When it comes to training your employees to identify and report insider threat in the workplace, NISPOM Conforming Change 2 is quite specific about what is required for compliance. This is one area in particular where you should really strive to go beyond checking the box - consider that the safety of your assets, vitality of your business, and loyalty of your customers all hinge on the ability of your staff to keep your most valuable information safe.
In fact, even if your business is not subject to federal insider threat regulations, these precepts are important to create a robust security culture. With the average cost of a data breach rising 11 percent in 2015 to $217 per stolen record, you truly can’t afford NOT to train your employees to take personal responsibility for preventing and identifying insider threats.
Conforming Change 2 outlines several key tenets of compliance with respect to insider threat training, including:
- All employees who hold a clearance or are being processed for a clearance are required to complete insider threat awareness training, regardless of whether or not they are currently in access to classified materials;
- All personnel assigned duties related to insider threat program management (this includes members of your insider threat working group) must complete insider threat program management training within 30 days of being assigned duties; and
- Insider threat information must be included in already mandated annual security refresher briefings.
Though you meet minimum requirements for compliance by utilizing free training resources, think carefully about if you want to risk taking a one-size-fits-all approach, especially when training your staff to protect your most valuable assets. We’ve said time and time again that compliance doesn’t always equal effectiveness, and that is especially true here. To set your team up for success and secure the future of your company, ask yourself the following when evaluating your training program:
- How do my employees best absorb information? It sounds basic, but checking in with a representative sample of your team about the details of training sessions that stuck with them can prove invaluable when identifying which types of training (one-on-one, group activities, etc) are appropriate and will be most effective. NISPOM is directive about the topics that must be addressed in insider threat training, but allows for flexibility when it comes to format and modality -- this is your chance to tailor the sessions to your company's unique learning style and improve your overall effectiveness in preventing insider threat.
- Where are the gaps in knowledge/experience/skills? As you are building your insider threat program, you will start to get more clarity on what skills and abilities are needed to ensure effective operations. You may find, for example, that the program requires personnel who are adept at data analysis and metric tracking, understand counterintelligence concepts, use discretion with sensitive information, and are capable of prompt communication. Knowing this, work to identify if there are any gaps between your needs and their current abilities. Are there several people missing knowlege about informational security protocol? Does your HR department lack experience in mediation with disgruntled employees? These elements should be folded into your training program in addition to the insider threat topics required by NISPOM.
- What do insider threat indicators look like in real life? Bring theoretical concepts down to earth by incorporating concrete examples specific to your organization into your insider threat training. Your goal is to ensure that employees understand a) what a reportable insider threat indicator is, and b) how to report it -- so the more you can help them visualize the details, the better. For example, you could tell employees that they must report any instance of careless or negligence in handling classified information to the Insider Threat Senior Program Official and hope they understand what that means. Or, you could tell them that if they see a colleague getting up from their desk to go out to lunch and notice that they've left the workstation unlocked and card in the reader, they are responsible for logging out of the account and immediately contacting their on-site supervisor to retain the ID card.
- What resources do we already have? Experienced employees can be a great training resource, and provide excellent coaching and mentoring. As a bonus, giving employees a reason to build these relationships can strengthen trust and drastically improve employee satisfaction and workplace morale (mitigators of insider threat risk!).
In general, any program that is interactive and hands-on will be more effective and engaging. If it's possible to measure knowledge and understanding of the concepts before and after training, you will be able to identify any information that doesn't seem to be sticking and can continue to reinforce those areas. The effects of good training likely won’t be visible overnight, but you’ll undoubtedly benefit in a few key ways: compliance with NISPOM regulations; minimized risk of accidental data breach (caused by negligence with sensitive information) or malicious insider threat; better employee retention due to increased competency and job satisfaction; and an elevated level of information security that can help you to secure more lucrative clients.