Security refresh: Are employees protecting customers' card data?
Security breaches continue to make headlines, bringing unwanted attention to affected businesses and eroding trust in their services. While business owners may go to great lengths to protect payment data, it won't be enough if employees aren't on board as well. In fact, keeping employees informed of best practices for payment security is so important that it's already part of the Payment Card Industry Data Security Standard (PCI DSS) requirements. Employees could easily make a mistake that leads to a security leak or data breach. To prevent this from happening, education is crucial.
The importance of security education
According to the PCI Security Standards Council, uninformed employees can often be a bigger weak point for a business's security than technology. Staff may accidentally share information that should be kept secure or inadvertently cause a data breach through failing to uphold best practices in general.
Unfortunately, most workers don't receive this type of training. According to a survey from Security Monitor, more than half of employees indicated they never received any type of workplace security training. Moreover, the majority of staff admitted to unsafe practices, such as using weak passwords or one password for multiple functions, as well as storing sensitive information on mobile devices or in the cloud. More than one-third of respondents also admitted to clicking links from unknown senders. Before an employee slips up, it's critical to teach the whole staff about the need to stay secure.
To better secure your business, here are some factors to keep in mind when educating staff on security procedures:
Create a team
PCI suggests employers put together a security awareness team that's responsible for creating and implementing the program. This team should contain members from all different areas of the organization so they can provide insight into the weaknesses specific to each part of the business. Each person will have different responsibilities to cover the breadth of security needs.
Businesses shouldn't assume that any staff member has more security background than the others. It's important to educate everyone from managers to part-time workers about the need to maintain security. For instance, managers can be a target for fraud because of their privileged access to information. Anyone can be a weak link in a business's security. Make sure that employees on all levels participate in training sessions. However, managers should also receive some specialized training because they need to uphold and reinforce secure practices among staff, PCI suggested.
Conduct training regularly
Maintaining payment security is an ongoing process. As technology and practices change, fraudsters evolve to keep pace. This means companies need to be vigilant about updating training materials and communicating new trends to staff members. Businesses should create a schedule so they don't overlook this crucial task. Integrating some basic security training into onboarding and orientation is also a good idea.
Make it fun
Payment security might not be the most exciting topic for staff, but there's no reason training sessions have to be a burden. To make sure staff members stay engaged during training sessions, it might be a good idea to make sure there are some snacks on hand. Consider quizzing employees on basics and offering some kind of reward for those who perform well. Testing workers at the end of the session is also a good way to measure the effectiveness of the training.
Ensure employees know what to do
If employees do spot a red flag, make sure they know how to respond. Make it clear what steps employees should take if they see something is wrong, including who to report to and what number to call. Encourage staff to speak up even if it turns out to be a false alarm. Frequently occurring false alarms are simply a sign that you need to improve your approach to training or clarify a few points.
Critical areas to consider
There are many different topics to cover in a payment security training program. Here are a few important areas businesses should touch on:
- The need for strong passwords.
- Email, browsing and social media security.
- Avoiding malicious software, such as viruses and spyware.
- Awareness of card data security in various environments, such as in-person and card-not-present environments, when applicable.
There is always room to improve data security environments. In addition to maintaining PCI compliance and adopting data security technology, it's crucial for businesses to implement training processes to keep employees in the know about best security practices. Without any kind of background in security, employees are more likely to make an error, which could lead to a full-scale data breach. At the same time, a well-informed employee may notice a red flag that managers miss. Staying secure is everyone's job.