For an organization to comply with Payment Card Industry Data Security Standard (PCI DSS) Requirement 12.6, they must have a formal security awareness program in place. On reviewing a number of these programs over the last few years, I have been surprised to note how many failed to adhere to the guidance outlined in the PCI Security Council’s “Best Practices for Implementing a Security Awareness Program.”
In failing to do so, organizations have left gaps in their programs that leave them open to notable risks.
3 Places Most Security Awareness Programs Fail
Some of the areas that we often see lacking in a training program include these three major issues:
1) Security awareness training needs to be aligned with roles.
Role-based security awareness gives organizations a reference for training personnel at the appropriate levels based on their job functions. These roles can be broken down as:
- All Personnel – “All personnel” (which is the explicit language in the standard) need to recognize threats, see security as beneficial enough to make it a habit at work and at home, and feel comfortable reporting potential security issues. This group of users should be aware of the sensitivity of payment card data even if their day-to-day responsibilities do not involve working with payment card data.
- Specialized Roles – e.g., clerks processing payment cards, developers developing PCI relevant applications, network engineers, etc. Training for these users needs to focus on the individual’s obligation to follow secure procedures for handling sensitive information and to recognize the associated risks if privileged access is misused.
- Management – This group has a responsibility to enforce/govern the PCI DSS compliance program. Accordingly, it’s important that they understand the organization’s security policy and security requirements well enough to discuss and positively reinforce the message to staff, to encourage staff awareness, and to recognize and address security-related issues should they occur.
2) Security awareness training needs to be comprehensive and not just PCI-focused.
On review, we often find training that is specifically geared toward PCI requirements fails to provide the broader security education necessary to make the PCI training effective. For example, a security awareness training program that fails to educate participants on the risks of phishing is not going to be effective at protecting PCI data.
PCI’s Best Practices Guide provides the following generic guidance on essential security awareness training topics to illustrate this point. These topics should not be left out of your training curriculum:
- The organization’s security awareness policy
- Impact of unauthorized access (for example, to systems or facilities)
- Awareness of CHD security requirements for different payment environments
- Card present environments
- Card-not-present environments
- Phone (individual or call center)
- Online (eCommerce)
- Where to get further information on protecting CHD in the organization (for example, security officer, management, etc.)
- Importance of strong passwords and password controls
- Secure e-mail practices
- Secure practices for working remotely
- Avoiding malicious software (viruses, spyware, adware, etc.)
- Secure browsing practices
- Mobile device security, including BYOD scenarios
- Secure use of social media
- How to report a potential security incident and who to report it to (see PCI DSS Requirement 12.10)
- Protecting against social engineering attacks
- In Person – Physical access
- Phone – Caller ID spoofing
- E-mail – Phishing, spear phishing, e-mail address spoofing
- Instant messaging
- Physical security
- Shoulder surfing
- Dumpster diving
3) Metrics are essential to gauge security awareness training effectiveness.
As the saying goes, “You can’t manage it if you can’t measure it.” In addition to measuring completion percentages, employee satisfaction, and quiz scores, you would ideally measure the effectiveness of the training.
You might consider measuring:
- Phishing testing success rate (hopefully this is trending down)
- % of personnel completing training in the last year (hopefully trending up towards 100%)
- Training comprehension (hopefully tracking up based on employee satisfaction and/or quiz scores)
- PCA Relevant System Downtime (hopefully tracking lower)
PCI DSS compliant Security Awareness Training provides a significant amount of value as your staff are both your single greatest threat surface and your single greatest threat detection surface. A good program concurrently reduces overall exposure and increases your ability to detect and rapidly respond to security incidents.
If you would like to talk about Cyber Acuity, our PCI Compliant Security Awareness Program, please get in touch.