Training employees on privacy and security is a vital responsibility. HIPAA requires organizations to train all workforce members (employees, interns, contractors, volunteers and anyone else working under the organization's direct control), to train new workforce members within a reasonable time after they join, and to provide periodic refresher training.
Identifying the practices that actually achieve security education, training and awareness in your organization is a constant challenge, and one that shifts with the cyberattack du jour. After all, you can't expect employees to know what to do when they encounter the latest threat (e.g., ransomware) if they aren't trained regularly.
However you design your training strategy, the following measures are constants that can help.
- Frequency. Training is most effective when it is delivered in layers at different stages of the employment lifecycle rather than as a single event:
  - New employee training. Privacy and security training should be part of orientation. New hires should learn who the security officer is and begin acquainting themselves with your policies and procedures.
  - Annual training. Review policies and procedures and stress common compliance transgressions, whether in your organization or across the industry, to reinforce expectations. Then have employees re-sign agreements such as the acceptable use policy.
  - Periodic training. Deliver short, quick hits of information on issues that need reinforcement or on new cyber threats that employees should be aware of. When policies change or new requirements arrive, conduct training proportionate to the level of awareness needed.
  - Targeted training. When patterns of non-compliance emerge, address them with the individual, team or department concerned, as appropriate.
- Vary communication tools. Using every communication channel at your disposal gets your message to the workforce on many levels and at different times: email blasts, newsletter articles, top-down promotions by leadership, intranet videos, and just-in-time, face-to-face training.
- Test comprehension. There are many ways to test employees' understanding, with varying effort depending on your objectives, from computer-based training modules (perhaps integrated with other human resources training requirements, such as OSHA training) to circulating short security quizzes. Quiz results gauge how well a topic was understood and point to where follow-up training is needed. Keep records of completion and results: HIPAA requires you to document that training was provided.
- Target content. Handing housekeeping staff a big book of policies when three-quarters of it doesn't apply to their responsibilities isn't the ideal way to train. Know your audience and tailor training accordingly.
- Take advantage of available tools. Commercial computer-based training tools are great, but don't forget the many free tools at your disposal. Some include: