Cloud Computing Economics - There Is No Free Service

Cloudonomics Journal


Train Employees about Cloud Data Security: July’s Cloud Security Tip of the Month

Every month, we provide an important tip about data security in the cloud. We have discussed fundamentals like encryption and key management, but for July, the USA’s month of independence, we would like to discuss the interdependence between our cloud data security and our employees.

ComputerWeekly recently advised that “teaching employees to be aware of an organisation’s security requirements can be one of the most effective ways to enhance the company’s overall security programme.” And yet, in a Ponemon survey “only 19 percent of the respondents indicated that their company provides general data security training that discusses cloud applications.” In a CompTIA study, “59% of the organizations surveyed indicated that their latest security breaches were the result of human error alone.”

There is a big gap between the risk posed by employees who are untrained in data security in cloud computing and what companies are actually doing to train their employees about these important issues (and their consequences).

In March, we discussed Learning from Compliance Requirements: certain industries have guidelines that mandate security practices for that vertical. In the e-commerce segment, those requirements are set forth in the Payment Card Industry Data Security Standard (PCI DSS). PCI compliance, whether you are bound to adhere to it or not, teaches us about the importance of training employees about cloud data security best practices.

Cloud Data Security: Does Security Awareness Training Work?

There are some mixed messages out there. It seems most experts agree that employees pose serious risks to companies’ data security in the cloud when they open bad email attachments, click links in spam messages, don’t change their passwords frequently enough, etc. However, there is also a mentality that employees cannot be trained to change this behavior. ISACA found that employees can be trained to minimize risks if that training is timely, relevant, and speaks in a language they understand.

Cloud Data Security Best Practices

To provide training that both complies with regulations and makes a difference in how employees view data security in cloud computing, follow these guidelines:

1. Train at least once a year

Studies have shown that once a year is the optimal training frequency. In fact, training employees less than annually is less effective, but training more often is not more effective.

PCI-DSS also mandates that companies “educate personnel upon hire and at least annually.”

2. Use diverse training methods

Some employees may learn best in a classroom setting and others may comprehend more by reading emailed tips. The important takeaway is to diversify your methodology. Offer training in different mediums: computer-based training, newsletters, e-mail, leader-led training, video, posters, and brochures are some popular choices.

Diversifying, like frequency, is not only good practice, it is a PCI standard: “Verify that the security awareness program provides multiple methods of communicating awareness and educating personnel (for example, posters, letters, memos, web based training, meetings, and promotions).”

3. Ensure training is relevant and interesting

Training on specialized topics like cloud encryption of your sensitive cloud data may be important to the select few who deal with the technology, but training employees about the importance of using the mainstream tools and not bypassing them is relevant to everyone. For example, if an employee is provided with an encrypted drive, he should use it and not other storage mediums.

Focus your training on the real everyday risks like employees who take an easy bypass around security measures, and why that can cause damage. Of course, also train on malicious attacks, such as phishing, social engineering, stolen laptops, etc.

Though trainers may be technical, they should word their lectures, emails, or webcasts in language that is understandable to the people being trained. The technical talk may lose those who are least technical (and most important to train).

4. Make sure they understand

PCI mandates that you should “Verify that the security awareness program requires personnel to acknowledge, in writing or electronically, at least annually that they have read and understand the information security policy.”

But verifying understanding is more important than the signature required for compliance. Consider a gamification approach in which you turn understanding of data security concepts into a game, perhaps with prizes.

 

Cloud Data Security Training

CIO.com warns “When it comes to data breaches, hackers and organized crime garner most of the headlines, but most data breaches are caused by human errors and system glitches… As a result, educating your employees and making sure they’re not cutting corners is a big component in preventing data breaches.” The cost of data breaches is nearing $200 per record. How much would a breach of your data cost your business?

Among other policies governing your data security in the cloud, you must invest in educating employees and training them on how to handle confidential information.


The post Train Employees about Cloud Data Security: July’s Cloud Security Tip of the Month appeared first on Porticor Cloud Security.


More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor, is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business), contributing to several SAP products and reaching more than 8 million users. Recently he created a consumer Cloud at G.ho.st, a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.