5 effective ways to raise privacy awareness

Tech Page One

Have you made plans for Data Privacy Day (DPD) yet? What, you’ve never heard of DPD? You can see more about it here. Or, have you heard about DPD, but you’ve not yet had time to plan for it? Well, I love doing information security and privacy awareness activities and events! I’ve been doing them for 2 ½ decades, and have written about them often, and included a listing of 250 awareness activities in my Managing an Information Security and Privacy Awareness and Training Program book.

Here are five of the ways that I’ve found to be very effective for raising privacy awareness throughout the years.

1. Wheel of security and privacy fortune

I was responsible for information security and privacy for a large financial company throughout the 1990s. One year we set up a “Wheel of Security and Privacy Fortune” outside the cafeteria for international computer security day. As people entered or left they would spin this huge wheel, and answer a question for the topic the clicker-pointer landed on. The questions incorporated our information security and privacy policy requirements and presented them in a way that related to work responsibilities and performing daily business activities.

They were of varying degrees of difficulty, and we gave prizes of various sizes for correct answers, from candy-wrapped mints with a picture of our information security mascot on them all the way up to a gift certificate to the cafeteria for a full meal. This was a great success; it was well-received, plus we were able to establish some metrics based upon the participation and percentage of correct answers for how aware our personnel were about the various information security and privacy topics.

2. Doing an information security and privacy contest

Several years ago I was responsible for creating and managing the Information Security and Privacy department and supporting activities for a large multi-national financial and healthcare organization.  For our annual awareness event, I worked with the lead corporate artist, describing a large number of security and privacy risks common within a business environment. I then asked him to take those risks and visually incorporate them into a poster showing a 3-story building, the side of which was cut away so that you could see all the workers and their work areas inside and the streets, grounds and parking area around the building.

I sent the poster to each business department throughout the worldwide locations (around 130 – 140 of them). Each department team had a week to document a listing of each of the privacy and security risks they found in the poster and send them back to me. I gave a prize to the team that correctly identified the most infractions; a pizza party during lunch for all their team members, recognition in the company magazine, and a photo of the winning team, along with their names and department. There was a fantastic response.  Approximately 93 percent of the business departments participated. If you want to see more about this event, and my measurable positive results, you can read about it here.

3. Helping employees protect their own information

One of my large healthcare insurance clients brings me into their facilities once a quarter and I provide a 30-minute discussion about a topic four to five times throughout the day. Employees can attend at a time that works best for them. I talk about how the employees can help protect their own personal information for specific situations. For example, one quarter I explained the risks of wireless home networks and how to secure them. Another quarter I talked about common identity theft causes, and how to protect against them.

At the end of each talk, the information security officer and/or privacy officer then talks for around 5 minutes pointing out how the actions I described related to their own information security and privacy policies, and they point them to the specific related ones. We then leave around 10 minutes for questions. And, there are always great questions, related directly to the employees’ own experiences and personal lives. You can do something similar to effectively raise privacy awareness within your organization.

4. Regularly providing publications that show real-life examples

Personnel love to know about the information security incidents and privacy breaches that have happened in real life. There is no shortage of examples with the almost daily reports of incidents and breaches! Incorporating information about how information security incidents and privacy breaches could have been avoided, by describing the controls and protections that would have prevented them, is not only extremely useful to the readers but also raises their level of awareness.

I’ve been providing my Protecting Information Journal to businesses for the past five years, and my subscribers have provided me with fabulous feedback about how successful it has been for them in raising their employees’ privacy (and security) awareness, and also how auditors have noted in audit reports their approval for them providing such awareness publications.

5. Ask your governor to officially declare DPD for your state

I just received word that Terry Branstad, Governor of Iowa, has once more agreed, at my request, to release a proclamation for Jan. 28, 2015, to officially be Iowa Data Privacy Day. This will be the sixth year that I’ve successfully petitioned the governors of Iowa to make such a proclamation. You can see the official certificate of proclamation for 2014 here. By making the day an official day in your state you can then plan public events, and get widespread media attention, for the need to address privacy by everyone in the public, as well as by all organizations that collect, use, share or otherwise access personal information. Consider asking your governor to make a similar proclamation for your state.

Also, I’m very excited about the activity I’m doing for that day; it will be televised on the Great Day morning show here in Iowa on Jan. 28, 2014. I’ll be sure to write about it and point to the video of the segment when it is available.

For white papers to help keep the awareness levels high for those responsible for information security, see Dell Security Solutions.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

 

Rebecca Herold

Rebecca has over 2½ decades of information privacy, security and compliance expertise. Rebecca is CEO of Privacy Professor® and is partner for the HIPAA Compliance Tools® and SIMBUS Tracker®. Rebecca has led the NIST SGIP Smart Grid Privacy group since June 2009. Rebecca has been an Adjunct Professor for the Norwich MSISA program since 2005. Rebecca has written 16 books and hundreds of published articles, with the most recently published books being “The Practical Guide to HIPAA Privacy and Security Compliance, 2nd Edition,” and “Data Privacy for the Smart Grid.” Rebecca is widely recognized and respected, and has been providing information privacy, security and compliance services, tools and products to organizations in an extensive range of industries for over two decades. Just a few of her awards and accolades include being named in the Top 2 Female Infosec Leaders to Follow on Twitter in 2014 by Information Security Buzz.
