But security awareness training for the reps in a call center provides some challenges. In particular:

1. Staff (rep) turnover rate can be high, and the average length of employment short.
2. Staff often don’t have (company) email accounts.

Let’s look at each of these factors in turn.

High Staff Turnover

There’s really no such thing as a typical staff turnover rate for a call center – figures vary widely. For instance, a survey by Purdue University’s Center for Customer Driven Quality (CDQ), quoted in “Call Center Management: People Versus Technology” by Drew Robb, shows a very wide range.

And a survey conducted by International Customer Management Institute (ICMI) in 2000 reported on the ICMI website showed the following data for average full-time staff retention periods:

Although not presented, one would expect the average retention period for part-time staff (such as seasonal staff employed during holiday seasons) to be much shorter. Overall, it would be fair to say that the turnover rates are generally a lot higher than in many other types of organization.

So what does this mean for security awareness training?

1. Continuous recruitment throughout the year means that it can be difficult to schedule classroom training sessions. So training should be “on demand” which, these days, typically means web-based training.
    
2. Because of the relatively short retention periods – especially when recruiting reps for seasonal vacancies – the learning curve needs to be as short as possible. Therefore, extended training classes aren’t going to be practical, and a highly condensed and customized course/class is advisable.
    
3. The administrative effort in setting up and managing student accounts and tracking training must be minimized. Therefore automation is critical which, once again, typically means web-based training.
    

Emails

Many web-based training systems rely on email for login identification, and for other communications with students. But not all call center reps have company email accounts, or access to email at work. So you may not be able to rely on this. If you’re looking at a web-based training system, make sure that it doesn’t depend on your students having email accounts.

Course Content and Presentation

As noted above, the time available to train your reps is going to be very limited, so you’re probably going to want to have a highly condensed and customized course/class that covers the specific business processes that your staff will be dealing with. For example, if you don’t have company email for reps (see above), you won’t need to deal with email security, and if you don’t deal with information on paper, you won’t need to cover document retention and destruction in the same way as you would if your reps deal with paper orders and invoices.

If you’re not going to develop the course/class yourself (and I’d recommend that you don’t), you can probably find a number of providers who will be able to work with you to develop the content you want. Look for a couple of things:

• A provider with a library of existing content that can be used as the basis for your training so that you’re not re-inventing the wheel.
   
• A provider who stresses simplicity in their approach to presenting the information so that the course is succinct and focused rather than presenting the students with numerous external links, games, exercises, pop-quizzes …
   

And a final note – since call centers, by their very nature, involve audio communications (telephone calls), it might be tempting to make heavy use of audio in your training courses. Don’t. As this blog post talks about, excessive use of audio can:

• Increase course development and maintenance costs.
   
• Use additional network bandwidth which might cause operational problems.
   
• Slow down the learning process.
   

Use audio sparingly – perhaps including some sample rep-client conversations. But don’t narrate every slide since it will slow the learners down considerably.

Other Considerations

Here are some other things you should think about when looking for a security awareness training solution for your reps.

• Regulations such as PCI DSS and HIPAA don’t just require staff to receive training – they require staff to read and acknowledge security policies. Doing this on paper could quickly become overwhelming for your administrators – especially when auditors come in and start asking for reports – so look for a training system that will also handle policy signatures and reporting online.
   
• Security isn’t the only area which requires staff training and policy affirmation, so ask around your organization to see if there are other areas that could share the system (and cost!).
   
• Managers, supervisors and IT staff are probably going to need to receive additional training. This isn’t (generally) subject to the same constraints as the training you need to provide to reps, but they should take the same basic training regardless and then receive additional courses/classes as required.
   

Summary

Here are the key things that (I think) you should do when developing or purchasing a security awareness training solution for your call center reps:

1. Use web-based training. The system that you need should:
   1. Automate student management processes as much as possible.
   2. Incorporate policy signature management within the same system as the training.
   3. Allow use by reps who don’t have company email accounts.
   4. Be extensible to other training and/or policy signature needs within your organization.

