5 Effective Ways to Raise Privacy Awareness

Have you made plans for Data Privacy Day (DPD) yet? What, you’ve never heard of DPD?  You can see more about it here. Or, have you heard about DPD, but you’ve not yet had time to plan for it? Well, I love doing information security and privacy awareness activities and events! I’ve been doing them for 2 ½ decades, and have written about them often, and included a listing of 250 awareness activities in my Managing an Information Security and Privacy Awareness and Training Program book.

Here are five of the ways that I’ve found to be very effective for raising privacy awareness throughout the years.

1)    Wheel of Security and Privacy Fortune: I was responsible for information security and privacy for a large financial company throughout the 1990s. One year we set up a “Wheel of Security and Privacy Fortune” outside the cafeteria for international computer security day. As people entered or left they would spin this huge wheel, and answer a question for the topic the clicker-pointer landed on. The questions incorporated our information security and privacy policy requirements and presented them in a way that related to work responsibilities and performing daily business activities. They were of varying degrees of difficulty, and we gave prizes of various sizes for correct answers; from candy-wrapped mints with a picture of our information security mascot on it all the way up to a gift certificate to the cafeteria for a full meal. This was a great success; well-received, plus we were able to establish some metrics based upon the participation and percentage of correct answers for how aware our personnel were about the various information security and privacy topics.

2)    Doing an Information Security and Privacy Contest. Several years ago I was responsible for creating and managing the Information Security and Privacy department and supporting activities for a large multi-national financial and healthcare organization. For our annual awareness event, I worked with the lead corporate artist, describing a large number of security and privacy risks common within a business environment. I then asked him to take those risks and visually incorporate them into a poster showing a 3-story building, the side of which was cut away so that you could see all the workers and their work areas inside and the streets, grounds and parking area around the building. I sent the poster to each business department throughout the worldwide locations (around 130 – 140 of them). Each department team had a week to document a listing of each of the privacy and security risks they found in the poster and send it back to me. I gave a prize to the team that correctly identified the most infractions; a pizza party during lunch for all their team members, recognition in the company magazine, and a photo of the winning team, along with their names and department. There was a fantastic response. Approximately 93% of the business departments participated. If you want to see more about this event, and my measurable positive results, you can read about it here and you can get a kit to do this type of event at your organization here.

3)    Helping Employees Protect Their Own Information. One of my large healthcare insurance clients brings me into their facilities once a quarter and I provide a 30-minute discussion about a topic 4 to 5 times throughout the day. Employees can attend at a time that works best for them. I talk about how the employees can help protect their own personal information for specific situations. For example, one quarter I explained the risks of wireless home networks and how to secure them. Another quarter I talked about common identity theft causes, and how to protect against them. At the end of each talk, the information security officer and/or privacy officer then talks for around 5 minutes pointing out how the actions I described related to their own information security and privacy policies, and they point them to the specific related ones. We then leave around 10 minutes for questions. And, there are always great questions, related directly to the employees’ own experiences and personal lives. You can do something similar to effectively raise privacy awareness within your organization. Get in touch with me and I can provide you with more information about this type of event.

4)    Regularly Providing Publications that Show Real-life Examples. Personnel love to know the information security incidents and privacy breaches that have happened in real life. And, there is no shortage of examples with the almost daily reports of incidents and breaches! Incorporating information about how information security incidents and privacy breaches could have been avoided by describing the controls and protections that would have prevented them is not only extremely useful to the readers, but also raises their level of awareness. I’ve been providing my Protecting Information Journal to businesses for the past five years, and my subscribers have provided me with fabulous feedback about how successful it has been for them in raising their employees’ privacy (and security) awareness, and also how auditors have noted in audit reports their approval for them providing such awareness publications.

5)    Ask Your Governor to Officially Declare DPD for Your State. I just received word that Terry Branstad, Governor of Iowa, has once more agreed, at my request, to release a proclamation for January 28, 2015, to officially be Iowa Data Privacy Day. This will be the sixth year that I’ve successfully gotten the governors of Iowa to make such a proclamation. You can see the official certificate of proclamation for 2014 here. By making the day an official day in your state you can then plan public events, and get widespread media attention, for the need to address privacy by everyone in the public, as well as by all organizations that collect, use, share or otherwise access personal information. Consider asking your governor to make a similar proclamation for your state.

Also, I’m very excited about the activity I’m doing for that day; it will be televised on the Great Day morning show here in Iowa on January 28, 2014. I’ll be sure to write about it and point to the video of the segment when it is available.

For white papers to help keep the awareness levels high for those responsible for information security, see the Dell security site.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit TechPageOne (http://techpageone.dell.com/). Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies. 
