Security Awareness Training: Answering Your Clients' Top 5 Questions
You’re a business. That means you provide much-needed goods and services to your clients. In return, you may hold some of your clients’ data. The last thing your clients want to hear is that their data has been breached on your watch.
Your clients want to know how you’re protecting their data. A foundational part of any information security program is proactive safeguards in the form of staff education and awareness. You may even be mandated by contract to engage in education and awareness.
When thinking about how to build that security awareness program, you need to be proactive and account for your clients’ needs. Here are the top five questions your clients might have about security awareness.
1. What Staff Training Do You Provide?
Your clients first want to know whether you provide training, what it covers, and how often you provide training.
At a minimum, you should provide your workforce with general security awareness training annually.
What is Security Awareness Training?
Security Awareness Training is training in general information security practices. This training helps defend your business from cyber threats because it increases awareness of them and how to mitigate them. You’ll want to cover a few things, including:
Physical security – this security domain includes keeping desks clear of sensitive or confidential information, not letting someone snoop over your shoulder or eavesdrop, and not letting people walk into a locked area behind you (also known as “tailgating”).
Email and communications security – how to share information, how not to share information, and how to spot social engineering attacks and phishing emails.
Not circumventing security safeguards on a computer.
How to report a security incident.
Acceptable use of information technology resources.
Depending on what industries you serve, you may have other specialized topics on which you must train. Be mindful of those and do your research. For example, if you’re in healthcare, you must comply with the HIPAA Privacy and Security Rules. You also face enhanced fines and public reporting requirements depending on the size and severity of a data breach. You’re obligated to train your staff about those obligations.
Annually is a floor, not a ceiling: the more training you deliver, the more you benefit. You can train as often, and in as many forms, as you like. In doing so, your staff will be exposed to a more diverse set of information security issues.
That being said, training annually with one omnibus training provides a good, auditable point in time for training. You can use an industry-standard benchmark to market and represent your training efforts.
If you train more and keep records of that training, that could provide an excellent benchmark to highlight the above-par security program you run. Not only will you have safer operations, but you can market the benefits of your safer operations as a result of that security awareness. Safer operations translate to high availability, better data integrity, and lower data loss or exfiltration.
An added benefit: not only will this make your clients happy, but it’ll also make your business partners and your cyber insurance carrier happy.
2. Do You Provide Phishing Training?
Phishing is the leading cause of information security incidents. Not providing phishing training is negligent, at best. Realistically, failing to provide phishing training is practically inviting a ransomware attack.
Phishing training comes in many forms. While a conversation around phishing training baselines is valuable, your clients want to know how actively you prepare for this common and devastating threat.
As with general staff training, this is an excellent opportunity to highlight ways your organization stands out. You can’t go wrong by doing more in this space: you’ll look more sophisticated to your clients and do a better job of avoiding costly data breaches.
One of the ways you can stand out is by conducting regular live phishing exercises. This means sending your staff simulated phishing emails, modeled on real-world ones, whose links lead to training modules. By exposing your team to realistic examples of phishing, they will be significantly more prepared to identify phishing attacks and stop them in their tracks.
Your clients may also have questions about training for other human-based attack vectors. Some of those attack vectors include:
Social engineering attacks – attacks that rely on an individual’s fight-or-flight response and routine activity to steal information, money, or account credentials.
Intentional internal threats – disgruntled employees who want to damage or steal data.
Mistakes – some costly data breaches have arisen from misdirected information. Are you providing error management training to your staff?
3. Do You Cultivate a Culture of Security or Safety?
Building a training program can be a substantial effort. Undertaking that programmatic approach to security is an excellent way to highlight your seriousness about information security and protection.
That work effort can be for naught if you don’t also enforce a culture of security or safety. Suppose you pay lip service to security or use requirements as a check-the-box exercise. In that case, your workforce may find it challenging to take security seriously and apply their training to practical issues.
A culture of safety and security is an excellent metric for your clients to understand that you not only build awareness but apply it in everything you do. It shows that you take security seriously, and you’ll take their data protection seriously. It’s an encouragement and motivation to share data.
In short, a culture of security and safety is a business enabler.
Building a culture of security or safety is a top-down exercise. Executive leadership needs to task the organization with managing information governance. The workforce must hear that there’s a solid commitment to enabling security-forward practices.
Maintaining a culture of security or safety is a bottom-up exercise. Everyone needs to work securely and be mindful of security best practices. Those best practices should be woven into enterprise processes, projects, infrastructure, and operations.
Critically, you must drive metrics that are measurable and verifiable. Those metrics help to motivate the culture of security and safety, benchmark it against industry peers, and highlight to clients how well your security awareness program operates.
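Two of the metrics described above, the auditable annual-training completion rate and the outcome of live phishing exercises, can be produced from the records you keep. The following is an added example, not material from the original article, computing both from constructed sample data; all names, dates, module identifiers and outcomes are invented for illustration.

```python
"""Example security awareness program metrics (added illustration; all data constructed).

Computes two of the metrics the article calls for:
  * training currency: which staff completed the annual awareness module within
    the last 365 days, giving a completion rate and an overdue list for auditors;
  * phishing-simulation outcomes: click rate and report rate per campaign, and the
    change in click rate between the first and most recent campaign.
"""
from datetime import date, timedelta

# Constructed training log: (employee, module, completion date).
TRAINING_LOG = [
    ("alice", "security-awareness", date(2024, 2, 1)),
    ("bob", "security-awareness", date(2023, 1, 15)),   # older than one year
    ("carol", "security-awareness", date(2024, 6, 30)),
    ("dave", "hipaa-privacy", date(2024, 5, 2)),       # never took the general module
]
STAFF = ["alice", "bob", "carol", "dave"]
AS_OF = date(2024, 7, 1)  # constructed reporting date

# Constructed phishing-simulation results, per campaign and recipient.
# "reported" means the recipient flagged the mail to the security team.
PHISHING_CAMPAIGNS = {
    "2024-Q1": {"alice": "clicked", "bob": "clicked", "carol": "reported", "dave": "ignored"},
    "2024-Q2": {"alice": "reported", "bob": "clicked", "carol": "reported", "dave": "reported"},
}


def training_currency(log, staff, module, as_of, window_days=365):
    """Return (completion_rate, overdue): overdue lists staff whose most recent
    completion of `module` is older than `window_days` or missing entirely."""
    latest = {}
    for person, mod, completed in log:
        if mod == module and (person not in latest or completed > latest[person]):
            latest[person] = completed
    cutoff = as_of - timedelta(days=window_days)
    overdue = sorted(p for p in staff if p not in latest or latest[p] < cutoff)
    rate = (len(staff) - len(overdue)) / len(staff)
    return rate, overdue


def campaign_metrics(results):
    """Click rate and report rate for one campaign's recipient -> outcome map."""
    n = len(results)
    clicked = sum(1 for o in results.values() if o == "clicked")
    reported = sum(1 for o in results.values() if o == "reported")
    return {"click_rate": clicked / n, "report_rate": reported / n}


def phishing_trend(campaigns):
    """Per-campaign metrics in chronological order, plus the change in click rate
    from the first to the last campaign (negative means staff are improving)."""
    ordered = sorted(campaigns)
    per = {c: campaign_metrics(campaigns[c]) for c in ordered}
    delta = per[ordered[-1]]["click_rate"] - per[ordered[0]]["click_rate"]
    return per, delta


if __name__ == "__main__":
    rate, overdue = training_currency(TRAINING_LOG, STAFF, "security-awareness", AS_OF)
    print(f"annual training current: {rate:.0%}, overdue: {overdue}")
    per, delta = phishing_trend(PHISHING_CAMPAIGNS)
    for campaign, m in per.items():
        print(f"{campaign}: click {m['click_rate']:.0%}, report {m['report_rate']:.0%}")
    print(f"click-rate change since first campaign: {delta:+.0%}")
```

The overdue list is the item an auditor or client will ask for first, so it is returned alongside the rate rather than only printed; the report rate is tracked next to the click rate because a rising report rate is the clearest sign that awareness training is actually changing behaviour.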
4. Do You Know What Your Vendors Do?
Where a culture of security and safety is critical to implementing a security awareness program, your clients may want to know that you take that awareness further afield of your organization. Your clients may want to see that you have—or even insist that you have—a third-party risk management (TPRM) program.
A TPRM program, at the highest level of abstraction, is a program that observes the security posture of your vendors and data exchange partners. Most TPRM programs do more than that. Some iterations of TPRM will evaluate the technical perimeter of your vendors and data exchange partners. Other aspects of TPRM programs include administrative security evaluations to determine what security frameworks your vendors use and how well they manage them.
Whatever your TPRM program looks like, you’ll benefit by implementing a program that provides good visibility into what your vendors do. Not only does a program like this promote confidence—both yours and your client's—but it also promotes an understanding of your complete risk profile. It’s unlikely that you grasp that well without a TPRM program in place.
A TPRM program also provides an avenue of communication between you and your vendors, specifically about information security issues. It reinforces both the culture of security and safety and the general awareness program.
By integrating security into every aspect of organizational operations, inside and out, you demonstrate the quality and importance of security. That, in turn, reinforces how seriously your workforce treats the quality and significance of security.
Additionally, a quality TPRM program lets you extend your security awareness to other organizations that provide critical support and supply chain needs. The last thing you want is to lose support or have a crippled supply chain due to information security issues. You also don’t want to provide significant quantities of data to a vendor only to have that data exfiltrated from them during a breach.
5. How Do You Manage Risk?
One side of the security awareness equation is vital education and practice development. The other side is active risk management, where the rubber meets the road. That was alluded to in the previous section regarding TPRM, but more generally, good security awareness means being aware of and actively managing risk.
How you manage risk depends on your organization’s size, structure, complexity, assets, and other factors leading to a comprehensive picture of where you are susceptible to a cyberattack or further compromise. While security awareness is only one component of a thriving risk management program, it’s a significant contributor to the quality of that program.
Your clients may request that you have a risk management program. They may even request the byproducts of that risk management program for their TPRM program. Whether you want to disclose those is a personal decision based on what you generate and the sensitivity of that information to your organization.
However, a formal risk management program and its performance measures attract customers. As with other aspects of a security awareness program, it shows:
That you’re thinking about information security and how to secure your clients’ data,
That you’re taking meaningful steps to, in fact, secure your clients’ data, and
That you’re keeping up to date with developments in the information security threat landscape and are proactively adjusting your security posture to address those issues.
Point number 3 is especially critical: whatever risk management program you implement needs to incorporate threat feeds and threat intelligence. Many services assist in that space and will help you learn about and mitigate some of the most current information security threats.
You’re likely to get a lot of questions from your clients about what you’re doing to protect their information. You don’t want to be caught flat-footed by those questions. The best way for you to prepare is to be aware. Building a security awareness program, the cornerstone of a much more effective risk management program, will help you evaluate and understand your place in the information security threat landscape. It will also inform you and your workforce how to better defend against and mitigate threats.