What topics should you include in your security and privacy training?

Travis Good
October 14, 2020

Trust is essential for doing business. As is the case with most businesses, employees serve as the perimeter of your trust network. They can either be the last line of defense or the first line of access to company data. In addition, data regulations such as GDPR, CCPA, and HIPAA define specific rules governing how personal data is managed, as well as the rights that individuals have over the collection and use of their personal data.

Employees cannot be expected to stay up to date on security best practices and privacy regulations on their own. This is why security and privacy training are more important than ever.

Startups use a smorgasbord of security training methods today. Certain types of training exist simply to check the box for reporting, auditing, and third-party assessments. Frequently this style of training is seen as a chore by managers and employees alike. Other training methods focus on engagement, with content that is up to date and topical in the areas of security and technology. These methods of training, coupled with events like regular lunch-and-learns, can be very high value.

Regardless of the content and tools used to train employees on security and privacy, there are certain topics that should be covered, and certain topics that must be covered.

Security Awareness

Every company, including startups, should provide some form of security awareness training to all of their employees. Effective security awareness training helps employees make informed decisions and protect company data.

Every company that is assessed against SOC 2, HIPAA, or PCI must provide some form of security training to all of its employees in order to pass an audit.

The challenge is that most commercially available security training is outdated, both in its technology examples and in its assumptions about how people actually work today. This training does check the box for SOC 2, HIPAA, and PCI, but it does little to actually increase the security awareness of employees.

Because of this, many companies create their own security awareness training. This path is hard to maintain and hard to track.

Whether you buy training or create your own, below are the topics that should be covered in a security awareness training course for technology companies.

  1. Phishing. If you only cover one topic, make it this.
  2. Malware. A close #2 topic, with lots of overlap with phishing.
  3. Passwords. Passwords may go away someday, but that day is a long way away.
  4. Multi-factor authentication (MFA). This deserves coverage and ideally is already part of your company toolkit.
  5. Computer security. Basics and best practices for keeping your primary work device secure.
  6. Phone security. Analogous to computer security, but for your smartphone.
  7. Remote work. Working out of the office presents new threats and calls for new best practices. COVID has forced all technology companies to deal with remote work in some fashion or another.

When weighing each of the above topics, consider the list in priority order. Because phishing accounts for close to 90% of all breaches, specifically in regards to email fraud, phishing should be the primary focus for security awareness training. As an example, if we were to break the course into 10 lessons, the first 6 lessons (the majority) should cover phishing, with the remaining 6 topics covered in the last 4 lessons.

Privacy Training

Privacy training is something every company that is assessed against GDPR, CCPA, and HIPAA must do.

The focus of privacy training is different from that of security training. Privacy training is regulation-specific, meaning privacy training for GDPR, CCPA, and HIPAA is tailored to the data use rules in each of those regulations.

The one universal topic that should be covered in privacy training is data subject rights. These are the rights that individuals have around the use — collection, sharing, processing — of their own data. These rights include access to their data and the ability to have it deleted. The exact rights a user is granted are regulation-specific. However, the notion of data subject rights is universal, and it is the primary requirement for training under GDPR and CCPA.

Trust matters. Audits matter. Employees need appropriate training to ensure you earn trust and pass audits. The above topics are a starting point for a technology company looking for modern security and privacy training.