True employee awareness of data privacy is not just about keeping sensitive documents from prying eyes. Here are nine topics a comprehensive privacy awareness program should cover.
What your employees don’t know about handling data at your company or organization could burn you, and fast.
That’s why it’s important to implement a privacy awareness training program so all your employees can actively protect sensitive data.
From how to stop phishing attacks to the best practices for data management and protection, there are numerous fundamentals involved with securing personal and sensitive data.
We’ve narrowed down nine topics that you should cover in your privacy training program to establish a risk-aware culture in which your employees see data protection as second nature.
Best Practices for Data Protection and Data Management
A privacy awareness program needs to cover the basics. To make sure your workforce is actively protecting sensitive data, employees need to understand the data lifecycle — how data is created, stored, used, shared, archived, and destroyed within your company.
Here are some of the basics to cover in privacy awareness training:
- What data needs to be protected
- How to label data
- How to organize data
- Protocols on sharing data
- How to dispose of data no longer needed
- The importance of backing up critical data
Compliance with Privacy Policies: HIPAA, GDPR, and CCPA
A wide variety of privacy regulations exist, both U.S.-based and global, that you may need to follow when it comes to how your company manages personal data. Many include training requirements for employees who handle this data, shifting training from a nice-to-have to a necessity.
What follows is a far-from-exhaustive list of some of the most impactful policies in force today:
HIPAA – The Health Insurance Portability and Accountability Act of 1996 provides data privacy and security provisions for safeguarding medical information in the U.S. Learn more about our HIPAA TrainingPack.
GDPR – The General Data Protection Regulation is a regulation on data protection and privacy for all citizens of the EU, which includes the transfer of personal data outside of the EU. Learn more about our GDPR TrainingPack.
CCPA – The California Consumer Privacy Act enhances privacy rights and consumer protection for residents of California. Learn more about our California Regulation TrainingPack.
Keep in mind that you may not have to comply with any of these regulations. Additionally, there may be other regulations not listed here that you do need to comply with. For more information on which policies you might need to look out for, you can search privacy policies by country.
Keeping Software Patches Top of Mind
Nearly every piece of software your employees use on a regular basis requires frequent updates. Without them, any machine could be at risk of becoming a dangerous access point for malware or a source of data breaches.
A patch is a set of changes to a computer program or its data that is designed to update, fix, or improve it. Patches range from usability and performance improvements to bug fixes and more.
Your training program should include who should patch, how often to patch, and patch management guidelines (what to prioritize, etc.).
Turning Away Social Engineering Attempts
Most data breaches begin with a successful social engineering attack. This happens when a hacker targets someone to get them to do something that gives the hacker the access they are looking for.
For example, an employee could receive a link from what appears to be a LinkedIn connection or Facebook friend when, in fact, it's really a hacker just trying to get into the network. In other words, it's a con game.
Make sure your employees are aware of this threat, and teach them how to recognize a social engineering attack and what to do if they believe they have been targeted.
Knowing What Identity Theft Looks Like
Personal information is incredibly easy to obtain as data breach after data breach dumps reams of data into the dark corners of the internet.
Thieves use this information in a variety of ways—financial gain, criminal evasion, and illegal collection of Social Security and medical benefits.
Identity thieves steal and use their victims’ personal information to create imposter accounts and to access existing accounts. Armed with stolen personal information, identity thieves can rob your company of customer trust and confidence.
That’s why we recommend including information on the threat of identity theft in your privacy awareness training. General topics and ideas to cover include but are not limited to:
- Identity theft red flags, such as what suspicious requests or uses of data look like
- Real-world examples of identity theft consequences
- What regulations exist to address identity theft
How to Identify Phishing Email Scams
Email scams are tricky, so it's crucial that your employees know how to identify them. Some are more difficult to identify than others, but many share common themes that call them out as phishing attempts.
There are a few ways to identify and combat phishing attacks:
- Look for spelling or grammatical errors in the domain name or email address
- Be wary of emails that ask for any of your personal information or for confirmation with a sense of urgency and no real proof of their claims
- Don't click on any suspicious links you weren't expecting
- Protect and back up your data
The most important takeaway here is making sure your employees take their time and think before interacting with any unexpected emails. Be sure to include some of these reminders in the training itself, and don’t be afraid to get creative with real phishing emails as a training tool!
Best Practices for Choosing a Password
Choosing a password might seem simple, but when you’re dealing with sensitive data, you need to make sure it’s secure.
In addition to choosing a unique password with eight or more letters, numbers, and characters, you should also use multi-factor authentication (MFA) or two-factor authentication (2FA). Both require at least two pieces of evidence (MFA can require more) in order to authenticate access to a system, such as a password and a code sent to your mobile device via text message.
Here are some password best practice ideas for including in your training (and maybe even your company password policy):
- Trend towards length over complexity
- Consider a "passphrase" that adheres to your organization's password requirements for length
- Avoid passwords based on a single, common word that can be found in the dictionary or on the name of the associated service
- Use different passwords for your work and personal accounts
All About Safe Browser Use and Screen Locking
When working with personal data, it's important that employees don't leave their computer available to anyone who could cause damage to their identity or the company. Remind them to lock their screen each time they step away from their computer to reduce the chances of unauthorized access (either accidental or malicious).
In addition to screen locking, you should also cover safe browser use. This includes making sure the browser is fully patched, only browsing safe websites and URLs, and reminding employees not to install unnecessary add-ons without admin approval.
How to Report an Incident
Whether it’s a malware attack, phishing scam, data breach, or even a hunch something might be wrong, it’s important for employees to know how to report an incident and who to report it to. Here are some ideas on what to cover regarding incident reporting:
- What to expect when an incident occurs
- How to recognize cybersecurity incidents and report them to IT
- Guidelines on how to handle an incident (who to call, what steps to take)
- What to do with a device that is believed to be compromised
In today’s digital world, it’s easy to share information at the click of a button. As a result, standards for privacy protection continue to rise, which makes it harder to keep up with the changing laws that regulate our personal information.
But as the privacy landscape and associated trends and regulations shift, the end goal of privacy awareness training remains the same: helping your employees achieve a mindset where protection of personal data comes as second nature.