Online learning is a booming part of compliance training these days—and a seldom-discussed IT weakness in such systems is growing along with it.
First, the good news: e-learning for compliance is humming right along. Statistics specifically for compliance are hard to come by, but anecdotal evidence is strong. “In the early days, online training had to fight to prove that it could be a cornerstone of an effective compliance program,” says Kirsten Liston, associate vice president, learning content strategy with SAI Global Compliance, a provider of compliance solutions. “Now, we take it as a given.”
Now the bad news: while e-learning courses have compelling benefits, they also can carry the same security risks as other information systems. That means compliance officers need to remain vigilant in ensuring that employees actually are studying and learning the material they appear to be learning.
“You can’t just roll out an e-learning system and relax. You have to be diligent with security,” says David Lawrence, chief collaborative officer with RANE, the Risk Assistance Network and Exchange, an information services and technology company.
One reasonable assumption is that the growth in e-learning for compliance is following roughly the same trajectory as e-learning courses overall—and that market has been on a tear. According to one analysis by Docebo, an online learning company, the worldwide market for self-paced e-learning was $35 billion in 2011 and should top $51 billion by 2016, a jump of nearly 50 percent in five years.
The growth reflects e-learning’s benefits. “It’s an efficient, scalable way to convey information,” Lawrence says. For organizations that need to communicate with thousands of employees around the globe, such scalability often makes e-learning the only practical approach.
In addition, the reporting and analysis provided by many e-learning systems can give compliance officers a good idea of how well employees grasp the information they’re supposed to be learning. For instance, a report might indicate that a large number of employees continually answer a particular question wrong, or that employees in one region have more difficulty with some lessons than employees do elsewhere. In either case, instructors can follow up with additional, targeted material.
The Hacking Risk
At the same time, e-learning—just like any other information system—can be compromised. One troubling example: a sufficiently savvy employee could hack the system to make it appear that he has studied the material and passed all the tests, when in truth he did not.
How would he pull that off? Most companies administer e-learning courses via a platform known as the learning management system (LMS) and the Sharable Content Object Reference Model (SCORM) protocol; those two systems govern the management and communication of online courses, and also report training results. The software used to communicate between the course and the LMS can be compromised, so the LMS records an individual as having completed a course even if he hasn’t.
“The weakness is the link between the course and the tracking system,” says Jan Sramek, chief executive officer of Better, an e-learning software vendor. Unfortunately, Sramek says, an LMS can’t currently detect and protect against this hack.
The problem traces back to the origins of e-learning technology in the late 1990s. At the time, Sramek says, security wasn’t as important a consideration as it is today. E-learning was used less often, and in many cases the material wasn’t critical.
In the years since, the applications delivered over such systems became increasingly important. At the same time, however, advances in software, and particularly in web browsers, were making the systems easier to circumvent even for people with little technical expertise. And meanwhile, regulators started stepping up their demands for robust, effective compliance programs.
“Now you’re in a situation where both sides of the equation have changed,” Sramek says. “Cheating has gotten easier, while breaches have become more costly for the companies that are compromised.”
Lawrence admits he has never heard of employees using the hack en masse, so whole departments might avoid compliance training or exams. That doesn’t mean compliance officers can rest easy, he says. “Caveat emptor.”
Indeed, the vulnerability underlines a serious concern. One of the benefits of online training is its ability to generate an audit trail that shows a particular employee studied and tested himself on a specific set of material. “If the audit trail is compromised, it goes to the credibility and integrity of the training,” says John Squires, a partner at the law firm Perkins Coie. After all, many organizations are using these programs to assure both themselves and government regulators that they have implemented robust, credible compliance programs.
Getting Around the Risk
Growing Global E-Learning Market
Below, Docebo anticipates trends in the global e-learning market.
There seems to be universal agreement that the worldwide E-Learning market will show fast and significant growth over the next three years.
The worldwide market for Self-Paced E-Learning reached $35.6 billion in 2011. The five-year compound annual growth rate is estimated at around 7.6% so revenues should reach some $51.5 billion by 2016.
A definition of Self-Paced Learning is Education in which learners study at their own pace, without a fixed starting date or regularly scheduled assignment completion dates in common with other students enrolled in the same program. However, there may be a fixed overall completion timeframe.
While the aggregate growth rate is 7.6%, several world regions appear to have significantly higher growth rates.
According to recent regional studies, below are the highest growth rates Worldwide:
The weak point in all this is the link between the course and the LMS. Foiling the hack, therefore, requires gathering more thorough evidence of a student’s completion of a course outside the LMS. “You need to modify the course so it leaves trustworthy, complete evidence,” Sramek says.
That can be done by adding a second software system or platform to power the courses. The second platform uses the SCORM protocol to work with the LMS, which still receives information the way it always has. So the company can continue to use its same software infrastructure, while the new system collects learning logs that validate employees’ training activity with a greater degree of independence and security.
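The cross-check this arrangement makes possible, sketched as an added example that is not from the article or from any vendor's product: completions recorded by the LMS are reconciled against the learning logs collected independently by the second platform, and any completion the logs do not support is flagged for follow-up. The record layouts, the course ID, the thresholds and the sample data are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data; field names, course id and thresholds are assumptions.
COURSE_RULES = {"aml-101": {"questions": 2, "min_seconds": 300}}
LMS_RECORDS = [  # what the LMS recorded from the course's SCORM reports
    {"learner": "alice", "course": "aml-101", "status": "passed", "score": 100},
    {"learner": "bob", "course": "aml-101", "status": "passed", "score": 100},
    {"learner": "carol", "course": "aml-101", "status": "passed", "score": 100},
    {"learner": "dave", "course": "aml-101", "status": "passed", "score": 100},
]
EVIDENCE_LOG = [  # (learner, course, time, kind, correct) from the second platform
    ("alice", "aml-101", "2024-03-01T09:00:00", "page", None),
    ("alice", "aml-101", "2024-03-01T09:10:00", "answer", True),
    ("alice", "aml-101", "2024-03-01T09:12:00", "answer", True),
    ("carol", "aml-101", "2024-03-01T10:00:00", "page", None),
    ("carol", "aml-101", "2024-03-01T10:00:40", "answer", True),
    ("carol", "aml-101", "2024-03-01T10:01:00", "answer", True),
    ("dave", "aml-101", "2024-03-01T11:00:00", "page", None),
    ("dave", "aml-101", "2024-03-01T11:08:00", "answer", True),
    ("dave", "aml-101", "2024-03-01T11:09:00", "answer", False),
]

def reconcile(lms_records, evidence_log, rules):
    """Return {(learner, course): [reasons]} for completions the logs do not support."""
    by_key = defaultdict(list)
    for learner, course, ts, kind, correct in evidence_log:
        by_key[(learner, course)].append((datetime.fromisoformat(ts), kind, correct))
    findings = {}
    for rec in lms_records:
        key = (rec["learner"], rec["course"])
        events = sorted(by_key.get(key, []), key=lambda e: e[0])
        rule = rules[rec["course"]]
        reasons = []
        if not events:
            reasons.append("no independent evidence")
        else:
            elapsed = (events[-1][0] - events[0][0]).total_seconds()
            if elapsed < rule["min_seconds"]:
                reasons.append("completed too quickly")
            answers = [c for _, kind, c in events if kind == "answer"]
            if len(answers) < rule["questions"]:
                reasons.append("assessment answers missing")
            elif round(100 * sum(answers) / rule["questions"]) != rec["score"]:
                reasons.append("score mismatch")
        if reasons:
            findings[key] = reasons
    return findings
```

Run against the sample data, only the first learner's completion is supported by the independent log; the other three are returned with the reason each one failed the cross-check.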
That said, a company’s culture also has a role to play in reducing the risk that employees try to circumvent online training. Ideally, business unit leaders will convey the message that it’s in employees’ own best interests to do the right thing. “They need to set the tone,” Liston says. The goal is to create an environment where employees want to comply with regulations, and want their colleagues to do so as well.
“With compliance, the first barrier is often attitude and whether employees believe in the need to comply,” says Jason Baker, head of instructional design at SAI Global. In the past, efforts to persuade employees to accept compliance initiatives often focused on the need to inoculate the company against risks. Recently, more emphasis has gone to the positive benefits of a strong compliance culture, such as greater visibility into processes and a heightened corporate reputation. “We want to do more carrot and less stick,” Baker says.
And of course, other training methods can be compromised too. Employees in a classroom can fail to pay attention, while paper-based systems for recording training statistics easily can be inaccurate, whether intentionally or not. “There’s a risk in any type of compliance training,” Liston says.
Given this reality, companies have an obligation to investors, regulators and clients—as well as their employees who are acting ethically—to thwart those who try to undermine others’ efforts to do the right thing. “You need checks and balances to make sure the content is being absorbed and the lessons being learned,” Lawrence says. “Trust but verify.”