What’s your current approach to compliance? Policies and procedures in place, a security risk analysis every eighteen months, and an annual slide presentation for employees on HIPAA basics? With our increased reliance on data, as well as changing compliance rules and regulations, that's no longer enough. We need to rethink compliance from the employee perspective.
Security awareness training is one method you can count on to bolster your compliance program and protect sensitive data. But that’s only true if you don’t count on bullet points in a slide show getting the job done. You’ll need more issue-specific training and ongoing check-ins to assure compliance and foster security awareness.
For instance, if you’re an employee, you may have mixed ideas about how your job relates to compliance, let alone how to protect sensitive data. An employer’s task is to eliminate that confusion, which helps promote a security-aware environment that in turn supports compliance.
5 Tips for Employee Security Awareness & Compliance
- Explain compliance and information security using layman’s terms, not jargon. Conversely, encourage questions about compliance’s confusing acronyms.
- Conduct phishing-specific training. Then test employees. Effective techniques may include simulated phishing emails sent to employees to test training results.
- Make sure employees know how to protect their physical environment, like locking their screens when they aren’t using their devices.
- Emphasize the need to alert IT to any suspicious email or strange network activity (or inactivity).
- Force regular password changes and implement an automatic “weak, medium, strong” password tool.
When it comes to rethinking compliance, it also helps to remember that compliance and security aren’t the same thing. You need compliance excellence if you’re going to demonstrate that you can meet security standards. That includes having a way to manage interdependent components like workflow management, task monitoring, access controls and asset tracking for compliance as well as cybersecurity purposes. Your security-aware, compliance-promoting environment will help employees learn how to recognize risk, especially the kind that pops up in their inbox.