By Matt Kelly – a long-time writer and observer of the corporate compliance and GRC scene. Matt runs Radical Compliance, a website and newsletter devoted to corporate compliance, audit, and risk management issues that he launched in 2016. He has been working to make the GRC world a better place ever since.
Earlier this fall the Securities and Exchange Commission (SEC) published an unusual report: a review of cybersecurity failures at nine large firms where employees fell for “business email exploits” and mistakenly sent company monies to overseas accounts. Altogether, the firms lost nearly $100 million.
Worse: none of those losses stemmed from a failure of IT security controls. These were human errors, where employees were not sufficiently skeptical about requests to send money.
In other words, this was a failure of effective training.
Those failures are also a sign of things to come. Effective training programs are becoming more important to business operations. The modern large enterprise is more complex, more highly regulated, and more dependent upon third parties than ever before; it is also more transparent to outside stakeholders than ever before.
So compliance and HR executives have more training to do, on more issues, while the success of training overall has become more important for organizations to get right.
How can a compliance officer achieve that? First let’s look at four traits of an effective training program. Then we’ll apply them to one of the most pressing risk issues facing companies today: cybersecurity.
Control Over Content
Hiring someone to develop customized training material from scratch can be an expensive, time-consuming proposition, one that forces you to spend time detailing the exact specifications and then dealing with revisions back and forth. A better strategy is to look for training systems that allow “self-editing” — solutions that are generally applicable to most organizations, and that also let you customize the material easily to fit your specific needs.
Solutions that accommodate self-editing let you quickly whittle materials down to your exact training needs. For example, your company might not collect personally identifiable information (PII) from customers, so training on data privacy might be less important to your business. Along similar lines, your industry or home jurisdiction might have specific breach disclosure rules you want to be sure to explain. You know your compliance requirements better than anyone, so look for solutions that let you tailor them without hassle.
Device Agnostic
Pick training solutions that are “device agnostic,” so that the training materials look and operate the same on any device, whether it’s a company workstation computer, a personal laptop, a tablet, or an employee’s personal cell phone.
For example, training should be as smooth for remote sales agents accessing lessons via mobile phones as it is for accountants sitting in headquarters on company PCs. You don’t want to waste time configuring device settings so employees can access the training. Nor do you want to impose on employees unnecessarily, dragging them into the office for online training that should be available on any device with a secure internet connection.
Look for solutions that will deliver the same ease of use and access regardless of what device you provide employees with or they bring themselves.
Tailored to the Trainee
This point may sound technical; it’s not. It is simply another way to tailor training based on who is being trained.
For example, a low-level employee does not need to know policies on when senior executives can override internal controls; that’s beyond the scope of his or her job. More senior managers, on the other hand, might need to know those policies. An ideal training solution will identify those differences by asking the trainee a few screening questions at the start, about job title and duties. Then the training system filters out irrelevant content to focus on those training courses that matter most. Result: time and money saved for employees and employer alike.
Responsive to Regulatory Change
Above all, companies need training partners that keep up to date with what the current regulations actually are, so training materials can keep pace with the latest changes.
For example, in 2018 alone, new regulations have taken effect requiring all employers in the state of New York to provide sexual harassment prevention training to their employees, and the European Union implemented new data protection laws with specific time frames for reporting breaches.
Countries, states, and industries change their requirements on a regular basis. Compliance training must reflect those latest expectations for performance and best practices, so companies must have training systems and partners that can respond adroitly to regulatory change.
A Practical Example: Cybersecurity
As ever more employees and third parties work with companies’ confidential data, cybersecurity has exploded from a concern for the IT department to an enterprise-wide risk of the highest priority. Companies must now train more people, on more cybersecurity risks and regulations, and train them more effectively — because a cybersecurity lapse can lead to regulatory and reputational disaster.
Two recent regulatory changes illustrate the extent of the training challenge: New York’s Department of Financial Services cybersecurity regulation and the European Union’s General Data Protection Regulation.
The NY-DFS rule applies to banks, insurance companies, and financial institutions working in the state of New York. The regulation, which took effect last year, imposes different training requirements for various levels of employees and third parties. IT personnel have technical requirements, like multifactor authentication, while other employees require cybersecurity awareness training to educate them on current risks. Duties cover third parties as well, with companies required to conduct due diligence and periodic assessments of their partners’ cyber practices.
Likewise, the GDPR affects much more than just the IT department. The law requires general workforce training for those handling EU citizens’ personal data. Again, this training should focus on bigger conceptual goals: how to recognize what PII is, and what the employees’ responsibilities are to handle PII carefully. To be GDPR-compliant, organizations need to make sure any third party processing data on their behalf also meets the law’s requirements.
To put it another way, as the scope of cybersecurity training has broadened, so has its nature. Rather than dwelling on technical specifications, like firewalls or encryption, effective training today must focus on awareness and smart behavior. Anyone handling sensitive data, or having access to it, needs to understand what pitfalls and warning signs to watch for, such as phishing emails and similar scams.
That was the whole point of the SEC’s recent report on cybersecurity failures, and it holds just as true for other types of training, such as sexual harassment, fair labor standards, and social media. The objective must always be to guide the trainee to smarter, more risk-aware behavior. Any training system you choose needs to reflect this shift.
Much of what makes for a strong training program boils down to flexibility. A training solution must be flexible enough for a company to put its own stamp upon the training materials, tailoring them to its specific needs. It must also be flexible enough to work seamlessly on any device or platform, to adjust to the role of the person taking the training, and to keep pace with the rapidly evolving world of regulatory change.