    

2. Provide reps with a highly condensed course/class customized to your organization’s specific needs. Base this on existing materials wherever possible, and don’t get too fancy with the presentation – training time is of the essence.

The National Finance Center is a part of the Agriculture Department that deals with payroll and personnel matters for the Commerce Department and some other government agencies, and the spreadsheet contained the names and Social Security numbers of at least 27,000 Commerce Department employees. According to the report, the employee informed supervisors of the mistake almost immediately, and there’s been no indication that it has resulted in any cases of identity theft.

Something of a non-story since no damage occurred? Actually, it raises some interesting points.

1. The employee knew enough to report the incident immediately to his/her supervisors. I don’t know whether or not incident reponse is covered in the security awareness training that the National Finance Center provides, but this is definitely a valuable reminder to the rest of us that it should be.
    
2. It’s a case where the information never left the organization that was responsible for looking after it, but it was still considered to be a notifiable data breach. I’m sure that this kind of thing happens more often than we’d like to think in business and government, but how many organizations would consider this to be a data breach? And, even if an organization’s management knows this, does the organization’s staff?
    

Have you covered this in your security awareness training?

And, in New Zealand, a woman was sacked for sending “confrontational” emails in red, bold and CAPITAL LETTERS that “caused disharmony in the workplace”. Regardless of whether sacking was an appropriate course of action for the employer, it would be interesting to know whether ths was covered by the employer’s Acceptable Use Policy (AUP) and whether the employee had signed the AUP.

Either way, the importance of being able to show that employees have read, understood, and agreed to comply with company policies is clear. And these cases also highlight how important it is to automate the policy signature management process as far as is practicable in order to avoid being swamped with paper.

As usual, it’s probably going to take a while for the dust to settle so that we can understand the full implications of the rule. But Rebecca noted one fascinating aspect – security breaches involving the Personal Health Information of individuals that the organization knows to be deceased must be notified to the deceased’s next of kin or personal representative.

I don’t think I’ve come across a requirement like this before, and it’s not clear what implications this will have for record retention policies and associated training.

1. Risk Assessment
2. Currency of Policies and Procedures
3. Security Training
4. Workforce Clearance
5. Workstation Security
6. Encryption

All of these areas are discussed in detail in the report summarizing the investigation. In particular, page 9 et seq. describes the findings that refer to Security Awareness Training.

They found that:

• CEs did not have formally documented policies related to training;
• CEs did not track and retain evidence of training completion;
• CEs did not conduct security awareness training prior to granting user access; and,
• CEs did not conduct security refresher training on a regular basis.

Not good.

The document includes the following recommendations which are included here in full since they should be of interest to many organizations – not just HIPAA covered entities:

1. CEs should develop and formally document policies for the development, administration, and monitoring of initial and annual security awareness training courses. The policies should require that all newly hired employees complete initial security awareness training prior to gaining access to ePHI. This requirement should include employees and temporary workers as well as contractors and vendors, if not previously arranged through a Business Associate agreement.
Additionally, the policy should require that any individual with access to ePHI complete security awareness refresher training at least annually.

Further, the policy should require that management review and revise both the initial and refresher security awareness training courses at least annually to ensure currency with the organization’s environment. Additionally, as CEs identify new risks through the risk assessment process, they should incorporate these potential threats in the trainings to further awareness.

2. CEs should develop and formally document a procedure for initial and refresher security awareness training. This procedure should be coordinated with the account provisioning/management process. The procedure should require verification that new users have completed initial security awareness training prior to granting them access to ePHI and require security awareness training on an annual basis thereafter. Additionally, processes should be designed, documented, and put in place to monitor compliance. To support this process, CEs should develop tools for monitoring compliance. If possible, CEs should deploy an automated tracking system to capture key information regarding program activity (e.g., individuals’ completion dates). The tracking system should capture this data at a high level, so that CEs can use such information to provide enterprise-wide analysis and reporting regarding awareness, training, and education initiatives.

