Don’t Let Training Be a Compliance Risk
Many companies today face the reality that cybersecurity is a critical issue and that protecting customer and employee data is hard. Coupled with the move to cloud services and a constantly changing threat landscape, data security challenges now surface in every part of the organization.
Learning and development is usually treated as if it were immune to security issues, yet much of training, especially programs for front-line employees, depends on technology: a CRM or ERP system, a knowledge base, marketing databases, social tracking sites, and more.
It’s usually the training department that is responsible for making sure employees comply with security policies and regulations. But what happens when the training environment itself becomes the risk? Most employees understand the kinds of workplace conduct that are obviously improper; many legal and policy requirements, however, are not obvious or may run counter to some employees' social or cultural norms. The laws on anti-competitive conduct, data privacy, insider trading, and similar workplace issues contain many subtleties that go beyond a common-sense understanding.
With on-premises contact center solutions, companies typically had two sandbox or test environments for every production system, and training departments had access to them. With the shift to SaaS and cloud-deployed systems, many companies now operate without traditional sandbox and QA environments.
Without these parallel environments, training departments are left conducting onboarding and ongoing training on production systems. Combine this with the fact that IT's attention is on external threats, and onboarding and systems training leave the training department extremely exposed as a security and compliance risk.
At the most basic level, new and departing employees may have access to customer contact information, company IP, and market research. This is common because customer-facing employees need access to full customer records, especially in industries like insurance, finance, and healthcare.
At a minimum, companies in these industries have quality management and security controls in place in their production environments: screen recording while employees access customer data, call recording, and more. Rarely is the same set of controls applied to the training environment, least of all during onboarding.
As a result, new employees are often trained on production systems with access to personally identifiable information and protected health information covered by HIPAA, but without those quality management and security controls in place.
A study conducted by Biscom and published by Entrepreneur.com highlighted this exact issue. The research found that, across companies of all sizes, employees admitted to taking important company data and information when they left. More specifically:
- 85 percent of employees admitted to taking company documents and information they had created.
- 30 percent of employees admitted to taking company documents and information they had not personally created.
The research was particularly concerning for startups that retain and manage intellectual property and sensitive customer data closely. The study found that:
- 25 percent of employees reported taking source code and patent filings.
- 35 percent of employees took customer data, including names, phone numbers, and email addresses.
- 85 percent admitted to taking company strategy documents and presentations.
So, the real challenge presented to trainers and the learning and development groups is, how do you get everyone trained on all these different applications without exposing the company to a major security risk?
In a perfect world, every system has a sandbox available to training and development, as well as training models that use clean data to replicate the real-world experience. Since this is not always the case, we’ve outlined a few best practices for leveraging sandboxes and simulated training to avoid security risks.
1. Use scenario cards to create reusable simulation training. Scenario cards are a core part of engaging systems training. Take your most common use cases (creating a profile, updating a customer’s information, placing an order) and build scenario cards that are handed to learners. This accomplishes several things:
- Users learn the proper workflow for the most common use cases.
- Users do not have to “make up” workflows to get familiar with the software or system.
- You can build your sandbox to support these scenarios with the ability to reset the data each time training is complete. This way every user gets to go in and create an “ACME Brick Company” and the sandbox stays relatively clean.
2. Create a hybrid sandbox training environment with guided workflows and mock screens which have limited interaction. This setup gives the learner hands-on experience and familiarity with the most commonly used systems. While not fully functional, the hybrid sandbox is a great solution when the real systems are not available.
When setting up the hybrid sandbox, it is very common to copy data from the production environment to create a real-world feel. The risk is immense: exposing customer data opens the company to multiple compliance concerns. Would the learner normally have access to this data? What if he or she uses it outside the company?
The following practices can help avoid these security issues:
- If the data is in a spreadsheet before it is imported into the sandbox, mix and match first name, last name, and any other identifying information between rows, and make sure the mixing method is not so obvious that a user can reverse engineer it. Keep in mind that shuffling still puts every real customer's name, email, and phone number into the sandbox, only attached to a different row; where the learner does not need real values at all, generating synthetic ones is the safer choice.
- If you want a prebuilt tool for generating synthetic records, options are available online. Check out https://randomuser.me/ or https://www.mockaroo.com/
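As an added example, not part of the original article: a small Python script that takes a customer export of the kind described above and replaces the direct identifiers with synthetic values before the file goes anywhere near the sandbox. It assumes a CSV with the columns id, first_name, last_name, email, phone and balance (a constructed sample is embedded) and a secret key that stays with the trainer rather than in the sandbox. Instead of shuffling real values between rows, it derives each customer's fake name, email and phone from a keyed HMAC of the customer id, so the same customer gets the same fake identity in every file you scrub (order history still lines up across tables) while nobody with sandbox access can recompute or reverse the mapping. The leaks_identifiers check is the test to run before importing: it confirms that none of the original identifier values survived.

```python
"""Pseudonymize a customer export before it is loaded into a training sandbox.

Added example, not from the original article. Assumptions (all hypothetical):
  * the export is a CSV with columns id,first_name,last_name,email,phone,balance
  * the HMAC key is supplied by the trainer (for example from a secret store)
    and is never copied into the sandbox
"""
import csv
import hashlib
import hmac
import io

# Constructed name pools (not real customers). A larger list, or one of the
# generator sites mentioned above, gives more variety in a real run.
FIRST_NAMES = ["Avery", "Blake", "Casey", "Dana", "Emery", "Finley", "Harper", "Jordan"]
LAST_NAMES = ["Brick", "Hollis", "Marsh", "Okafor", "Patel", "Quinn", "Rowe", "Stein"]

# Columns that identify a person directly and must never reach the sandbox.
DIRECT_IDENTIFIERS = ("first_name", "last_name", "email", "phone")

# Constructed sample export; customer 1001 appears twice on purpose.
SAMPLE_EXPORT = """id,first_name,last_name,email,phone,balance
1001,Margaret,Thornton,mthornton@example.org,212-555-7788,1250.00
1002,Luis,Ferreira,luis.f@example.org,305-555-1122,80.50
1001,Margaret,Thornton,mthornton@example.org,212-555-7788,42.00
"""


def _token(key: bytes, value: str) -> int:
    """Keyed, deterministic 64-bit token for a customer id.

    Without the key a trainee cannot recompute or invert it; with the key the
    trainer gets the same token for the same customer in every export.
    """
    if len(key) < 16:
        raise ValueError("use a key of at least 16 bytes")
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def pseudonymize_row(row: dict, key: bytes) -> dict:
    """Return a copy of the row with direct identifiers replaced by synthetic
    values derived from the customer id; other columns are left untouched."""
    token = _token(key, row["id"])
    first = FIRST_NAMES[token % len(FIRST_NAMES)]
    last = LAST_NAMES[(token >> 8) % len(LAST_NAMES)]
    out = dict(row)
    out["first_name"] = first
    out["last_name"] = last
    out["email"] = f"{first.lower()}.{last.lower()}.{token % 10000:04d}@example.com"
    # 555-0100 .. 555-0199 are reserved for fictional use, so no real subscriber.
    out["phone"] = f"555-01{(token >> 16) % 100:02d}"
    return out


def pseudonymized_rows(export: str, key: bytes) -> list:
    """Scrub every row of a CSV export and return the rows as dicts."""
    return [pseudonymize_row(r, key) for r in csv.DictReader(io.StringIO(export))]


def pseudonymize_csv(export: str, key: bytes) -> str:
    """Scrub a CSV export and return the scrubbed CSV text with the same columns."""
    reader = csv.DictReader(io.StringIO(export))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(pseudonymize_row(row, key))
    return buf.getvalue()


def leaks_identifiers(export: str, scrubbed: str) -> list:
    """Pre-import check: return every original identifier value that still
    appears in the scrubbed output. An empty list means nothing leaked."""
    real = {r[c] for r in csv.DictReader(io.StringIO(export)) for c in DIRECT_IDENTIFIERS}
    return sorted({r[c] for r in csv.DictReader(io.StringIO(scrubbed))
                   for c in DIRECT_IDENTIFIERS if r[c] in real})


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # in practice: load from the trainer's secret store
    scrubbed = pseudonymize_csv(SAMPLE_EXPORT, key)
    print(scrubbed)
    print("leaked identifiers:", leaks_identifiers(SAMPLE_EXPORT, scrubbed))
```

The balance column is deliberately left alone: the point is to remove who a row belongs to, not to make the scenario unrealistic. If a quasi-identifier such as a full street address or date of birth is in the export, treat it as a direct identifier and generate it too.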
3. Pay attention to the data. How clean the data is gets overlooked all too often, so make sure the training data does not accidentally reflect any actual customer information. It is critical that the data is thoroughly scrubbed, but also that it is not a distraction: a class is easily sidetracked, so avoiding celebrity names and crude references will simplify your life.
4. Build a reset button into the sandbox. As users work through the training scenarios and enter information, it may be saved and change the experience for the next user. It is critical to build in a way to reset the system's data to a known default state.
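As an added example, not part of the original article: a minimal sandbox with a reset button in Python, using SQLite as the stand-in for the training system. The same pattern applies to any system where a golden snapshot can be restored (a database dump, a VM snapshot, a SaaS sandbox refresh). It assumes the schema and seed rows shown, which are constructed synthetic data. The baseline is loaded once into a golden copy that trainees never touch; reset() overwrites the working copy from it with the SQLite backup API, and drift() is the check to run before handing the sandbox to the next class, to confirm that nothing a previous learner entered survived.

```python
"""Training sandbox with a reset button.

Added example, not from the original article. Assumes a SQLite database as the
sandbox and the constructed, synthetic schema and seed rows below.
"""
import sqlite3

SCHEMA = """
CREATE TABLE customers (
    id         INTEGER PRIMARY KEY,
    first_name TEXT NOT NULL,
    last_name  TEXT NOT NULL,
    email      TEXT NOT NULL
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    item        TEXT NOT NULL
);
"""

# Constructed seed rows (synthetic, not real customers), the kind of data a
# scenario card would have the learner work against.
SEED_CUSTOMERS = [
    (1, "Avery", "Brick", "avery.brick.0001@example.com"),
    (2, "Casey", "Rowe", "casey.rowe.0002@example.com"),
]


class TrainingSandbox:
    def __init__(self, path: str = ":memory:"):
        # Golden baseline: built once, never handed to trainees.
        self.golden = sqlite3.connect(":memory:")
        self.golden.executescript(SCHEMA)
        self.golden.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SEED_CUSTOMERS)
        self.golden.commit()
        # Working copy the trainees actually use.
        self.work = sqlite3.connect(path)
        self.reset()

    def reset(self) -> None:
        """Restore the working copy to the baseline.

        Everything a previous learner entered, committed or not, is discarded.
        sqlite_sequence is restored as well, so autoincrement ids start over.
        """
        self.work.rollback()          # backup() refuses a target that is mid-transaction
        self.golden.backup(self.work)

    # The actions a scenario card would have the learner perform.
    def place_order(self, customer_id: int, item: str) -> int:
        cur = self.work.execute(
            "INSERT INTO orders (customer_id, item) VALUES (?, ?)", (customer_id, item))
        self.work.commit()
        return cur.lastrowid

    def update_email(self, customer_id: int, email: str) -> None:
        self.work.execute("UPDATE customers SET email = ? WHERE id = ?", (email, customer_id))
        self.work.commit()

    def customer_email(self, customer_id: int) -> str:
        row = self.work.execute(
            "SELECT email FROM customers WHERE id = ?", (customer_id,)).fetchone()
        return row[0]

    def order_count(self) -> int:
        return self.work.execute("SELECT COUNT(*) FROM orders").fetchone()[0]

    def drift(self) -> list:
        """Tables whose rows differ from the baseline. Run this before the next
        class starts; the expected answer after reset() is an empty list."""
        tables = [r[0] for r in self.golden.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
        changed = []
        for table in tables:
            # Table names come from our own schema, not from user input.
            query = f"SELECT * FROM {table} ORDER BY 1"
            if self.golden.execute(query).fetchall() != self.work.execute(query).fetchall():
                changed.append(table)
        return sorted(changed)


if __name__ == "__main__":
    sb = TrainingSandbox()
    sb.place_order(1, "ACME Brick Company starter pallet")
    sb.update_email(1, "learner-typed-this@example.com")
    print("after class:", sb.drift())
    sb.reset()
    print("after reset:", sb.drift())
```

Keeping the golden copy on a connection the trainees never receive is what makes the reset trustworthy; if the baseline lived in the same database the learners write to, a scenario that deletes the wrong rows could quietly corrupt the next class's starting point.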
It’s unquestionable that cybersecurity and the protection of sensitive data are more important than ever. It’s up to organizations to enforce policies that allow for efficient business processes without putting customer data and other sensitive information at risk. After all, security measures are only as strong as the weakest link.