Managing employee security-training completion: what changes with automatic certificates and digital badges
How BizMarket ran its employee security training on Kolleges' automatic certificates and digital badges - 166 credentials auto-issued, verifiable completion records, and client-proof requests handled in one screen.
Employee security training: why ‘proof’ is harder than ‘running it’
The real burden of employee security training comes not from running the training but from confirming completion and compiling the proof. Article 28 of the Privacy Act mandates training for personal-data handlers. After the training, proof materials that list the targets, completers, non-completers, and training dates are needed for internal reporting and for responding to client audits. At many companies, this tallying is still done by hand.
BizMarket, which runs a benefits and promotional commerce service for corporate clients, had the same concern. Because of the nature of B2B and B2E commerce, BizMarket’s client information, user information, and order and settlement records span the work of several departments - an environment that requires basic security awareness from every employee, not just specific staff.
The existing approach ran on two tracks. In-person training was conducted by gathering employees department by department in a meeting room, then collecting attendance-sheet signatures and tallying them by hand. For online training, off-the-shelf courses were selected from free training sites for employees to take, and an administrator gathered attendance and survey information to report. The training itself ran, but all compilation of in-person training results had to pass through the manager’s hands.
On top of this came external demand. A client recently asked BizMarket to have its personal-data handlers complete online security training, and BizMarket took part. BizMarket’s read is that in B2B transactions, demand from clients to verify a supplier’s level of security management is increasing.
Broken down by detailed type, work-negligence breaches included 27 cases of posting personal-data files to boards or group chats, 10 of email broadcasting, and 7 of wrong file attachments (PIPC 2024 breach-report trends). A single employee’s mistake in sending mail becomes a breach incident, so company-wide basic security training and the management of its records is less a choice than an operational requirement.
BizMarket’s approach: security consulting, training, and credentialing in one
BizMarket adopted a package that bundles security consulting, online security training, and Kolleges’ automatic certificate and digital-badge issuance into one. The biggest reason for the choice was that training content written by a consulting PM to fit BizMarket’s work environment could be used directly as employee training material on the Kolleges platform. Therein lay the difference from the existing approach of having to pick from off-the-shelf courses.
The training was titled “Privacy and Information Security Practical Training,” composed as an incident-case-centered program for general employees. It consists of two VOD lectures, about an hour in total. Its distinguishing feature is that it addresses scenes employees actually encounter in their work, rather than the generalities of a statutory-training format.
The training goals were clear, in three parts: distinguish suspicious mail and links, handle personal-data files safely, and report immediately when an incident occurs. The incident types covered are concrete too. The four most frequent security incidents in everyday work were built into the training: wrong-recipient email, smishing, lost USB drives, and entering company information into external generative AI.
It was so we wouldn’t stop at the level of having “run” the training, but leave it as a “verifiable completion record.” We designed it so the output of security consulting doesn’t stay in documents or checklists, but connects all the way to employee competency management and external proof.
The action procedure for when an incident occurs was also taught, organized into the five steps STOP, DISCONNECT, PRESERVE, REPORT, FOLLOW. The goal of the training was to make people “able to act,” not stop at “knowing.”
Certificates and digital badges were auto-issued to completers. A digital badge is a verifiable digital credential based on the 1EdTech Open Badges standard, with the issuer, criteria, and completion details embedded as data, making forgery difficult.
What actually changed with automatic certificates and digital badges
The biggest change is that completion confirmation and certificate issuance became connected within the Kolleges system. Previously, after training you had to compile the roster and confirm completion separately, but after adoption the completion results are confirmed in the system and flow straight through to issuance. In this round of training, 166 certificates were issued, and the issuance status could be seen at a glance in the admin view.
The issuance-management view shows recipient, certificate type, issue number, issue date, status, and alert channel in a single row. Each certificate carries a unique issue number in the BIZM-202606 format and is managed as permanent verification, and the issuance alert was sent automatically via KakaoTalk. The manual work of compiling rosters and checking completion one by one turned into a matter of looking down a list.
This is exactly where BizMarket’s representative pointed to the core benefit.
The most helpful part was that training completion and certificate issuance were connected. Previously we had to compile the completion status separately after running the training, and that process became much clearer.
Compared with the existing in-person training approach, the changes are clearly visible.
| Item | In-person training + manual tracking | Online training + auto-issuance |
|---|---|---|
| Completion check | Sign attendance sheet, tally by hand | Check completion status in the admin view |
| Certificate issuance | Verify roster, then compile and issue separately | Auto-issued on completion (166) |
| Proof record | Staff reprocesses the data | Accrued as issue-number / permanent-verification data |
| Training content | Pick from off-the-shelf courses | Custom content written by a consultant |
| Issuance alert | Individual notice | Auto-sent via KakaoTalk |
A digital badge doesn’t end at issuance. Completers verify their credential through identity authentication, and can register it on a LinkedIn profile or share it via Kakao, Instagram, blogs, and more. Training that the company conducted remains as the individual employee’s record, and verification and sharing both follow from one screen.
This single case holds the three things Kolleges aims for, together: verifiable credentialing that leaves completion records as hard-to-forge data, the operational efficiency of auto-issuing and managing 166 credentials, and the amplification that follows from badge sharing.
On-the-ground assessment and what’s expected next
The benefits BizMarket pointed to are clear: a structure where completion confirmation and certificate issuance are connected, training content tailored to its own work environment, and verifiable completion records. The accompanying feedback reads more like tasks for settling the system in. The expectation is that guidance for employees new to digital badges, and an expansion of admin statistics and reporting features, would widen the scope of use.
Digital badges aren’t a familiar concept to every employee. At BizMarket too, there was feedback that it would be good to provide guidance on how they differ from existing certificates and where to check them. For a company adopting a new credentialing method for the first time, adding just one more line of badge guidance to the training notice changes the pace of adoption.
The expectation from the administrator’s perspective is concrete too.
The view is that if admin features like completion rates by department, completion rates by course, bulk certificate downloads, and report exports for submission are added, the scope of use in executive reporting and external proof would widen further.
Based on the results of running this employee training, BizMarket is keeping open the possibility of using it not only for privacy and information-security training but also for new-hire training or internal compliance training.
Which companies should consider this approach
For companies where security-training completion management and proof compilation pile up as repetitive work, and companies asked by clients or auditing bodies to verify their security level, this is a model worth referencing. Rather than asserting it applies identically to every company, BizMarket advises comparing it with your existing training-operation approach and applying it starting from the parts you need.
The PM organizes the company types this model fits as follows.
BizMarket’s next steps are phased too. First it will steadily manage internal employees’ basic security training and completion records, and it will review expanding training to suppliers and tenants after confirming the internal results. Running outsourced-vendor training through the same system was also mentioned as a long-term task.
Personal Information Protection Commission · Korea Internet & Security Agency, 2024 Personal Data Breach Report Trend Analysis (Mar 2025) · Privacy Act Article 28, Personal Information Protection Portal training guidance · KOLLEGES × BizMarket written interview (Jun 2026)