To effectively implement this recommendation, CEs must tightly integrate the initial hiring process with the account provisioning process. They must also integrate the training compliance monitoring process with the account management process.

3. CEs should develop and formally document procedures to monitor course completion and escalate issues involving users who have not completed their annual security awareness training timely. Specifically, pre-determined sanctions should be applied to those individuals who are not in compliance with this requirement. These sanctions may include notification of the user’s supervisor when initial deadlines pass without completion and revocation of the user’s access when final deadlines pass without completion.

Excellent advice that should apply to ALL organizations that handle sensitive information.

It’s certainly an effective approach for the first year if you have a fairly steady (low turnover) staff. But there are a number of problems with the approach that I think negate or, at best, reduce its value.

1. It’s difficult to think up new topics after the first 12 or so, making each subsequent training module less effective.
    
2. Until the initial program has been fully completed, your training will be incomplete. For instance, you might be subject to a phishing attack before you’ve covered that topic in the training leaving you more vulnerable. Or your auditors may be a little worried that the program is incomplete if they look at your training records.
    
3. Staff joining after the program has started will have missed some of the topics. So they’ll need to do “catch up” training. This isn’t too much of a problem if they join in the first couple of months – they’ll only have a couple of additional courses to do. But 12 months later, the backlog can be considerable.
    
4. This system won’t meet the requirements of regulations or standards that specify completion of a training program at hiring and/or before network access is granted.
    

Because of these shortcomings, I far prefer an approach based on:

• Comprehensive new-hire training for all staff.
• An annual “refresh-update-test” course.
• Short monthly reminders/nudges using email, presentations at staff meetings, posters …

This seems to cover all of the bases, and is consistent with accepted best practices.

It’s now a year later and you have to do it all again to comply with the annual retraining requirement in many of the regulations. What’s the best way to do this?

You could simply run the same training classes again. But you and I know that’s not going to work. Students will be annoyed, the materials may not be up-to-date, and the auditors may question whether the retraining has actually achieved anything. This one (like the dodo) just won’t fly!

Perhaps you should rewrite (or ask your training vendor to rewrite) all of the training materials so that they cover the same topics but in a different way?

I’m here to tell you that’s probably not the best way. Why not?

• You’ll still annoy your students – they don’t want to be taught things that they already know, and (despite what you may think) many of them will remember what they were taught 12 months ago.
   
• Sequels are seldom as good as the original – we all know that from Hollywood! The original version probably used most of the good ideas for how to present the materials
   
• If you did a comprehensive job the first time, it probably took each student somewhere between 3 and 6 hours to work through the materials – probably acceptable for the initial training. But do this every year and your CFO will start asking about the cost in terms of time.
   
• It’s expensive to rewrite a complete and comprehensive training program.
   

But you still need to update your staff on new developments, and make sure that they remember what you previously taught them. So what’s the answer?

Over the years, I’ve come to the conclusion that the optimum solution is to:

• Implement a comprehensive new-hire training program.
• Create a new course each year to refresh, update and test the understanding of your staff.
• Update the new-hire training each year with the new topics from the annual course.

Here’s how it works:

1. When a staff member is hired or, when you’re rolling out a new program to existing staff, in the first year, you present a comprehensive set of materials (or at least as comprehensive as time will allow, and it’s usually employee time that’s at a premium).
    
2. Each year thereafter, you create a course that does 3 things:
   • REFRESH – Briefly reviews all of the topics that you covered in the new-hire training and any previous annual courses.
   • UPDATE – Introduce any new security trends that you’re seeing, and highlight any organization-specific problems that have become apparent over the last year. For instance, this year you’d probably want to mention the security problems inherent in social networking applications and, if you’ve had some uninvited guests during the previous year, remind staff to watch out for anyone who’s in an area where they don’t belong.
   • TEST – Require the students to do a comprehensive mastery test that includes questions about the topics covered in the new-hire training as well as the new materials that you’ve provided. If you think that students may have forgotten the original materials, you can still make those courses available for reference.

