4 Tips to Make Security Compliance Not Suck

Do you trust your employees? You should! After all, they are your first line of defense. We can have all the fancy tools, but without employee support, we’re going to lose every time against the conniving hackers and phishing scams out there.

Security compliance training is the best way to help educate employees on the real world vulnerabilities that exist and how they can help prevent them. Yet for some reason, the phrase “compliance training” usually fills employees with dread and images of painful PowerPoints that drone on and result in hours of lost productivity.

But it doesn’t have to be that way.

You can create meaningful, educational compliance trainings that still check the compliance boxes. Use these helpful tips below to guide your next security compliance training session.

Keep it Brief: A 10-15 minute presentation is enough time to adequately update employees on the latest compliance policies and how they can implement safe and effective security practices. Make sure to move through the content quickly to keep participants engaged and paying attention. Anything longer than 15 minutes and you might see a few heads nod off to sleep.

Create a Culture of Security: The most important part of security is relating it to what employees are doing in their daily professional lives. Sometimes their work is aligned with core values of the company, while others – from finance to the legal team – might not work as closely with the company’s core product. Yet all together, employees are working towards the same company goal and being more secure can help achieve that goal.

Use the annual training as a way to meaningfully engage with employees across the entire company and not just a way to check the compliance box.

Content is Key: Although your compliance training will be tailored to the specific needs of your company, there are several key components it should include.

• Policy and Process: Give employees a refresher on the company’s information security policies and any major updates since the previous year.
• Physical Security: Remind employees about the role of physical security practices and how a busy street entrance, for example, can be susceptible to strangers walking into the building. Make sure badges are worn at all times and employees shouldn’t be afraid to ask someone where their badge is, or ask for a new one, if they misplace it.
• Digital Security: Password protected screensavers and digitally locking up machines while employees are away from their desk or office are equally as important as physical security. Many major security breaches were the result of data that was downloaded onto employees’ laptops, which were later compromised when the unprotected hardware was stolen or lost.
• Human Security: One of the most important parts of the training is making employees aware of the due diligence they must practice everyday. This includes trusting their instincts when they encounter a suspicious phone call or strange email that’s a possible phishing scam.

The Human Element: Employees should leave the training with tangible ways to immediately start practicing proper security habits every day. Real-life anecdotes and scenarios will help paint a picture for some of the threats they could encounter and how to deal with them. End with a concrete list of takeaways that are easy to remember.

Want to learn more from Chris Niggel, Okta’s senior manager of security and compliance? Watch his Oktane15 presentation on Okta’s security compliance strategy in the video below.