A recent DataMotion study brought up some shocking statistics regarding attitudes to compliance training in 2015.
The study found that 33% of business owners felt that their employees didn’t understand basic safety procedures that ensure the security of data.
33% is an astronomically high number. Criminally high
But that’s not all. The DataMotion study also found that 44% of respondents felt that security and compliance procedures were only moderately enforced.
If any CEOs or directors or managers are reading this then let me say to you that it is your responsibility to educate your employees about compliance policies and procedures. How can you expect employees to engage in basic compliance practices if you are not creating a culture within your company that puts compliance at the forefront of every activity?
Educated employees, led by engaged leaders who also understand and believe in the necessity of compliance, are motivated to follow their company’s compliance procedures.
The DataMotion study supports this.
The study found that 4 out of 5 employees respect company compliance strategies as long as they are educated on how they must follow procedures and, arguably even more importantly, it is explained why they must make compliance an every day part of their job.
To put it bluntly, employees are not the problem.
Bob Janacek, CTO at DataMotion, makes a great point regarding employee education: "Though the survey shows us there is year-over-year growth in the number of companies putting security and compliance measures in place, the widespread security risks occurring are of great concern."
We cannot control the rising numbers of daily security attacks - no one can - but you can ensure that your company is protected as much as humanly possible by investing in the training of the most important element in every security strategy: your staff.
Janacek supports the need to focus on the education of staff: "Particularly at a time when a number of organizations—both large and small—have experienced serious data breaches, it is essential that companies have strong security and compliance policies in place and that they ensure their employees fully understand and diligently follow them."
According to the DataMotion study, 66% of companies were providing ongoing compliance training.
That is not high enough.
I have written about the repeated failure to take security awareness seriously. The consequences of overlooking the need to implement continuous compliance training are clear:
The buzzword that is now featuring in the compliance training debate is “evaluation”. Put simply, companies want to have systems in place that measure whether or not their compliance strategy is effective.
Some companies feel that effectiveness can be evidenced by completion rates.
Compliance training is not a ticking the box exercise.
As Dirk Thissen, a director at IMC Learning, argues , evaluation is an on-going process that must be incorporated into each section of employee training.
I would add to that to say that evaluation should be incorporated into each element of each employee’s day-to-day tasks.
A point to be made is that evaluation can be, and should be, qualitative, e.g., asking for employee feedback, using surveys to gauge changes in employee attitude, or testing whether employee have learned certain facts about compliance and the company procedures.
And because of the need to take a different approach to compliance training the major issue, quoted often by business leaders, is time.
Perhaps there is an argument that it’s a difficult to find the time to take employees on a three-day off-site training course (never mind the cost!)
The answer might be eLearning.
What some business leaders don’t realise is that investing in an eLearning training program can be the catalyst to creating a thriving compliance culture.
In the DataMotion survey only 43% of respondents said that their company had some form of technology to monitor security compliance.
A suite such as Metacompliance’s Compliance Management Software allows the planning and scheduling of internal audits to assess the performance of any employee at any time The individualised training program allows employees to complete modules when it is convenient for them with their performance monitored by management. Managers can also obtain feedback from users with awareness surveys. And finally, instances of non-conformance can be tracked and recommendations for improvement offered.
As Thissen points out, “Investment in innovation and flexible e-learning solutions [...] may not come cheap but can provide significant return on investment to firms who get it right, particularly those who are otherwise paying out for thousands of employees to attend external courses.”
Moreover there is the suggestion that training provided as part of the job, rather than outside of normal day-to-day practice, is given extra significance by staff: “Training provided within the workflow can be very successful and is more likely to be retained as it offers support to employees as and when they actually need it.”
The take-away from this blog is that having a training program incorporated into everyday working life aids companies on three fronts: firstly, it creates a healthy compliance culture that the best employees will want to work for; secondly, it keeps companies on the right side of the regulators; and thirdly, it attracts more customers as customers know that the protection of their personal information is the company’s highest priority.
In the world of compliance, education is an investment that guarantees returns.