   This should meet the needs of most – if not all – regulations for annual retraining.
    

3. Modify the new-hire training to include discussion of the new materials that you’ve covered in the “refresh+update+test” course so that new staff are receiving training on the most up-to-date topics.
    

In this way, you’ll:

• Reduce the annual retraining to a single course of approximately 45 minutes to an hour (in my experience) – your CFO will be happy!
   
• Eliminate the cost and hassle of rewriting your entire new-hire training each year.

Note that I’m not claiming that this is perfect and your actual mileage (in terms of real security improvement) may vary. But I believe that the combination of a comprehensive new-hire training program complemented by a “refresh+update+test” course is the best compromise between your ideals as a security educator, and the practicalities imposed by the real world.

Have you ever considered the cost? Use this simple calculator to generate a very rough estimate of how much you could save in a year if you automated this process.

Some notes about the calculator:

1. If you use email or a website (your intranet?) to distribute your policy documents rather than paper, set the number of pages to 1 assuming that your staff still has to print out and submit a signature sheet for each policy.
    
2. I haven’t included any costs associated with mailing policy documents to remote offices.
    
3. If you can eliminate most or all of the time you spend chasing people to make sure that they’ve signed, you’ll save even more (although it’s difficult to quantify in $$).
    

However, there are a number of sections of the act which impact information security management including:

• Section 302 which requires the CEO and CFO to certify that the organization’s financial reports are true and accurate, and that the organization has put in place adequate controls over financial reporting and disclosure.
   
• Section 404 which describes the required controls, and requires outside auditors to certify that the controls exist and are adequate.
   
• Section 409 which requires publicly traded companies to promptly report any changes in financial condition or reporting that might be material to investors which might (potentially) include, an information security problem.
   
• Section 802 which requires organizations and their auditors to retain accounting documents and work papers (both paper and electronic) for a minimum of seven years.
   

Since a problem that results from improperly secured financial data would be as much a violation of the law as any other kind of event, there is an implied requirement that organizations implement sound information security practices.

Compliance with the law from the point of view of information security is often demonstrated by developing management systems that follow one of the well-established security and/or IT management frameworks such as ISO 17799 or COBIT – all of which include security awareness training as a fundamental component.

The Safeguards Rule, issued in 2002, establishes standards for the protection of customer information and requires all "Financial Service Providers" to develop a written information security plan including:

• assigning at least one employee to manage the program,
• conducting risk assessments, and
• developing, implementing and monitoring a program to secure the information.

In the preamble to the Safeguards Rule, the Federal Trade Commission (FTC) identified employee training as one of the three areas that the Commission believes are particularly relevant to information security.

And, in April 2006, the FTC issued guidelines for organizations implementing measures to meet the Safeguards rule. In this document, the suggested security measures include:

Ask every new employee to sign an agreement to follow your organization’s confidentiality and security standards for handling customer information.
Train employees to take basic steps to maintain the security, confidentiality and integrity of customer information, such as:

• locking rooms and file cabinets where paper records are kept;
• using password-activated screensavers;
• using strong passwords (at least eight characters long);
• changing passwords periodically, and not posting passwords near employees’ computers;
• encrypting sensitive customer information when it is transmitted electronically over networks or stored online;
• referring calls or other requests for customer information to designated individuals who have had safeguards training; and
• recognizing any fraudulent attempt to obtain customer information and reporting it to appropriate law enforcement agencies.

Instruct and regularly remind all employees of your organization’s policy – and the legal requirement – to keep customer information secure and confidential. You may want to provide employees with a detailed description of the kind of customer information you handle (name, address, account number, and any other relevant information) and post reminders about their responsibility for security in areas where such information is stored – in file rooms, for example.