Data Breach Response: The importance of training

08 Jan 2021

In a crisis, you don’t rise to the level of your aspiration, you fall to the level of your training. In this article, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt explains why training before a data breach occurs is critical to an effective response when a data breach occurs.

The reason why

People in an organisation are often the first and front line of defence in cybersecurity. There is a tendency in cybersecurity circles to focus on technology and infrastructure solutions, systems and processes to maintain security. These are critically important. However, equally, if not more important, are the people in the organisation. These are the people who are operating the systems in place, following the processes, and generally conducting the business.

The quality of training and awareness programmes will have a direct positive impact in reducing data breaches and mitigating the adverse consequences of data breaches when they do occur. Effective training will raise awareness of threats to information security in the business, how to report incidents, and how to play a role in responding to incidents and data breaches. This, in turn, mitigates and reduces the loss and liability arising from data breaches.

The absence of effective training is a common criticism in investigation reports of regulators in respect of serious data breaches. This highlights that effective cybersecurity training is an expected standard for businesses. The absence of an effective training programme will be an adverse and aggravating factor in regulatory investigations and proceedings when a data breach occurs.

Who should be trained

Anybody who participates in the conduct of the business needs to be trained in respect of security threats that that business faces. Training should be customized to the role and function of the people being trained so that the training is relevant and relatable. Even people who do not have regular or any access to IT systems should receive a degree of training, though the content would be tailored to physical security or other measures relevant to their specific role. Training may not be limited to just employees and can include contractors, suppliers and other persons who have access to the business premises or IT systems.

Training should emphasise the role each person plays in maintaining the confidentiality, integrity and availability of data and information of the business. The training should help people identify threats to information security, and the actions to take if they identify threats or incidents.

When should training be conducted

Training should be timed in different ways to add variety to the training programme. This can comprise:

Induction: Cybersecurity training should be a key component of an induction programme. This will help to inculcate good practices from the outset and reduce the chance of bad habits forming early.

Scheduled: Certain core topics should be addressed at frequent and periodic intervals. This acts as a consistent reminder of common and persistent threats to information security. Repeat training on phishing attacks is a good example of this.

On demand: Certain training should be made available on an “always available, on demand” basis. This allows busy persons to catch up on relevant training topics and material at a time of their choosing.

Just in time: Certain training can be provided on a “just-in-time” basis. This can arise where the training is given directly in conjunction with a specific process that requires that training or at a particular period when that threat is at its highest. For instance, cybersecurity training coming into a Christmas holiday period is an example of providing training to coincide with a period of heightened cybersecurity risk.

Surprise: Training can be most effective when it is delivered at an unexpected time. This will highlight the real level of awareness of people in respect of the subject matter. For instance, a simulated phishing attack will produce results of how people responded to that phishing attack, and will provide authentic data and actions based on people’s response.

The trap to avoid is to rigorously adhere to an annual calendar that requires participants to acquire a certain number of training hours within that period. This inevitably leads to an absence of training for much of the year, and a rush to acquire training credits in the twilight of that period. The quality of training, and level of learning, inevitably suffers.

Forms of training

The form and method of delivery of training should be varied. Some styles include:

Lecture: This is a traditional lecture format, in which the trainer delivers the content directly to those being trained. This can be delivered in a real-world or online environment. Presentation aids such as a slide deck, participant questionnaires, or polls can be used. This traditional style demands more focus and endurance by the participant to remain engaged and acquire the learning points. It may be useful at an introductory level, or as a master presentation on a topic for future reference.

Seminar: This is a more interactive format, in which the training topic is explored in a smaller group setting. Typically, a Socratic style of delivery is adopted in which the trainer directly asks questions of the participants, or breaks the group into smaller working groups on tasks or problem-solving relating to the topic. This is an effective method for encouraging self-learning through task performance or problem-solving.

Round table: In this format, the trainer leads a discussion among the participants to explore the training subject. This is an effective method where the desired objective is to share experiences and glean new insights from those experiences. It is often used between persons who work in different departments or functions, but who share common issues. It can also be very effective among senior executives.

Table top simulations: In this format, the trainer will lead a small cross-functional group through the different stages of a simulated incident. The purpose of the exercise is to assess the knowledge and readiness of the participants in the context of an actual incident, and identify areas of weakness in their response. It is especially effective in training incident response teams.

Awareness programmes

Awareness programmes are very important in embedding a culture of security in an organisation. Awareness is different to training. Training is directional and focused on specific learning on specific topics. Awareness is using people’s surroundings and attracting their attention so that they are aware of the importance and relevance of information security in the organisation. This can be done through campaigns, multimedia messages, reminders, and any number of creative or innovative activities.

The key ingredients for success in awareness programmes are variety and surprise. Once a poster has been on a wall in a pantry for a period of time, it seems to become part of the wall and almost invisible. The awareness programme should have that surprise and fun element that brings information security to the top of mind at that particular moment.

Key ingredients for an effective training programme

The key ingredients in an effective training programme in respect of cybersecurity and the data breach response are:

  1. Senior management support: The training programme must be approved and supported by senior management. It sends a powerful signal of the importance of training when a senior executive – ideally the CEO – actively participates in a training programme and consistently emphasizes the importance of cybersecurity training in his messages. Senior management support also means budget support.
     
  2. Organisational involvement: A training programme is not a matter for just the training department. A core objective of training is relevance. This requires active involvement on a cross-department, cross-function basis. This is critical in the planning stage, as this is when the training objective is customized to the particular needs of specific participants.
     
  3. Measuring effectiveness: Training is not just about showing up; it is about learning actionable lessons. The training programme should include ways of assessing and measuring whether the training objectives have been achieved. This could be measured by assessment tools such as questionnaires and feedback forms, or more sophisticated attention tools for an online environment.

Closing thoughts

Vegetables. We know we need them. But, well, they are not always palatable. Training can be like that. Training is necessary. It is impossible to respond effectively to a data breach, unless there has been some training on how to do so. Training is a necessary and vital ingredient in the data breach response. We, at Tanner De Witt, have devised training programmes in data protection and security which have helped a number of our clients.

The key to effective training is to provide variety and relevance to the training. This requires creativity, planning and execution skills. But with organisational support and involvement, training in cybersecurity and data breach response can be crisp and vibrant, not overcooked or reheated.

Pádraig Walsh

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.