The weakest link in information security and privacy is people. Multiple studies show that most incidents and breaches occur because people simply didn't know what they were doing, because they made a careless mistake after never being told how to perform their job responsibilities with information security in mind, or because they maliciously did bad things knowing that, given their co-workers' lack of awareness, they would likely not get caught. Informed and aware personnel are a countermeasure against security incidents and privacy breaches.
Training and awareness need to be a prime factor in an organization's security and privacy compliance program. Many laws and regulations explicitly require formal, ongoing training and awareness: not only HIPAA, HITECH, and GLBA, but also many other federal, state and local laws, regulations and industry standards. Fines and penalties will become increasingly significant for organizations that lack effective training and awareness activities.
A large number of organizations do not have a formal training and awareness program. Where training and awareness activities are in place, they have often not been effective. In many other organizations there is no training and no awareness communication or event at all. Not only does this put information at risk of incidents resulting from lack of knowledge and more frequent mistakes, it is also a significant noncompliance infraction: most regulations require ongoing training and awareness to be happening right now. Organizations need to make training and awareness a priority in their information security, privacy and compliance programs.
Training and awareness are the least expensive, and most effective, control an organization can implement to prevent incidents and breaches. I've seen the direct and measurable benefits many times; those who try to tell you otherwise have not done it effectively, likely because they didn't believe it would work in the first place. Unless you want to see increasing incidents and breaches resulting from careless mistakes and simple lack of knowledge, you need to be more proactive in providing regular training and ongoing awareness communications and activities.