expenses associated with security incidents, clarify security responsibilities, maintain credibility and reduce risk.” Security awareness training should be the same for direct, permanent employees who work within a primary organisation as well as those working for third parties to ensure they all follow safe online behaviours when they are handling sensitive information. This could include freelancers, consultants, interim workers, temporary staff or special service providers who work for companies either on premises or off-site. “Firms may want to offer data security tips to their clients as an added value,” says Velentzas. “A good example of this would be a bank offering suggestions to help protect clients from fraud and theft. This also would help to reduce the number of incidents the bank has to process. In many situations, professors and students have access to a university’s systems or research that must remain protected, and therefore faculty, staff and students are all required to take security awareness training.” In addition, providing all people working for an organisation both directly and indirectly with the same security awareness training makes it easier to ensure regulatory compliance. For instance, organisations serving European Union consumers must comply with General Data Protection Regulation standards whilst those working in California, USA, must comply with the Consumer Privacy Rights Act. If a third party fails to comply with these regulations, it may negatively impact a firm’s cybersecurity compliance status. Fortra’s Terranova Security encourages organisations to invest in cybersecurity training that is engaging and tailored towards individuals and their role. “The most successful security awareness programmes are relevant to the people taking the training and specific to their function in the wider business,” says Velentzas. “Training also needs to be engaging, interactive and fun, delivered in segments that are not too long as well as being tailored to their learning capacity and motivation level.” As no organisation has the same supply chain framework, there is no one-size-fitsall formula to follow. Instead, firms should evaluate the risk posed by their own third parties, whilst continuously monitoring for potential security threats, planning incident responses, reviewing and negotiating thirdparty contracts and cyber insurance. 79 According to Velentzas, security awareness training should be the same for both direct employees and third parties to ensure they all follow safe online behaviours
RkJQdWJsaXNoZXIy NzQ1NTk=