According to the European Network and Information Security Agency, “Awareness of the risks and available safeguards is the first line of defense for the security of information systems and networks.”
The importance of security awareness programs is beyond question, but what makes a security awareness program successful? Presumably, this question may have as many answers as there are stars in the sky, and this article suggests several elements of such a program that have come into prominence over the years. Their origins are rooted in best practices, which is always a good indication of quality achieved through trial and error.
Determine the organization's information security needs. These are unique to the culture, size, and budget of the organization. The level at which the information security program operates depends on the organization's strategic plan and on that plan's vision and mission statements.
![Program Program](https://er.educause.edu/-/media/images/blogs/2018/7/er184306figure1.jpg?hash=B6CF8CDB143F7940E25A3EB4EDF3070B9EC33501&la=en)
Security awareness programs are required for PCI DSS compliance, HIPAA compliance, and compliance with federal and state regulations (e.g., the Texas Health Privacy Law and the Massachusetts Data Security Law), among other things. Unfortunately, because of that, organizations often turn awareness programs into a check-the-box exercise (see “6. Diversify the Content and Methods”).
Drafters of a security awareness program need to be familiar with the latest security training requirements. By way of illustration, the requirements of PCI DSS v3.2 (Payment Card Industry Data Security Standard) became mandatory, rather than best practices, on February 1, 2018.
Source: How to Create a Compliant Security Awareness Program by Raju Woodward
As the President and CEO of Wombat Security, Joe Ferrara, said:
“Healthcare institutions are increasingly targeted by hackers, making it critical to deliver effective training to anyone who is not well-informed of HIPAA-mandated safeguards [.]”
It should be noted that even though security awareness is often mandated by law, it remains a core responsibility of top technology leaders, such as CISOs and HR managers, and they are accountable for its effectiveness.
Consequently, a security awareness program will not be enforced successfully without the active participation of the C-level executives. Top management holds the reins on the entire security awareness process, from initiation to support and direction – this lies at the heart of the top-down approach. It is usually more reliable than the bottom-up approach, since the people in charge of the most important matters within an organization are also fully responsible for the success of the program. When senior leaders are visibly engaged in awareness and training events and are familiar with the organization’s information security policies, that sends a positive message to everybody else.
Creating reliable communication channels – Upper management, again having a primary role, should take responsibility for communicating the program to all employees. Although such communication can take many forms, it is important always to remain clear, relevant, regular, interesting, and interactive.
To obtain maximum support, the implementation of the security awareness program should be facilitated by key departments (human resources, legal, marketing, physical security, etc.) in addition to IT. For example, the legal department will ensure that the program is in accord with compliance requirements. Additional support in the form of funding and distribution is always welcome, as it will fortify the foundations laid by upper management.
Perhaps an awareness program should adopt a more department-specific approach. In most situations, a mixture of baseline best practices and a department-specific code of conduct is the way to go.
Physical Security – It is about the physical access to the IT systems and organization’s facilities. Wearing badges and a sign-in procedure at the front desk, for example, are ways to let in only legitimate persons.
Password Security – Firstly, default passwords must not be used. Secondly, each password should be at least 8 characters long and contain a mix of uppercase and lowercase letters, numbers, and symbols.
Source: Creating Strong Passwords | Time To Change Your Password by brian kelly / CC BY 2.0
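The password rule stated above (no default passwords, at least 8 characters, a mix of uppercase, lowercase, digits and symbols) expressed as a policy check that reports every rule a candidate password fails, so the feedback given to a user or an auditor is specific rather than a bare pass/fail. This is an added example, not code from the original article; the deny-list of default-style passwords is constructed for illustration and is not taken from any product.

```python
"""Password policy check for the rule stated in the text: no default
passwords, minimum 8 characters, and a mix of upper- and lowercase letters,
digits and symbols. The default-password deny-list below is constructed for
illustration only."""
import string
from typing import Dict, List

MIN_LENGTH = 8

# Constructed deny-list of default/vendor-style credentials (illustrative,
# stored lowercase so the comparison is case-insensitive).
DEFAULT_PASSWORDS = frozenset({
    "admin", "password", "password1", "changeme", "welcome1", "123456",
})


def policy_violations(password: str) -> List[str]:
    """Return the list of rules the password fails (empty list = compliant)."""
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("default password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def is_compliant(password: str) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not policy_violations(password)


def audit(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each non-compliant account name to the rules its password fails.

    Intended for checking newly set or default credentials at provisioning
    time; only non-compliant accounts appear in the result."""
    return {
        name: policy_violations(pw)
        for name, pw in accounts.items()
        if not is_compliant(pw)
    }


if __name__ == "__main__":
    # Constructed sample accounts.
    sample = {"svc-backup": "changeme", "jdoe": "Tr0ub4dor&3", "kiosk": "Ab1!"}
    for account, failures in audit(sample).items():
        print(f"{account}: {', '.join(failures)}")
```

The audit function is the piece a defender actually runs: point it at credentials collected during onboarding or a device roll-out and it lists exactly which accounts still carry a default or weak password and why.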
Anti-Phishing – Staffers need to be suspicious of emails that evoke a sense of urgency. Unless they come from trusted sources, no attachments should be opened and no suspicious links clicked. There are some good phishing simulations that will put employees to the test. Using regular phishing simulations is, in fact, a good strategy for developing a security culture at every level within the organization (see the last component), as workers are advised to contact the IT department or security person when they are in doubt.
Social Engineering – Crooks sometimes try to manipulate staff into divulging important company-related information. A security awareness program and training should address such situations, but people need to approach these requests with a healthy amount of skepticism. Keep in mind that social engineering may include other tricks, such as a malware-laden USB stick planted in the proximity of offices, in the hope that an employee will find it and be imprudent enough to plug it into a system.
Internal phishing and social engineering campaigns are good “checks and balances” tools concerning staff robustness against cybersecurity fraud and manipulation. As John Ferrara described it: “[Phishing] can shock complacent staff into realizing how vulnerable to social engineering they really are.”
First, companies should differentiate between security awareness programs and security training. This Dark Reading article outlined the difference:
“Security training provides users with a finite set of knowledge and usually tests for short-term comprehension…. Security Awareness programs strive to change behaviors of individuals, which in turn strengthens the security culture. Awareness is a continual process. It is not a program to tell people to be afraid to check their e-mail. The discipline requires a distinct set of knowledge, skills, and abilities.”
Given that cyber attacks today may use multiple attack vectors, security awareness programs also need to be as comprehensive as possible. There is no “one size fits all” security awareness program, and therefore employees may receive information through various awareness avenues: phishing simulations, newsfeeds, newsletters, blogs, games, etc.
Several studies, such as this 2013 white paper from Secure Mentem, reported that interactive materials are more likely to be effective in achieving results than PowerPoint slides or awareness videos. Also, the combination of in-person and online-based interactive sessions seems to deliver greater results. Implementing simulations and gaming techniques is an excellent way to engage users and, at the same time, prompt them to provide immediate feedback.
Practice shows that awareness efforts are more successful when directed at what employees should do (for instance, how to use social networks safely) rather than at what they should not do.
Consider specific content directed at people who are new to the organization (i.e., “Onboarding”) or dedicated for situations in the wake of security incidents (i.e., “Post-Incident”), both of which will presumably be a bit different from the normal content (i.e., “Ongoing”).
Also, you can use a more personal approach – that is, logically bind, if possible, cyber awareness patterns to activities from personal life, environment, or people. Numerous studies have reported that employees tend to be more responsive when they think that awareness materials can be used outside the office.
A good program should both make regular references to the latest cyberattacks, to demonstrate its importance, and educate everyone on the latest cybersecurity trends. Awareness programs that provide staffers with cybersecurity information promptly can successfully repel cyber-attacks, as evidenced by the attempted Syrian Electronic Army hacking against IDG Enterprises.
Use a checklist but also other methods – this is a routine procedure designed to provide for the systematic dissemination of the security awareness program throughout the organization. It can also be used in all other stages of the program’s life cycle. Unfortunately, most awareness programs are nothing more than a mere check-the-box exercise or a long sequence of computer-based training videos.
Perhaps the biggest problem with security training is that it does not evoke enough interest and enthusiasm in employees, even when the trainees know its importance. Security is a serious subject. Nevertheless, like every other serious subject, it can become boring after a while.
Fun stories are often intriguing stories. In this regard, funny videos can create a good atmosphere and excitement at the office. Humour may be the missing ingredient in your program, although it should be used in the right amount, just like salt in a dish – too much is salty, and too little is bland. Intriguing content can really leave a lasting imprint on memory. So, why so serious?
In general, security awareness should be carried out in person. Choose the best time for training carefully (usually during slow days or downtime). Make sure that users are actively engaged in all aspects of what they are learning.
As an example, routinely testing employee preparedness through a phishing training program will keep everyone alert and reinforce awareness activities. Moreover, immediate feedback also comes in the form of a given employee clicking on a link in a phishing email or downloading an attachment – a potential breach of security that you can address right away by teaching them how to avoid such threats in future. Do not hesitate to notify persons who lag behind regarding training and best practices. Accountability is important to the process, so keeping a slack rein could be detrimental to the overall security awareness policy.
According to Stephen King, hell “might be repetition”; however, security-wise “repetition” may have a redeeming effect. Most employees do not come across security risks daily, so they need a reminder of looming security threats from time to time.
A yearlong plan broken down into quarters will help you focus threat research and training development efforts on specific goals, as well as notice changes that occur between these periods. Various methods can help you track progress, with reports and metrics being the most common. Metrics are illustrative: they are the key attributes that identify whether learning objectives are being met and whether management needs to make any adjustments to the program.
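The quarterly tracking described above, together with the phishing-simulation feedback loop from the earlier paragraphs, reduces to a few metrics a program owner would report each quarter: click rate and report rate per quarter and per department, the quarter-over-quarter change in click rate, and the list of employees who clicked in more than one campaign and therefore need targeted follow-up. This is an added example, not code from the original article; the sample results, the record layout (quarter, department, user, clicked, reported) and the department names are constructed assumptions rather than any simulation platform's export format.

```python
"""Quarterly phishing-simulation metrics: click and report rates, trend,
and repeat clickers. Added example with constructed sample data; the record
layout is an assumption, not a particular platform's export format."""
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[str, str, str, bool, bool]  # quarter, department, user, clicked, reported

# Constructed sample results: one row per employee per simulation campaign.
SIMULATION_RESULTS: List[Record] = [
    ("2018Q1", "finance", "alice", True, False),
    ("2018Q1", "finance", "bob", False, True),
    ("2018Q1", "hr", "carol", True, False),
    ("2018Q1", "hr", "dave", False, False),
    ("2018Q2", "finance", "alice", True, False),
    ("2018Q2", "finance", "bob", False, True),
    ("2018Q2", "hr", "carol", False, True),
    ("2018Q2", "hr", "dave", False, True),
]

QUARTER, DEPARTMENT = 0, 1  # column indexes usable as grouping keys


def rates_by(records: List[Record], key_index: int) -> Dict[str, Dict[str, float]]:
    """Click rate and report rate grouped by the column at key_index."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for row in records:
        bucket = totals[row[key_index]]
        bucket["sent"] += 1
        bucket["clicked"] += int(row[3])
        bucket["reported"] += int(row[4])
    return {
        key: {
            "sent": v["sent"],
            "click_rate": round(v["clicked"] / v["sent"], 2),
            "report_rate": round(v["reported"] / v["sent"], 2),
        }
        for key, v in totals.items()
    }


def quarterly_trend(records: List[Record]) -> Dict[str, float]:
    """Change in click rate versus the previous quarter (negative = improvement)."""
    by_quarter = rates_by(records, QUARTER)
    quarters = sorted(by_quarter)
    return {
        cur: round(by_quarter[cur]["click_rate"] - by_quarter[prev]["click_rate"], 2)
        for prev, cur in zip(quarters, quarters[1:])
    }


def repeat_clickers(records: List[Record], min_clicks: int = 2) -> List[str]:
    """Employees who clicked in at least min_clicks campaigns: follow-up candidates."""
    clicks = defaultdict(int)
    for _quarter, _dept, user, clicked, _reported in records:
        if clicked:
            clicks[user] += 1
    return sorted(user for user, n in clicks.items() if n >= min_clicks)


if __name__ == "__main__":
    for quarter, stats in sorted(rates_by(SIMULATION_RESULTS, QUARTER).items()):
        print(quarter, stats)
    print("trend:", quarterly_trend(SIMULATION_RESULTS))
    print("by department:", rates_by(SIMULATION_RESULTS, DEPARTMENT))
    print("repeat clickers:", repeat_clickers(SIMULATION_RESULTS))
```

Report rate is tracked alongside click rate on purpose: a falling click rate with a flat report rate means people are ignoring the lures, while a rising report rate means they are actually contacting the security team, which is the behaviour the program is trying to build.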
When your people demonstrate due diligence concerning the application of the security awareness program, your normal response would be to show them somehow that they are on the right track. Sometimes a pat on the back would be enough, but sometimes it would not be.
An internal incentive-based system that rewards people who report potential security incidents, even in the context of phishing simulations, is a welcome addition to every security awareness program.
Rewards may even include leisure activities: dinner out, listening to music, watching TV, etc. You can also provide gift cards and call out the names of top performers during meetings.
What good will cutting-edge technological security measures do a company if its people have no security culture? No ultra-modern technology can compensate for the lack of a security culture within a company. According to E-commerce Times, IT administrators and other security professionals consider “end user carelessness” the primary security threat to their company, surpassing even malware-based cyberattacks and advanced persistent threats (ITIC/KnowBe4 “2013 — 2014 Security Deployment Trends Survey”).
The security culture is the key. Provided that it is properly created and enforced, an awareness program can instill habits and behavior that drive security culture.
The ultimate goal of a security awareness program is not only to improve the practical implementation of security best practices but also to broaden understanding of the newest security threats and how to counteract them.
The security awareness program ensures that every person in the organization possesses a minimum level of know-how concerning security matters, which is also usually accompanied by an appropriate sense of responsibility.
Source: Cybersecurity Awareness Month kicks off year-long Army campaign by Ms. Erinn Burgess
If we consider the first two lines of defense to be security controls and detection, security awareness fortifies mostly the third one – the human factor. In this context, a proper security awareness program should educate people on how to use the other two lines of defense.
Having a security awareness program is simply indispensable. By the reckoning of Maria Korolov of CSO Online, “[t]he least effective training program still had a seven-fold return on investment, even taking into account the loss of productivity during the time the employees spent being in training. Moreover, the average-performing program resulted in a 37-fold return on investment [.]” Nevertheless, why settle for an inferior program? This article outlines several elements that everyone should consider when developing a security awareness program, and implementing most of them is not that difficult.
Sources
The Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within, Kaspersky Lab Daily
Beaver, K. (2017). Your Security Awareness Program Stinks. Here’s Something You Can Do About It. Available at https://securityintelligence.com/your-security-awareness-program-stinks-heres-something-you-can-do-about-it/ (02-08-2018)
Cully, T. (2016). The Top 10 Components for Developing a Strong Information Security Program. Available at https://www.linkedin.com/pulse/top-10-components-developing-strong-information-security-tom-cully (02-08-2018)
Drolet, M. (2018). 4 steps to launch a security awareness training program. Available at https://www.csoonline.com/article/3246455/data-protection/4-steps-to-launch-a-security-awareness-training-program.html (02-08-2018)
Egan, G. (2016). New Security Awareness Training Program Helps Healthcare Organizations Manage End-User Risk. Available at https://www.wombatsecurity.com/blog/new-security-awareness-training-program-helps-healthcare-organizations-manage-end-user-risk (02-08-2018)
IT Weapons (2018). Ways to Test Your Security Awareness Training Plan. Available at http://www.itweapons.com/4-ways-test-security-awareness-training-plan/ (02-08-2018)
Harper, K. (2018). Security Awareness Training: Are You Setting Yourself Up for Failure? Available at https://www.elasticito.com/single-post/2017/11/18/Security-Awareness-Training-Are-You-Setting-Yourself-Up-for-Failure (02-08-2018)
Harris, S. Key elements when building an information security program. Available at http://searchsecurity.techtarget.com/tip/Key-elements-when-building-an-information-security-program (02-08-2018)
Hudgens, J. (2015). Top 5 Components of a Strong Information Security Awareness and Training Program. Available at https://pratum.com/blog/285-top-5-components-of-a-strong-information-security-awareness-and-training-program (02-08-2018)
Lohrmann, D. (2014). Ten Recommendations for Security Awareness Programs. Available at http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Ten-Recommendations-for-Security-Awareness-Programs.html (02-08-2018)
McLaughlin, T. (2017). How to Implement a Security Awareness Program at Your Organization. Available at https://www.threatstack.com/blog/how-to-implement-a-security-awareness-program-at-your-organization/ (02-08-2018)
Morris, S. (2015). 5 Topics to Include in Your Security Awareness Training Program. Available at https://kirkpatrickprice.com/blog/5-topics-to-include-in-your-security-awareness-training-program/ (02-08-2018)
Shumaker, T. (2018). Creating an effective staff security awareness program. Available at https://www.itgovernanceusa.com/blog/creating-an-effective-staff-security-awareness-program/ (02-08-2018)
Smith, K. (2016). How To Build A Security Awareness Program for Widespread Organizations. Available at https://www.securestate.com/blog/2016/10/20/how-to-build-a-security-awareness-program-for-widespread-organizations (02-08-2018)
Winkler, I. (2017). 7 elements of a successful security awareness program. Available at https://www.csoonline.com/article/2133408/data-protection/network-security-the-7-elements-of-a-successful-security-awareness-program.html (02-08-2018)
Wikipedia. Security awareness. Available at https://en.wikipedia.org/wiki/Security_awareness (02-08-2018)
Woodward, R. (2017). How to Create a Compliant Security Awareness Program. Available at https://www.cbtnuggets.com/blog/2017/12/how-to-create-a-compliant-security-awareness-program/ (02-08-2018)
As healthcare provider shortages loom, hospital and health system training and development programs become increasingly important. Such programs can help retain current employees, improve their skills and positively impact the overall quality of a health system — something that is increasingly important in a value-based world. Yet, training and development initiatives aren't often a top concern for health system leaders. This, of course, is not surprising given that leaders are faced with more pressing issues, such as reimbursement, compliance, clinical quality and beyond. However, training and development is an important area that leaders should assess often.
Donnetta Horseman, corporate responsibility officer for CaroMont Health in Gastonia, N.C., oversees the health system's compliance training and development initiatives, along with Cynthia Machuga, the system's educational services coordinator. Together, the two oversee the delivery of system-wide training programs.
The health system offers thousands of training courses each year — both mandatory (such as those for compliance, privacy, clinical skill development, etc.) and optional, by role. Examples of optional trainings include continuing medical education and leadership development opportunities. Overseeing thousands of trainings each year can be a daunting task; however, Ms. Horseman and Ms. Machuga say there are a few best practices that can help ensure any given training program meets its goals without overextending a health system's resources.
1. Create training programs for different learning styles. Training programs should include material that appeals to various learning styles: verbal, visual, hands-on, etc.
'You have to be willing to use a variety of different teaching methods,' says Ms. Machuga.
Training programs also need to reflect the multilingual employee population in so many hospitals today. 'We often make the generalization that if this is in English and it is simple enough then everyone's going to get it, and that may not be the case,' notes Ms. Horseman. 'You need to ensure all of your different employees in their different roles — from the housekeeper to facility worker all the way through the CEO — can comprehend the information.'
2. Make programs interactive. Group work, quizzes and other activities can help make training programs less lecture-based and more interactive — something that not only helps employees retain information but also makes the training more enjoyable for them.
![Developing Developing](https://image.slidesharecdn.com/a41f2416-98c2-4a84-8816-fb8d0affb096-160307153620/95/croft-arlenefso-nonpossessing-completed-1-638.jpg?cb=1457364995)
'You have to make it as interactive as possible; the more involved [employees] are, the more they retain,' explains Ms. Horseman.
3. Embrace computer-based training modules. While certain types of trainings may be better suited for face-to-face training, many others can be completed online. Computer-based training modules are often more convenient for employees as they can be completed from various locations, at different paces and at times that work within an employee's schedule, says Ms. Machuga.
Ms. Horseman adds that computer-based trainings also help CaroMont deliver consistent training and allow administration to track that each employee has completed a training module — something that is especially important for mandatory trainings around compliance and privacy issues. Additionally, using computer-based modules developed by third parties is less resource-intensive than developing them in-house. While CaroMont actually prefers to develop its own modules because doing so is less costly, when trainings need to be developed and rolled out quickly, using a third-party product can be advantageous, says Ms. Horseman.
When using computer-based trainings, it is important to prepare for some technical difficulties. 'If you can, have the IT department involved early on in the process, even in planning, to make sure what you're looking at purchasing will work with your hardware and system,' advises Ms. Machuga.
4. Personalize information so it is specific to your hospital or health system. Another reason CaroMont often develops its own training programs is because, in addition to being cost efficient, information within the training can be specific to CaroMont's facilities and procedures.
If using a third-party module, Ms. Horseman recommends selecting one that allows for some personalization. 'Pre-packaged [modules] are a little more generic,' she explains. However, when CaroMont selected a third-party module for compliance training, it chose one that allowed the system to add its own documents, policies and procedures. 'It made us feel like we were still able to have training very specific to our organization without having to spend as much time developing content,' she adds.
5. Ensure training reflects changing skills. Hospital training programs have always covered issues such as compliance and clinical competency, but increasingly hospitals are developing programs around newly sought-after skills, such as customer service and patient-centered care.
'What we've seen more than anything else because of value-based healthcare is that we're putting more focus on the patient experience and balancing it with quality and cost,' says Ms. Machuga. 'We've always covered customer service in orientation, but it's certainly more in depth than before. As the patient experience plays more into our reimbursement, we have to get across to staff what this means and how the employee can impact it.'
6. Consider employee demands beyond training. Employees at hospitals have multiple responsibilities, and training should be designed so that it can be completed without taking away from those responsibilities.
'One of the things that makes healthcare unique is a large part of our employees are nurses or physicians who are caring for patients,' says Ms. Horseman. 'We really need to make sure we're putting together training that is effective for them. Not everyone is at a desk, so training they can do between daily activity is ideal.'
7. Evaluate the effectiveness of training programs. Finally, hospitals should always assess the effectiveness of their training programs through surveys and testing of skills. After all, a training program that doesn't effectively improve some skill or competency is a waste of health system resources and employees' time.
'Did you achieve what you were trying to achieve, and if not, what do you need to do from that point on?' asks Ms. Machuga.
© Copyright ASC COMMUNICATIONS 2020. Source: Becker's Hospital Review.