Most businesses do compliance training once a year. It consists of a series of slideshows followed by a quiz that must be passed in order to continue doing your job. These same businesses often do a yearly audit as well to verify that all facets of the business remain in compliance. The problem with both of these is that they are far too infrequent. How can companies guarantee compliance? Everyone is most compliant on the day they are audited. What about the other 364?
Auditing more frequently than once a year is a positive step. But doing so can be a large undertaking depending on business size. It can be costly in both time and money. It’s a step in the right direction, but most businesses are not capable of doing monthly or even quarterly audits. So how can you ensure that your business remains in compliance?
There are two best practices businesses can employ to ensure year-round compliance. First, implement proper training practices, and second, start toll gating.
Annual training, testing and auditing are not enough. Annual training is not targeted enough: it basically gives the same training to everyone in the company whether it applies to them or not. While annual training and testing may be sufficient for those in certain positions, employees who are on the front lines and touching data on a regular basis should undergo training and testing on a quarterly basis, at minimum. This method keeps compliance in front of everyone, gives them a refresher and keeps them thinking about what they are doing to protect the company, clients and co-workers.
The second, and probably most effective, way to remain compliant is to implement toll gating. This isn’t a roadblock that prevents someone from doing their job; it adds a small step that makes someone think before working with data. For example, a customer service rep gets a call. While on the call, the rep determines they need to pull certain sensitive data. They submit a request to their manager, who has a two-minute SLA to approve or disapprove the request. This step does not impact the rep’s ability to do their job, but it will make them stop and think about whether the information they are requesting is actually needed. Without this step, the rep could pull up sensitive data they might not need and risk exposing a customer’s information. With the step in place, the rep is more likely to try to solve the problem without contacting the manager, thus limiting exposure.
This example can also apply to coders. Many places don’t have code security review policies in place. But if a business pushes new code, a security review should be conducted as part of the process. If the code doesn’t pass the security review, it goes back to the coder to fix before it ever hits the system. This will teach coders to code securely from the beginning as opposed to having to fix code that’s already been breached.
Compliance governing bodies generally put programs in place because someone has done something bad. Compliance is generally a reaction, resulting in a law, a bill or a set of rules that must be followed or there are repercussions. Most businesses have their employees complete this training as part of onboarding and annually to “check a box”, but they do not take steps to ensure that compliance is followed throughout the year. The result is that problems arise on the 364 days they aren’t under audit, resulting in fines and fees accrued and customer data exposed. Implementing more frequent training and toll gating practices helps ensure businesses remain in compliance year-round.