Human error remains one of the biggest threats to an organization’s security. This makes adequate security training more important than ever.
To help organizations with employee security training, the PCI Council released a 25-page document on security awareness programs called Best Practices for Implementing a Security Awareness Program. This document provides further knowledge that merchants may reference while following PCI DSS Requirement 12.
See also: PCI Council Security Awareness Guidance
The document explains, “One of the biggest risks to an organization’s information security is often not a weakness in the technology control environment. Rather, it is the action or inaction by employees and other personnel that can lead to security incidents.”
While security awareness training has been part of the PCI DSS standard for many years, some updates to Requirement 12 will change how your security awareness program affects your compliance. Before we get into the updates, let’s review what a security awareness program is.
A security awareness program is a structured initiative designed to educate users about the threats that can compromise an organization's data and train them on practices that minimize risks to the organization's data.
The primary objectives of a security awareness program are to reduce the organization's attack surface and help employees follow established data protection policies and procedures. These policies and procedures encompass a wide range of areas such as computer usage, internet usage, remote access, and other measures to govern and safeguard the organization's valuable data.
A security program only works when employees know what they need to do to stay secure, have a clear path of action when they encounter a security threat, and know how to respond to a data breach.
Security awareness can be delivered through various methods, including annual formal training, e-mails, employee newsletters, posters in break rooms, and memos. It’s better to try to train your employees from multiple angles rather than just one.
The goal of Requirement 12 is to make it as easy and accessible as possible for employees to understand and follow important security objectives so that your organization’s data stays secure.
See also: 5 Tips to Implement Security Awareness at Your Company
Organizations will now need to enforce a more formal Security Awareness Program, whereas before they could get by with some basic security training.
Organizations will need to document their Security Awareness Program and update it at least once every 12 months, and as needed, to address any new threats and vulnerabilities that may impact the security of their CDE or the information provided to personnel about their role in protecting cardholder data.
The standard now expects a security training program to discuss specific threats and vulnerabilities in your environment, as well as acceptable use of end-user technologies.
For example, if phishing is a big deal in your environment, you need to address it in your training. The training program will also need to be reviewed and updated at least annually.
One of the biggest failures of organizations’ security plans is that they don’t regularly train their employees. Establishing a culture of security awareness within a company requires strong leadership commitment. Safeguarding against data breaches demands substantial investments in time, resources, and strategic preparations.
However, protecting your organization against a data breach that can result in huge fines, the loss of customer trust, or even the downfall of your organization makes it worth the investment.