhile they’re madly, you know, scrolling through, you know, whatever, 50 or a hundred different manual sign-in sheets. It’s just a nightmare.
I might as well try to save some of that pain, right? Exactly. Make sure, whichever mode you’re using, that you get the sign-off from everybody that attends. I can’t tell you how many times, you know, you kind of, you go through, you know, you get in, you’re doing the audit, the assessor, you know, does their, you know, whatever. Give me every person you got and you give them a hundred dates and they say, okay, we’re going to randomly pick these 12, you know, and sure as nuts, one of these 12 freaking people went in, sat there, attended the training, blah, blah, blah, but didn’t sign the sheet, you know? So, just make absolutely certain that, you know, all of the people that attended got recognition for the fact that they were there because it will avoid, you know, potential issues kind of down the road, if you will.
And while you’re at it, it’s typical as part of a security awareness training style program that is part of their, you know, their learning process and part of their sign-offs that they also sign off and say that they understand and will follow the, you know, kind of the organization’s policies as part of that, part of that annual event, if you will.
So how often should you perform a security awareness training?
Well, for anybody that is new to the organization, it needs to be done literally at hire. So what I’ll typically recommend to folks is, you know, when you have, you know, when Mary is starting, you know, on Monday, as part of her first things that she does paperwork, you know, you’ve got the typical onboarding, right? You’ve got, they go in, they sign off on all the paperwork and then they fill in all of their, you know, all of their, you know, dollar stuff and healthcare things and blah, you know, get through all of that, have them go in and immediately attend the security awareness training, you know, and what you want to do is you want to make sure that you’ve got that these folks have not only signed off on all of their, you know, kind of required paperwork for the organization, but that they also attend that security awareness training in advance of giving them credentials to be able to get onto your systems because that’s an area that I’ve seen some organizations run into some problems is they’re not able to kind of prove out that, you know, so-and-so signed off on all the documents and, you know, got their training performed in advance of gaining, you know, kind of gaining logical access to the intellectual property and assets of the target organization. So that’s something for folks just to kind of think through.
The other is for, you know, so let’s say you’re not a noob, but you are, you know, you’ve been there for years, every single person needs to then go through annual, at least annual training. Now, I don’t have any particular problem if, you know, people are doing deep dive, you know, security awareness, you know, activities, kind of in full more than once a year, but for most of the security and compliance standards out there, they require you to do that at least once a year.
Well, how do companies administer the annual requirements, though?
Well, I’ve seen several different approaches, and more often than not, it depends on the size of the organization. So it depends, like if it’s a smaller org, then you’ll see certain options come into play where if it’s a bigger org, you’ve got to kind of spread things out.
So one approach is that I’ve seen used fairly frequently is it’s like whatever February is, training month or whatever. Now, the one thing for organizations to keep in mind when they take that approach, right? We’re gonna train everybody in February. Well, technically speaking, if you’re required to have your training once a year or within the last year type of thing, then if you in, let’s say I’m in last year, I took it in the first week of February, but this year I just happened to take it in the last week of February, philosophically, we do training once a year. But technically speaking, that individual now is kind of out of whack. They’re at a year and three weeks, not within a year. So the one suggestion that I’d have for folks, if they take this January type of an approach, just to make it really easy, just move your date, move your month back each time. So if I did it in February this year, next year I’ll do it in January, next week, next year I’ll do it in December, whatever it may be. Some organizations actually like to skip December specifically because it’s usually so fricking busy. And so they’ll just go skip to November and then skip back to October, et cetera. But that way, if you do it that way and you enforce everybody needs to take it within this period of time, then there’s no possibility that you’re gonna have anybody that’s gonna be kind of over that 365 days. For other organizations that are larger, I’ll see a couple of different approaches. They’ll do it based on their hire date. They will do it based on the month of their birth. Everybody with the last name starting with B goes in this month and that type of thing. When they’re using an HRIS system or a learning management system, that holds certain advantages because then you can set in automated reminders, et cetera. So oftentimes it will kind of, you’ll get the yellow level warnings.
