How do you encourage your employees to make security a priority?

Gary Glover, Director of Security Assessments
By: Gary Glover
Employees can make or break your security. Like my colleague David Ellis says about phishing, “It doesn’t matter if you have the most secure security system in the world. It takes only one untrained employee to give away the data you’ve worked so hard to protect.”
The importance of employee security training is why the PCI Council released a 25-page document on security awareness programs at the end of October 2014 called Best Practices for Implementing a Security Awareness Program. The document provides further knowledge that merchants may reference while following PCI DSS Requirement 12.6.

The guidance document explains, “One of the biggest risks to an organization’s information security is … the action or inaction by employees and other personnel that can lead to security incidents—for example, through disclosure of information that could be used in a social engineering attack [and] not reporting observed unusual activity.”

The document hits the nail on the head. Multiple sources site human error as the main culprit for data breaches.In fact, according to Deloitte, over 70% of companies rate lack of employee security awareness as a vulnerability.

Whether it's a laptop stolen out of an unlocked car, password sharing, insider leaking of sensitive information, or simple ignorance, employees can cause a lot of organizational hurt.

Where do businesses go wrong?

Many merchants simply do not provide ongoing security training for their employees. It takes an educated person to be able to discern ‘secure’ versus ‘not secure’, and training is the first step in that education.

Need security training for your employees? Learn more here.

Another reason behind employee data breaches is the simple fact that humans forget. Employees need constant reminders of the importance of security. The content and methods of communication between regular trainings is a big part of what this new PCI guidance document addresses.

Ultimately, the document gives some great pointers on instilling a culture of security among your employees. Here are my takeaways for successfully creating security awareness at your organization.

Gather a security awareness team

This team is responsible for the security awareness of your employees. Your team should include personnel with varying responsibilities from different departments.

Team members should be the examples. They should recommend secure practices in your organization, and make sure information is disseminated so every employee has the chance to make security a part of their work behavior.

Develop security awareness content

Security awareness can be delivered in a variety of methods. I recommend annual formal training and other forms of communication as reminders, such as e-mails, employee newsletters, posters in break rooms, and memos.


Types of training vary greatly based on what your employees do every day. For example, if you employ cashiers, specialized training for them may include how to inspect POS devices for tampering at the beginning of their shift. If you employ developers, their training will be much more in depth and include secure coding practices.

Here are a few important things your training should include:

Create a checklist

This checklist should be a list of all the things that must happen to keep your security awareness program running at your organization. I adapted a checklist from the PCI Council document, which you can download and use at your security awareness team meetings here.

Don’t let your employees ruin all your hard security work. Organizations with a security awareness program in place are 50% less likely to have staff-related security breaches.Train them! Teach them to care about the security at your organization, and you will avoid a lot of potential heartache.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.


0 comments