
Iain McLeod looks at the FSA’s latest report on Data Security in Financial Services and addresses how firms can be more pro-active and successful in their approach to training and awareness.
Data security risks, specifically those leading to financial crime, are a key concern for the financial sector. A recent report by the FSA suggests there is still more the financial sector must do in order to safeguard client data, specifically in the area of staff training and awareness where firms “in general have substantial shortcomings”.
The FSA report puts ownership on Senior Management to “maintain effective systems and controls to counter the risk of financial crime”. This, coupled with backing from the UK’s Information Commissioner, Richard Thomas, and the threat of Enforcement action (for firms that fail to take account of the report’s findings), makes training and awareness a higher priority.
The key message from the report is simple: firms need to be more proactive and less reactive. The FSA suggests that firms are more focused on damage limitation (mainly protecting their reputation after a breach has occurred) than on actually having systems and processes in place to prevent data breaches. They point out that there is some disconnect between customer data and fraud/financial crime – when actually the two are directly related. And when it comes to the training and awareness piece, firms are falling short by providing training that focuses on policies, legal and regulatory aspects and not enough on meaningful best practice, i.e. “how does that policy affect me and the way I do my job?” Policies are a great starting point, but once in place, it’s how they are communicated that makes all the difference.
“… even the best policies and procedures have little value if front-line staff are not aware of them or do not understand what they mean in terms of their day-to-day responsibilities.”
Taking a more proactive approach to data privacy is common sense, but how do companies go about putting this shift into practice when it comes to the training and awareness element?
As the report discusses, nearly half of the companies surveyed didn’t have any training initiatives in place, which suggests a degree of complacency in the financial sector towards training on data privacy generally. However, the financial sector is already juggling training challenges covering a whole host of compliance issues, so it’s not surprising that one or more balls get dropped. Firms need both the resources and the insight to get it right from the outset. So, what are the key steps that companies need to follow?
Having worked with financial companies worldwide implementing a range of successful compliance training solutions, SAI Global have identified some key issues that need to be addressed before embarking on a data security training project:
1. A Coordinated Approach – in many cases we see information security departments left to source, develop and implement data privacy training in isolation. However, IS professionals are generally not training and awareness experts – they need support and expertise from other parts of the business. HR and Training departments can provide key expertise in implementing an appropriate training initiative. In addition, each business unit will have specific data privacy issues that need to be addressed in training. It is important to work with senior management across departments to ensure all training needs are identified from the outset. As the FSA report points out, to be truly effective, training needs to be made job-specific. If a coordinated approach is not achievable internally, due to timescales, resources or politics(!), then a specialist external company can be sourced to liaise with, scope, develop and deliver training that meets the requirements of each business unit. This can provide a more objective view (towards achieving company-wide objectives) and speed up the process, in turn saving money and minimising risk.
“Large and medium-sized firms generally devote adequate resources to data security risk management but there is a lack of coordination among relevant business areas such as information technology, information security, human resources, financial crime, and physical security.”
2. Setting Objectives – in order to measure the effectiveness of data privacy training, it is essential to first establish training objectives. This crucial point is so often overlooked, but is vital. How can you prove that positive results are being delivered, if the parameters against which the training is to be measured are not made clear from the outset?
• Are we just looking for a tick in the regulatory box in order to provide evidence that everyone in the organisation has been through a data privacy ‘sheep dip’?
• Are we aiming to bring about meaningful and positive behavioural change amongst employees?
• Or are we hoping to embed an organisational culture of data security?
For example, counting the number of people who attended or accessed a course will achieve the first objective above, but tell nothing about whether the awareness activity has impacted on behaviour, which is essential in order to achieve the second and third objectives. Setting clear objectives should drive not only the content of training and awareness but also help identify the measures used to determine their effectiveness.
“Our experience shows that many instances of data loss occur because staff do not know or understand relevant policies and procedures.”
