Donna Balaguer (Principal, Washington, DC) was mentioned in Forbes article, "Cybersecurity And Social Media: Corporate Training Best Practices."
Everybody agrees that it's important to instill a corporate culture of compliance for cyber security, privacy and social media with your employees. But what are the best practices around doing that, especially with a large company?
At a recent event, Donna A. Balaguer, Principal, Fish & Richardson, Roota Almeida, Head of Information Security, Delta Dental of NJ, E.J. Borrack, General Counsel, The Stilwell Group and Korin Neff, Senior Vice President and Chief Compliance Officer, Wyndham Worldwide explored the challenges and best practices of training employees to follow cyber and social media policies. This is an edited version of that conversation. As a note, you'll find that many of these key concepts apply to any type of corporate training.
Donna Balaguer: From a practical perspective, how do you instill a corporate culture of compliance?
Korin Neff: People always talk about getting senior management involved or the "tone at the top". What is often forgotten is the "tone at the middle". While it's important that your CEO, CFO, your board of directors, and general counsel to show strong buy-in to the program, it's also important to get your next level of senior leaders involved, buying into the message, and spreading it forward.
We've developed a network of compliance champions to lead the "tone at the middle" throughout the company. We gather them together annually to talk about cyber security, privacy and other compliance issues. We discover what's really important to them and how to resonate that message throughout their areas of the business. We've learned that while it's important for people to understand the "dos and don'ts" in terms of cyber security and privacy in the workplace, the way to get employees really engaged is by explaining how they can incorporate those practices into their daily lives. We've started a campaign of common sense practices for personal assets (such as cybersecurity for children or what to do if you are breached personally) so that these things just become habit. People start to understand if something is important to you in your personal life, it also important in your professional life.
Donna Balaguer: How do you spread the message to staff that cyber security is an important core value in the company?
Roota Almeida: It's helpful to use different kinds of channels to spread the word. You could use email, or put it on the company website, or print posters, conduct contests, offer "lunch and learns" or create videos.
As with anything, out of sight is out of mind. We need to constantly to build awareness around daily work activities on email and websites. Training is more effective when you make it personal, as Korn said. Such as "How can you help your kids be safe while they are on line?", "How can you help your parents be safe while they're online?" "If you have an account that is breached, or if somebody has hacked into your email account, what should you do?" Treat your client data the way you treat your own personal data is one of our key messages. If you don't want your social security number on sale on the dark web, you wouldn't want that for your clients either. Instead, take every measure to protect that data while you access it or send it.
Donna Balaguer: Are there different training modules for different types of employees?
Roota Almeida: Training is not one size fits all. To make training more effective, it needs to be personalized so that the audience can absorb it more effectively. In our firm, we have one training program that is purely security awareness for those in the organization with access to information. There is also specific training for different sets of groups that handle different kinds of information. For example, HR handles Personally identifiable information (PII), Claims handles Personal Health Information (PHI), Sales and Marketing have their own set of information and Finance have their own financial information. The training is customized by how data is handled, the type of data that is handled, and the regulations associated with it. We educate our users on how to protect the data from an information security perspective, as well as from a compliance perspective of data handling procedures, data retention and retrieval procedures.
Korin Neff: It's also important to offer training in different modalities. People have vastly different learning styles, regardless of the size of your organization. Tap the people who are really good at teaching people things in your organization. Learn from them how to best communicate your messaging. Regardless of the training you provide, be sure to write down your operational processes and content of your training. This will be beneficial if you are ever faced with regulatory scrutiny or private litigation. You will be able to demonstrate your specific training activities and say "It was one bad apple in the bunch. The whole barrel wasn't rotten".