I believe all security awareness trainers understand that most end users can't really be "trained" in how to protect their systems and their corporate networks. However, if all systems are properly secured and configured, security awareness training can help end users understand the security risks and know which mistakes to avoid.
PCI DSS is primarily focused on technological controls, and most organizations have implemented anti-virus, firewalls, IPS, monitoring and logging, and a host of other tools to keep out the bad guys. However, despite all the technology deployed to secure sensitive data, the weakest link remains the end user. End users need to interact with sensitive data in order to get their jobs done. PCI DSS recognizes this and tells organizations how to minimize the risk: limit the number of employees who have access to this data, and maintain a formal security awareness program. Section 12.6 also states that employees must attend awareness training at a MINIMUM of once a year.
As an organization, are you just doing the minimum? Is a yearly lunch-and-learn reminder perhaps all you are doing, something to remind your employees that they need to be extra careful with cardholder data? Do you believe this is sufficient to address the risk of sensitive data leakage? Think again. Perhaps it's time to review Section 12.6.