Hey, you’re six weeks away from your annual poof date for needing to take your training and then it’ll go red as of two weeks before or whatever. So there’s a bunch of different options that folks can take there. Really, companies can pick whatever mechanism is gonna work best for them. The important part of this is at any point in the year, I should be able to walk to that organization, tell them to pull their security awareness training list of who got trained when and when the day I pull it, I should have nobody that has a date that’s longer than 365 days in the past. So that’s the objective. As long as the program accomplishes that goal, then the how, it really becomes irrelevant.
So, I mean, we spoke earlier that that makes total sense.
Now we spoke earlier about multiple methods of awareness and I think that, you know, most listeners at this point in time will probably be wondering, well, talk to us more about that.
Okay. Most of the security and compliance programs are going to require not only the, you know, whatever training, you know, full blown security awareness training at hire and, you know, and then training once a year for all of the existing personnel, you know, but they’ll also require some form of, I’ll call it periodic reminders to the staff. So, you know, I’ve seen a number of flavors for that with different levels of effectiveness, if you will. You know, some will, you know, just they’ve got a board, you know, a cork board up in the lunchroom and they’ll just pin something new to it periodically, you know, type of thing. You know, the problem I’ve got with that is that, you know, if I don’t happen to eat lunch and walk into that room, well, I’ve never seen this thing.
So, you know, I’m a bigger fan of, you know, something that’s a little more direct and interactive and accessible. So, you know, organizations will, you know, send, you know, somebody internally is the point person, they’ll send out emails to all of their staff. Some organizations, especially if they’re using like an LMS to deliver the training, they’ll configure and set up these mini training sessions. So, where your annual security awareness training is, whatever, an hour, two hours, three hours long, you know, then these little mini quarterly sessions, it’s, you know, five minutes, you know, five minutes on this topic. Maybe they’ll splash in two or three topics, taking up a total of maybe 12 minutes type of thing and just track them, you know, going through and doing that. There’s a lot of different ways that you can deliver, you know, kind of deliver these security reminders. But, you know, like TCT implemented a program for our paying clients, where what we’ll do is we’ll distribute a quarterly security reminder, you know, out to, you know, to any of the existing clients that would like to participate. Because it’ll cover pertinent security reminder topic for that quarter. So we’ll just kind of go pick something to, you know, go and get into a little bit, you know, of a reminder depth on to give them a helpful reminder. We also send, you know, send a, you know, help tips for security and compliance management. And then, what I call interesting stories in the news over the prior quarter. So, actually, I always the best. I saw one, I saw one earlier today, which was a company that had gotten in trouble. So what they did is they were trying to they were trying to play an April fool’s prank on. They’re trying to play an April fool’s prank. And so what they did is they put they put something out there that said, hey, come sign up for our service and blah, and we’re going to give you, you know, give you free beer.
And, and so what they did is they had the people had to put a code in. Well, the code that they told them to go put in, they thought they’re being all funny was April fools spelled backwards. And all they thought, oh, this is going to be hilarious and blah.
Well, meanwhile, the whole thing like blew blew up in their face in that in that these people that were now clicking the link and signing up for this service that, you know, that now they’re it started as an April fool’s joke. But now this company is getting nailed for is getting nailed for false advertising.
So, you know, it’s stuff like, you know, it’s just I like to include there’s so much going on in the world of security and compliance. It’s just it’s kind of interesting to to hear, you know, relevant stories over the over the prior quarter of real world things that are happening. So that kind of makes it makes it a little bit fun. But that’s that’s just something that we can do to help our clients with and perform a task, you know, kind of centrally for TCT on behalf of the customers to ease burden on them. That way they don’t need to worry about it. You know, there’s a there’s a lot of organizations that, you know, they don’t want to spend the time going and digging into this stuff. I mean, this is really our world. So, you know, it’s just it’s nice to be able to go in and give me.
Absolutely. And for this and additional tips around those quarterly security insights, take a listen to our last episode here on Compliance Unfiltered and all those spicy details are in there for you. That’s all the time we have today.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.