In a recent blog entry, I talked about creating a strong password. But what are passwords used for? They are, among other things, a mechanism for ensuring that sensitive data is accessed only by authorized persons. Some of that sensitive data may be personal data that can be used to uniquely identify a person, such as their Social Security Number or driver’s license number. If a person obtains sufficient personal data on an individual, they can perform identity theft, impersonating that individual in order to fraudulently open accounts, obtain credit cards, etc. It can take the individual whose identity was stolen a long time to get things straightened out, and during that time their credit history is tarnished.
Personal data is collected during normal business transactions. Even organizations that may not collect personal data from customers will still have personal data for their employees. This data must be protected from unauthorized disclosure. Depending on where you live, Federal and State legislation (such as the Texas Identity Theft Enforcement and Protection Act) requires that sensitive personal data be protected, and requires disclosure should this data be compromised. The disclosure requirement is one of the reasons we have recently read more reports about data breaches by commercial and government entities. Loss of personal data is a serious issue, and can generate negative publicity and potentially damage the reputation of the organization responsible.
In several recent data breaches, a major factor contributing to the incident was the lack of proper employee training. Lack of training may have resulted in employees not following existing procedures or knowing how to use existing protective technology, or simply being unaware of the value of the data they were handling. These issues can be addressed by ensuring that a strong security awareness program is in place, and by properly training all employees.
An effective security awareness program provides employees with the information they need to understand existing policies and procedures, and to properly use the technology that has been put in place to safeguard the enterprise, including personal data. In most circumstances, employees want to do the right thing, but they have not been provided the necessary training in an effective manner. A good security awareness program provides training on an ongoing basis to ensure that the security message is fresh in employees’ minds. It also helps if the message is provided in multiple ways: Web-based training, live seminars, lunch and learn sessions, posters, videos, brochures, and other delivery methods. Not all people learn in the same manner, so it is important to provide the message using different media.
With regards to personal data protection, awareness training should stress:
• What counts as personal data (for example, Social Security Numbers and driver’s license numbers), and where it lives in the organization
• Proper handling and destruction of personal data and of the media that carry it: laptops, hard copy collateral, USB drives, etc.
• Proper use of the protective technology already in place, such as the encryption of laptop hard drives
• The procedure for reporting a suspected breach, and the importance of reporting promptly, since the disclosure obligations mentioned above follow from the compromise
Providing employees with effective security awareness training helps protect against inadvertent disclosures of personal data, and reduces the risk of the negative publicity that follows a breach.