National Cybersecurity Awareness Month...GONE VIRTUAL Package!
October is just around the corner -- what’s your plan to make your NCSAM program 100% virtual? We've got you covered.

Meets Compliance

Many government standards require security awareness training. We’ve got you covered. These 10 regulations mandate a security awareness program:

Meets Compliance - What is Security Awareness and Why do I Need it?

Security awareness is the knowledge and attitude people have about cybersecurity. A positive security awareness culture is one in which people feel able, encouraged and equipped to combat cybersecurity threats with a true sense of urgency.

Why? Cybercrime will cost organizations around the world more than $6 trillion USD annually by 2021 (Cybersecurity Ventures), worldwide spending on information security products and services will reach more than $124 billion in 2019 (Gartner), and the average cost of a single cyber attack is somewhere around $5 million (Ponemon). A significant proportion (roughly 90% or more) of this cost is due to human error. But the problem is not people, and the solution is not blame-and-train. The problem is bad design. The solution? Security awareness for real people.

Glittering technology over-promises and under-delivers. Meanwhile, people are ignored, misunderstood, blamed, shamed and virtually handicapped. The biggest ROI happens when we wage culture change and turn the perceived weakest links into the best sensors and the strongest links in the chain. With training, the very same people who you thought struggled with laziness become your security ambassadors. The same culture you thought neglected security becomes a resilient, intelligent human firewall. 

Human Firewall

  • People are an organization's most important infrastructure. As today's threats focus increasingly on the human attack surface, with people as the most vulnerable vector, technical infrastructures are increasingly challenged to prevent breaches without degrading productivity. When individual members of the organization possess strong security awareness and skills, the response to threats and attacks can happen closer to the actual event. This can result in many attacks being thwarted immediately, without the need for technical interventions. People-centric security architectures like human firewalls complement rather than replace security technology. Examples of the human firewall in action:

Security Awareness Program Compliance Requirements 

  • Organizations around the world are required to comply with specific regulations (e.g. GDPR and PAS555) which have provisions for security and security awareness programs to be implemented and maintained across each enterprise. Organizations in the United States have further regulations -- at the Federal and State level -- which emphasize the necessity of security awareness programming and maintenance. Below are just a few examples of such policies: 
    • FISMA (NIST 800-53)
      • §3544.(b).(4).(A),(B): Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.
    • NERC/CIP
      • The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standard. CIP-004-5.1 R1: Each Responsible Entity shall implement one or more documented processes that collectively include security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) for the Responsible Entity’s personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.
    • HIPAA
      • §164.308.(a).(5).(i): Implement a security awareness and training program for all members of its workforce (including management).
    • PCI-DSS
      • 12.6: Make all employees aware of the importance of cardholder information security.
        • Educate employees (for example, through posters, letters, memos, meetings, and promotions).
        • Require employees to acknowledge in writing that they have read and understand the company’s security policy and procedures.
    • ISO/IEC 27001 & 27002
      • 8.2.2: All employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
    • Gramm-Leach Bliley Act
      • The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. Depending on the nature of their business operations, firms should consider implementing the following practices: Employee Management and Training. The success of your information security plan depends largely on the employees who implement it.
    • CobiT
      • PO7.4 Personnel Training: Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls, and security awareness at the level required to achieve organizational goals.
      • §DS7: “Management of the process of educate and train users that satisfies the business requirement for IT of effectively and efficiently using applications and technology solutions and ensuring user compliance with policies and procedures is: […] 3 Defined when a training and education program is instituted and communicated, and employees and managers identify and document training needs. Training and education processes are standardized and documented. Budgets, resources, facilities, and trainers are established to support the training and education program. Formal classes are given to employees on ethical conduct and system security awareness and practices. Most training and education processes are monitored, but not all deviations are likely to be detected by management. Analysis of training and education problems is applied only occasionally.”
    • State Privacy Law Examples
      • PA Act 94
      • Texas Health Privacy Act
      • Massachusetts Data Security Law
    • GDPR
      • The European Union has directed all European member countries to develop and define laws regarding the protection of the personal privacy of the citizens of their respective countries. This regulation has specific requirements for data breach notification (within 72 hours) and fines up to 4% of the organization’s global revenues. Although each country’s implementation of this regulation is different and unique, the regulation does require a security awareness program. Under Article 39:
        • "The data protection officer shall have at least the following tasks: ... (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; ..."
    • PAS555 Cyber Security Risk: Governance and Management
      • Clause 4: Commitment to a Cyber Security Culture: The organization's top management shall define and demonstrate how it engenders a culture of cyber security within the organization. (Note: A cyber security culture is one in which values, attitudes, and behaviors are the foundation of day-to-day life in the organization. It is one where being careless about (cyber) security is not acceptable. It is recognized that it takes time to achieve a culture change and cannot be immediate.)
      • Clause 7: Capability Development Strategy: The organization shall have cyber security awareness programs, training, and development so that all individuals in the extended enterprise have the awareness and competence to fulfill their cyber security role and contribute to an effective cyber security culture.

Why Living Security

Living Security is the experience-first security awareness company. All of our products incorporate human-centered design and science-based applications like gamification and positive reinforcement to engage and inspire people to lead more secure lifestyles.

Get In Touch