This post previously appeared on Forbes
Everybody agrees that it’s important to instill a corporate culture of compliance for cyber security, privacy and social media with your employees. But what are the best practices around doing that, especially with a large company?
At a recent event, Donna A. Balaguer, Principal, Fish & Richardson, Roota Almeida, Head of Information Security, Delta Dental of NJ, E.J. Borrack, General Counsel, The Stilwell Group and Korin Neff, Senior Vice President and Chief Compliance Officer, Wyndham Worldwide explored the challenges and best practices of training employees to follow cyber and social media policies. This is an edited version of that conversation. As a note, you’ll find that many of these key concepts apply to any type of corporate training.
Donna Balaguer: From a practical perspective, how do you instill a corporate culture of compliance?
Korin Neff: People always talk about getting senior management involved or the “tone at the top”. What is often forgotten is the “tone at the middle”. While it’s important for your CEO, CFO, your board of directors, and general counsel to show strong buy-in to the program, it’s also important to get your next level of senior leaders involved, buying into the message, and spreading it forward.
We’ve developed a network of compliance champions to lead the “tone at the middle” throughout the company. We gather them together annually to talk about cyber security, privacy and other compliance issues. We discover what’s really important to them and how to resonate that message throughout their areas of the business. We’ve learned that while it’s important for people to understand the “dos and don’ts” in terms of cyber security and privacy in the workplace, the way to get employees really engaged is by explaining how they can incorporate those practices into their daily lives. We’ve started a campaign of common sense practices for personal assets (such as cybersecurity for children or what to do if you are breached personally) so that these things just become habit. People start to understand if something is important to you in your personal life, it is also important in your professional life.
Donna Balaguer: How do you spread the message to staff that cyber security is an important core value in the company?
Roota Almeida: It’s helpful to use different kinds of channels to spread the word. You could use email, or put it on the company website, or print posters, conduct contests, offer “lunch and learns” or create videos.
As with anything, out of sight is out of mind. We need to constantly build awareness around daily work activities on email and websites. Training is more effective when you make it personal, as Korin said. Such as “How can you help your kids be safe while they are online?”, “How can you help your parents be safe while they’re online?” “If you have an account that is breached, or if somebody has hacked into your email account, what should you do?” Treat your client data the way you treat your own personal data is one of our key messages. If you don’t want your social security number on sale on the dark web, you wouldn’t want that for your clients either. Instead, take every measure to protect that data while you access it or send it.
Donna Balaguer: Are there different training modules for different types of employees?
Roota Almeida: Training is not one size fits all. To make training more effective, it needs to be personalized so that the audience can absorb it more effectively. In our firm, we have one training program that is purely security awareness for those in the organization with access to information. There is also specific training for different sets of groups that handle different kinds of information. For example, HR handles Personally Identifiable Information (PII), Claims handles Personal Health Information (PHI), Sales and Marketing have their own set of information and Finance have their own financial information. The training is customized by how data is handled, the type of data that is handled, and the regulations associated with it. We educate our users on how to protect the data from an information security perspective, as well as from a compliance perspective of data handling procedures, data retention and retrieval procedures.
Korin Neff: It’s also important to offer training in different modalities. People have vastly different learning styles, regardless of the size of your organization. Tap the people who are really good at teaching people things in your organization. Learn from them how to best communicate your messaging. Regardless of the training you provide, be sure to write down your operational processes and content of your training. This will be beneficial if you are ever faced with regulatory scrutiny or private litigation. You will be able to demonstrate your specific training activities and say “It was one bad apple in the bunch. The whole barrel wasn’t rotten”.
Donna Balaguer: How can you engage employees in the training?
Korin Neff: Although most people find the issues pretty interesting, it certainly makes them pay more attention if there’s a test at the end. We also conduct a global program where we bring in external speakers from the government and law enforcement who tell war stories. They speak about real-life issues and threats facing companies, personal lives and national security and even international security. We’ll also do little things like raffle contests if somebody answers a particular privacy question correctly. It’s amazing what people will sit through in order to get a free sandwich or cookie.
Donna Balaguer: How do you handle training for a small financial services firm handling sensitive customer financial data?
EJ Borrack: We include cyber security training as part of our required Annual Compliance training. We follow Securities and Exchange Commission (SEC) guidelines, have a training deck and a record of attendance, just like our regular compliance training. The regulators want to see that. But that’s not enough. In addition to the Annual Compliance meeting, we also have more informal quarterly compliance and monthly meetings. We discuss compliance issues or new SEC guidelines or the latest enforcement actions. That’s our opportunity to talk about changes, issues, or anything that the employees think we should talk about. In our company, it isn’t so much a training, as an ongoing conversation or dialogue.
Donna Balaguer: After you’ve given the training, how do you follow up and make sure employees are adhering to your policies?
Neff: As a company, we have about 36,000 employees, so we have an employee management system that helps us electronically track that people are taking the training they are assigned. But to get people really committed, we use both the carrot (and cookie!) and the stick. Being up to date on compliance training is part of our performance management program. That really conveys the “tone from the top” and makes sure people understand the importance of being committed to compliance. As a best practice, we also test awareness by sending out sample phishing emails. The emails will have some errors such as misspellings, or incorrect addresses to help tip people off. It’s an educational opportunity – not a “gotcha” at all. Instead, it helps show the importance of why we’re doing the training. The testing also helps to refine our awareness campaigns and shows us areas of our training that we need to improve.
Roota Almeida: We also do a lot of tests to understand the effectiveness of the training. Do we need to tweak it? Do people understand it? Are they getting the picture?
During the question and answer period, I couldn’t help but ask:
Belbey: What about special risks associated with using social media, whether it’s sharing information that makes you an easier target for spear phishing attacks or leaking proprietary information, or introducing malware into the organization?
Roota Almeida: Our social media policy tells users the “dos and don’ts” on social media platforms. We also train our employees how to use different social media networks. We keep on top of the news on social media sites and make our users aware of issues on LinkedIn, Facebook or Twitter.
Neff: We have a social media policy as well. Because social media has become such a major way of communicating, we’ve created a social media “tri-fold” brochure that people can stand up on their desk. It includes “dos and don’ts” and summarizes how to behave in that environment. We also incorporate social media messages into our other training. We remind employees that social media is public. We tell them what they can and can’t communicate as a publicly traded company. However, as firms put together your social media policies, I caution you to read commentary by the National Labor Relations Board (NLRB) regarding prohibitions against companies directing their employees in particular ways.