Opinion: Top 5 mistakes of privacy awareness programs

Computerworld - HIPAA requires it. The Payment Card Industry Data Security Standard requires it. The ISO 27001 standard requires it. In fact, every regulation that mandates that reasonable measures be taken to protect information implicitly requires that companies maintain a program to regularly inform employees on what those measures are.

How are companies doing at meeting this requirement? In a poll two years ago of members of the International Association of Privacy Professionals, three quarters of respondents said their companies do some form of internal privacy training. This is a good number. But if you peel back the cover, you'll find that what “training” means varies widely.

Many large corporations have a check-box, compliance mentality toward privacy training. These are the top five shortcuts I see them taking instead of using the opportunity to deeply root out information risk:

1. Doing separate training for privacy, security, records management and code of ethics. Do you get one set of messages from your CPO, one from your CISO and an annual code of ethics sign-off from Legal? You're not alone. In the largest companies, when the people running each of these functions need to get their messages out to the employee population, they tend to not want to water down the uniqueness of their messages by mixing them with related topics. They also want to control their own destinies. As a result, they each go their own way with training and awareness. What's the outcome? Confused and over-messaged employees who just want one place to go to know the do's and don'ts of information management.
2. Equating "campaign" with "program." When privacy leaders get money to devote to "soft" projects like privacy training, the natural first step is to launch an awareness campaign. Some go so far as to deploy computer-based training modules. They may think that a program is now in place. But there's a difference between hitting employees with one or two messages a year and surrounding them with reminders that the policies are for real, have teeth and are baked into the culture. A true program has an annually refreshed calendar of messages and training going out to different employee populations throughout the year.
3. Equating "awareness" with "training." Does your company post some PowerPoint presentations to an intranet site, send out some e-mails, put up some posters, and call this a privacy and security training program? An effective information-risk program will certainly include awareness campaigns -- messages sent to broad populations about specific policy objectives. But it will also include the delivery of role-based training, which is aimed at educating smaller groups about the processes and procedures of implementing those policy objectives.
4. Using one or two communications channels. Let's face it: We live in a multimedia world. Our employees are used to surround sound, big-screen TVs, sophisticated visual effects, podcasts, chat, user-generated content and more. Yet, how many of our awareness campaigns at work are limited to a few e-mails and a couple of PowerPoint decks. If you really need to connect with your employees, consider how you can incorporate sound, moving pictures and interactive content into your approach.
5. No measurement. Security experts regularly opine that insiders are the biggest threat to corporate information, and the list of breaches maintained by privacyrights.org is dotted with incidents resulting from employee mistakes. Employee training is probably the most important component of a corporation's information-risk management. Yet few companies actually measure the effectiveness of their privacy training and awareness programs. So, in an economic downturn, these “soft” budgets become target No. 1 for the red pen.