GPDR has been creeping up on us for quite a while and with less than four months to go, organisations are finally starting to worry about whether they are compliant and if their IT systems and databases are protected. These very organisations may turn to expensive technology to secure their environment but they forget about one of the many reasons a company may face a data breach – the human factor. Staff are the biggest threat to your cyber security and no matter how much you spend on technology, if you don’t train them to be cyber aware, your business will always be at risk.
You need to understand your users and the way they work so you can manage risk without reducing productivity. Using technology and the human approach means that you can provide context around a user behaviour. For example, a member of your sales team downloads 5 customer records a day, it’s reasonable to assume their intentions are legitimate, however if they suddenly download 10,000 a day, that’s a cause for concern and should be investigated.
The silly mistakes that can be avoided
Now I am not saying that the technology side to GDPR is not important but staff awareness plays a big part. Take myself for instance, I am new to the IT industry and didn’t know anything about it six months ago (I thought the cloud was somewhere information was stored in the sky!) But over the past few months I’ve gained key understandings of how the simplest of tasks can make a huge impact to the business, such as how easy it is to hack into user’s accounts when they have easy passwords or if they click on dodgy links. Educating your staff to change passwords on a regular basis and to make them harder to crack are key factors in maintaining a basic level of cyber security.
Additionally, you should make sure employees know how to use confidential waste destruction, encrypt their data in e-mails and attachments as well as keep paper files secure and confidential when out of the office. As many as 80% of cyber security incidents involve staff so there is a clear need for all workers to have a basic understanding of IT Security. Whilst staff training has always been a vital element of Data Protection compliance, with GDPR regulations dawning on us, it highlights that staff training is even more important given the fines being so substantial.
What to be aware of outside of the cyber security practices
When we think of GDPR some businesses only thought is cyber security and what we need to do in regard to implementing the best security practices, but there is so much more than that (not to scare you). A vital aspect of protecting your systems is teaching your staff on how to identify personal information and what they can and can’t do with it. Such as receiving information from a client and passing it onto third parties, would be a breach of personal data. It’s something that can be taught so simply to avoid a breach that could be so substantial.
Staff are the foundations to your business so teaching staff on how to handle and process data should be paramount to ensuring your business and data is safe. As a starting point, staff should understand what GDPR is so they can understand what the regulation expects from them and what the importance of certain policies and procedures have on their job roles. If you as an employer can show you are periodically training and updating staff on security measures, not only are you proving to the ICO that you take the regulation seriously but also mitigating yourself against the risk of a security breach.
But don’t kick your feet back just yet, maintaining this training is paramount to preserving high levels of security. How many times have employees kicked back into their habits a year later? I know I do.
The human factor is not just about spotting the malicious employee out to hack your systems – many data breaches occur from accidental user missteps because cyber security is not their main focus. Making them Cyber Aware means you get into their subconscious and put security at the front of their minds whilst not affecting staff productivity.