Trust awareness
Among other findings, PwC's "The Journey to Digital Trust" report picked up on inadequate attention to awareness and training:
"Many businesses could do more to raise employee awareness and accountability around cybersecurity and privacy. Only 34% of respondents say their company has an employee security awareness training program. Only 31% say their company requires employee training on privacy policy and practices."
Less than a third of companies require training on their privacy policies and procedures? Wow! The other two thirds presumably expect their people to 'just know' this stuff. Perhaps it gets into their heads through osmosis, Vulcan mind melds or magic crystals. Perhaps management is over-reliant on the general news media and public awareness activities, forgetting that we are all awash in a vast ocean of information. Picking out the Stuff That Matters is getting harder and harder by the second.
It is any surprise, then, that privacy breaches and other information incidents occur so often? I suspect a good proportion of the organizations that do provide privacy awareness have suffered already - they've learnt the hard way, whereas the rest of us can and should learn from their mistakes.
It's hardly rocket surgery: if workers are expected to do stuff and not do other stuff in order to secure information, maintain privacy and satisfy all the other requirements to minimize information risks and compliance, surely they need to know what's expected of them. Just as kids need to be told and shown, repeatedly, what's right and what's wrong, adults need instruction and guidance in this area.
PwC offers the following 'Actionable advice for business leaders':
- "Prioritize raising workforce awareness about cybersecurity and privacy to support business objectives. Use messaging that avoids invoking security fatigue and is memorable enough to influence behavior when busy employees later face phishing schemes and other sophisticated threats.
- Establish corporate policies governing access to IT assets and data. Enforce the policies at all levels of the company to drive accountability for cybersecurity and privacy."
Well said, PwC! I agree with emphasizing business objectives, although they might also have mentioned personal, team and social objectives: information security and privacy are not just important for our organizations. Protecting the interests of customers, for instance, by adequately protecting their personal information is not purely a strict business matter. Influencing employee behavior is an important goal ... and I might add that influencing decisions (especially management decisions made by business leaders) is one of the most powerful changes that an effective awareness and training program can achieve.
PwC's mention of policies and accountability smacks of the compliance-driven culture which is particularly strong in America and increasing elsewhere in the world - GDPR being a topical example. Noncompliance with the privacy regulations can seriously damage the bottom line and be career-limiting for those held to account for their failures, including management's bad decisions I just mentioned. It's a governance matter. Duck and cover is not a viable response.