Please read this article and then forward it to the head of your legal department or the person in your organization who is responsible for compliance. Recently, the Department of Health and Human Services reported that bad or no security awareness training is a main cause for compliance failures. This is true for not only health care, but all kinds of organizations in industries like banking, finance, insurance, manufacturing, and surprisingly, high-tech.
It does not stop with mere compliance failures causing regulatory fines. Trend Micro reported that 91% of successful data breaches started with a spear-phishing attack. The problem is that to be "letter of the law" compliant, you only need to herd your users once a year into the break room, feed them coffee and donuts, and give them a "death by PowerPoint" awareness update.
However, ineffective security awareness training could turn out to be a serious legal liability. Why? Cybercrime goes after the low-hanging fruit: your users. Why spend time exploiting complicated software vulnerabilities when you can easily social engineer an end-user to click on a link? So your end-user did not get effective awareness training and falls for the hacker trick. Their workstation gets infected with a keylogger, the hacker now knows their login and password, and with that penetrates your network. Simply put: if it's the Eastern European cyber-mafia, their focus is to transfer out money from your operating account over a weekend.
If it's the Chinese, they will steal your intellectual property. If it's independent hackers, your customer database and credit card transactions are exfiltrated and sold on dark web criminal sites. In all three cases you run the risk of a lawsuit:
1) You might sue the bank for negligence, and they might sue you back. Massive legal fees are inevitable. If it is found out the attackers came in by social engineering a user, your case is significantly weakened. Go to Brian Krebs' site and search for Patco Construction, a nightmare scenario. Here it is: www.krebsonsecurity.com
2) If the Chinese steal your intellectual property and you are exposed to a shareholder lawsuit, there will be a lengthy and costly discovery period. If it is found out the attackers came in by social engineering a user, your case is significantly weakened.
3) If hackers get into your network, and an investigative journalist like Brian Krebs discovers a website that has all your customer records and credit card transactions, a class action lawsuit is not far away. (This is the legal profession's biggest growth industry). If it is found out the attackers came in by social engineering a user, your case is significantly weakened. See the trend here? Not scaling your training to a level that effectively mitigates the risk you are exposed to is a severe legal liability.
We have a new whitepaper called "Legal Compliance Through Security Awareness Training" written by Michael R. Overly, Esq., CISA, CISSP, CIPP, ISSMP, CRISC. He explains the concept of acting “Reasonably” or taking “Appropriate” or “Necessary” measures. Reading this whitepaper will help you to prevent violating compliance laws or regulations.
Do These Two Things:
Did you know that legally you are supposed to "scale security measures to reflect the threat"? In the whitepaper are some examples of the Massachusetts Data Security Law and HIPAA to explain what is required. I strongly recommend you download this whitepaper and get up-to-date about the legal repercussions of not providing effective security awareness training:
Have you ever wondered how effective your current Security Awareness Training program really is, and if you are at risk in case of legal action? We offer a FREE test that gives you a real quantifiable number as to the percentage of your users that would click through, and fail, a simple Phishing email. Do our free Phishing Security Test. You don't need to talk to anyone, you can just create a free account and send your simulated phishing test:
Related Pages: Security Awareness Training