3. Get Board/Senior Management buy-in – endorsement of training by the Board/Senior Management is vital. Getting them involved at the scoping of a project will help break down barriers and help them feel ‘part’ of the process. This will lead to a positive vibe that will translate further down the line. More importantly, it is essential that Senior Management ‘lead by example’; they need to be clear on their role in promoting best practice to staff. A separate training initiative aimed at managers (perhaps something more open such as workshops) would do well to ensure that management is aware of their responsibility in managing risk day-to-day. The fact that the FSA report makes Senior Management accountable for identifying and managing the risk of financial crime provides a good starting point.
4. Make training appropriate, relevant and meaningful – from past experience we have found that it is commonplace for firms to simply circulate policies and procedures and expect that to do the job.
“it is not realistic to expect staff to read and act on policies simply because they are available on the firm’s intranet or in an employee handbook.”
While policies are important and a good starting point, fundamentally they need to be turned into information that employees understand and relate to. Providing job-specific training with clear guidance on best practice (as it relates to day-to-day tasks) will deliver more effective results. A simple way to achieve this is by using a scenario or case study approach where employees are guided through an appropriate day-to-day situation and shown how to apply best practice. Highlighting the outcome (and consequence) that could occur from failing to apply best practice is also an effective way of demonstrating how risk can relate to financial crime. For example, leaving a confidential file on a desk might not seem that risky to some employees, but showing them where the data could end up (for sale on a rogue website) and how it might be used (to commit fraud) can provide the motivation staff need to apply best practice.
5. Develop an ‘internal communications campaign’ – using a combination of innovative training and awareness initiatives to promote data security is an approach we have used consistently with clients. There are a variety of innovative delivery methods that can be used to reinforce initial training, e.g. newsletters, emails, poster campaigns, competitions etc. Where possible, get internal expertise from training and communication departments/staff – they may be able to provide invaluable input and guidance on the project. The general idea is to produce a coordinated internal communications campaign (much like a marketing/advertising campaign) that will build awareness over time and keep data privacy best practice ‘front of mind’. If internal expertise/time is lacking, then a specialist external company could add value and may actually work out to be more cost effective, as they have existing resources and materials already in production.
“… good awareness campaigns usually translated into good practice. For example, desks were clear, passwords were carefully guarded, and staff were generally careful in handling customer data”
6. Be in it for the long term – most alarmingly, the FSA report demonstrates that many firms fail to provide ongoing data privacy training for staff. In our opinion, this is the easiest way to fail. Why? Because data privacy is an ever-changing and ever-present issue. The fraudsters will keep finding ingenious ways of obtaining data and it is up to companies to stay ahead of the game – both in assessing the ongoing risk and in helping to protect against it by providing meaningful and appropriate training initiatives. The key objective must be to keep data privacy and best practice ‘front of mind’ at all times – this requires a long-term view.
In addition to the above, the FSA’s report provides some notable examples of good training and awareness practice. The report is available at: http://www.fsa.gov.uk/pubs/other/data_security.pdf
Taking the report’s findings into consideration, companies now need to arm their employees with the awareness and understanding to combat data breaches and protect against financial crime. In addition to IT systems, it is the ‘human element’ of data security that needs addressing – just as it is the ‘human element’ in the outside world that continues to commit financial crime. ‘We are only human’ is clearly not an excuse that the regulators want to hear.
Two key action points from the FSA ‘Data Security in Financial Services’ report:
• “Senior Management are responsible for making an appropriate assessment of financial crime risks associated with their customer data. Rule 3.2.6R requires firms to ‘take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime’. This is the minimum standard to meet the requirements of the regulatory system”.
• The FSA expects firms to “use the findings and translate them into a more effective assessment of this risk, and to install more effective controls as a result. Firms should take a proportionate, risk based approach to data security, taking into account their customer base, business and risk profile. Failure to do so could result in the FSA taking enforcement action”.
Source: All quotes taken directly from the ‘Data Security in Financial Services’ report published by the Financial Services Authority. The full report is available at: http://www.fsa.gov.uk/pubs/other/data_security.pdf