Tom Colgan, Director of Cyber Security, Pilgrim Quality Solutions, an IQVIA company
As agents of quality and compliance within the Life Sciences industry, we are all well aware of the importance of employee security awareness training in order to be compliant with various frameworks, laws, and regulations, including HIPAA. But in practice, does your organization’s awareness program simply “check the box,” or do you believe your efforts are having an impact?
Your employees are the frontline to securing your organization, and an effective internal security awareness program will strengthen your defense in depth approach. Here are just a few of the ways you can strengthen your program:
- Phishing Exercises
Incorporate a phishing exercise/testing program. Phishing and spear phishing are on the rise for one reason only…they work. Implementing a program where you test your team members regularly with phishing examples will provide them the skills needed to identify a true phishing attempt.
- Ongoing Education
Inform your users how to protect themselves at home, as well as in the workplace, on a regular basis, not just once a year. Teach them how to educate their family on the importance of information security. The thought behind this parallel approach is that developing behavior to secure their own personal information will lead them to inherently protect your organizational data in accordance with the same values.
- Team Challenges
Conduct regular testing of team members. Just as with the phishing exercise, you want to test the comprehension and practice of important behaviors on a regular basis. Walk around the office and place a sticky note “violation” on the desk of a team member who didn’t lock their screen or didn’t adhere to the clear/clean desk policy. Challenge team members who don’t have a visible photo badge or ID and empower your team to challenge others as well.
- Knowledge Games
Providing your development teams with secure code training is important, but take it to the next step and engage them in a game. After undergoing secure coding training, set up a “capture the flag” game or similar activity to test their comprehension of that training. Last year Facebook introduced an open source tool to do just that. You can find it here: Facebook CTF is Now Open Source!
- Comedic Communication
Last, but not least, incorporate humor into your security awareness efforts wherever possible, especially in your required annual employee training. In the past, I have created videos that incorporated acting out obvious careless behavior (e.g., a person dressed as a thief and an employee scanning their badge to let them in the building), as well as poking fun at executives or other well-known individuals in the organization. The key is striking the right balance of humor and professionalism to suit your organization.
Recent news continues to confirm that human error is responsible for the worst data breaches. When organizations just “check the box” with information security awareness, they are risking their reputation, customer trust, and potentially their bottom lines.
Case in point: In 2014, the FBI said hackers were able to use a “spear phishing” email to gain a Yahoo employee’s credentials, enabling them to break into the company’s systems and access 500 million user accounts. Experts worried that the record-breaking haul of password data could be used to open locks up and down the web. Not knowing the full extent of data stolen sends ripples of insecurity across the internet and throughout the world of commerce.
That historic event is a powerful reminder that organizations need to look to their staff as their first line of defense. The challenge is to find the right amount of training and communication to provide an effective security awareness program for your workplace environment. When you find that sweet spot, make it a standard practice. You can never be too safe.
We want to hear from you: What do you believe is the ideal frequency for training and communication? Do you have fun with awareness training in your organization? You are encouraged to share your experience with effective workplace security awareness programs you have found to be effective.
Submit your comments to: firstname.lastname@example.org, or simply add your input in the comments section of this blog.
Information Security Summary
This white paper details the security controls that Pilgrim has put in place to ensure information security.