PCI DSS requirement 12 requires organisations to "maintain a policy that addresses information security for all personnel"; it is the requirement that turns PCI compliance from a one-off project into something you achieve, monitor and maintain.

It is your responsibility to ensure that all of your personnel, including "full-time and part-time employees, temporary employees, contractors and consultants who are 'resident' on the entity's site or otherwise have access to the cardholder data environment", understand "the sensitivity of data and their responsibilities for protecting it."

Are you worried about the security of your company? Do you understand the importance of protecting your customers' data? The good news is that, through small daily actions, your employees can learn important security practices, and your company can become both more secure and more trusted.

PCI DSS requirement 12.6 states that you must "implement a formal security awareness program to make all personnel aware of the importance of cardholder data security" as well as educating personnel "upon hire and at least annually" (sub-requirement 12.6.1) and requiring employees to "acknowledge at least annually that they have read and understood the security policy and procedures" (sub-requirement 12.6.2).

Train your personnel to reduce the risk

As explained by the PCI Security Standards Council (PCI SSC), requirement 12.6 matters because "if personnel are not educated about their security responsibilities, security safeguards and processes that have been implemented may become ineffective through errors or intentional actions."

One common cause of breaches, including major ones, is human error: someone leaving a work phone in a bar, using a weak password for their work accounts, or falling victim to social engineering because they did not know which information must never be revealed to people outside the company.

A large part of the risk associated with employees comes from social engineering, and an article from Tripwire gives a useful summary of the main techniques:

  • Phishing (fraudulent emails, messages or websites that trick the target into revealing credentials or opening a malicious attachment)
  • Pretexting (inventing a plausible scenario, such as posing as IT support or a supplier, to persuade the target to hand over information)
  • Baiting (leaving an infected USB stick or a tempting download where a curious employee will pick it up)
  • Quid pro quo (offering a service or favour, such as "free" technical help, in exchange for credentials or access)
  • Tailgating (following an authorised person through a controlled door without presenting credentials of one's own)

The recent IOCTA report on data breaches notes that while 25% of 2014 breaches were attributed to crimeware, one third were due to "miscellaneous errors such as sending sensitive information to the wrong recipient or accidentally publishing sensitive data to public servers". That gives you an idea of how big a problem this is.

Educating your employees upon hire, and regularly afterwards, is important because without refresher sessions "key security processes and procedures may be forgotten or bypassed". Everyone in the organisation, from the financial officer to the assistant who files your paperwork, can forget the security best practices you have taught them. When people are busy doing their jobs, you have to expect this, and you have to remind them of their role in protecting cardholder data; if you do not, the result can be "exposed critical resources and cardholder data".

Finally, it is also important to get it in writing (on paper or electronically) that personnel have "read and understood the security policies/procedures". This is not an accusation that your employees are lying when they say they have read the company's security policy; the acknowledgment is designed to make sure that they "continue to make a commitment to comply with these policies". Having confirmed in writing that they understand the security policy, they are far more likely to uphold and follow it.

How to implement a Security Awareness Program?

The implementation of such a program needs to be taken seriously, as it could mean the difference between a devastating breach of your company's network and lasting success.

The first thing you need to do when putting your program together is to establish who the security awareness team is. This team is in charge of "the development, delivery, and maintenance of the security awareness program" and, says the PCI council, it should be made up of people from different parts of the company with different responsibilities. This way you can address the "specific needs" of every part of the business, which matters given how many people will have to follow the program once it is in place.

Next, you should define roles for security awareness, because:

"role-based security awareness provides organizations a reference for training personnel at the appropriate levels based on their job functions"

Part of this involves working out the responsibility of each group of employees. All employees need the same baseline understanding of security (e.g. knowing how to report potential security threats and making security a habit), while specialised roles need a different understanding (e.g. recognising their accountability and handling processes securely), as do those in managerial positions (e.g. encouraging and reinforcing security awareness and setting security expectations). The level of awareness required is best set according to the level of risk associated with each role.

Maintain your Program!

It's also important to define the metrics of your security awareness program, so that you have a tangible measure of how effective it is and a basis for changing and updating it in future. These metrics may be things like an increase in the reporting of security concerns or reduced system downtime, and you may use several of them together to get an accurate picture of how well the program is performing.

Below are the testing procedures the PCI council gives for requirement 12.6, i.e. what an assessor will check. They double as a checklist for the upkeep of your program:

  • Review the program to verify that it provides awareness to all personnel about the importance of cardholder data security.
  • Examine the program's procedures and documentation and perform the following:
      • Verify that the program provides multiple methods of communicating awareness and educating personnel (for example, posters, letters, memos, web-based training, meetings, and promotions);
      • Verify that personnel attend security awareness training upon hire and at least annually;
      • Interview a sample of personnel to verify they have completed awareness training and are aware of the importance of cardholder data security;
      • Verify that the program requires personnel to acknowledge, in writing or electronically, at least annually, that they have read and understood the information security policy.

These are not the only things you have to remember when putting together your program. Creating the right Security Awareness Program for your organisation is a complex task, but it is one that will help you achieve, monitor and maintain PCI DSS compliance.

Written by Igor Mancini

Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.

My intention is to discuss IT Security related topics through the eyes of a non-technical person, speaking a simple language and trying to show readers the benefits of IT Security best practices.