To make sure the ICO don’t come knocking, follow Ian Osborne’s easy GDPR advice.
The world is as data dependent now as it has ever been, and with that come potent new challenges for individuals and companies alike to ponder. As the UK welcomed the ground-breaking legislation that is GDPR, companies acknowledged the need to be more thorough in teaching employees how to be more vigilant with data and more protective of sensitive information.
Despite the earnestness GDPR brought, only two-thirds (66%) of large British businesses and 26% of small business owners have offered their employees specific GDPR-related training.
The concern here is that the importance of training has not sunk in. Aside from the compliance aspect, employees could be falling victim to security faults they may never have been trained to recognise.
More alarmingly, research has found that many businesses were terminating contracts due to employee negligence, even while admitting that employee data security negligence is a high risk and that the training they offer is woefully inadequate.
Where companies dedicate more effort to data security training, unnecessary termination of employees’ contracts could be greatly reduced, as well as the risk of a data breach and GDPR fines.
GDPR has adequately brought awareness to businesses’ security measures but also elicited a call for action when handling confidential data. The danger is that it becomes a point in history, not a change in how people approach the handling of data at work.
With training in place employees can be better aware of common risks and the safeguards they need in place. Here are five recommendations to steer businesses towards improving data security training:
- Root out the weaknesses. Businesses can solve half of their data flaws simply by unearthing the problems in their infancy. This encompasses things like training on the use of public Wi-Fi, knowing what a fraudulent email might look like and what personal information should be saved on your computer – all things that even many large companies are not currently doing, according to this survey.
A common method to gauge training success is to consult and engage with staff for feedback on what common security concerns they are oblivious to, as well as focusing on those that are clearly required as part of GDPR. This once again helps businesses better come to grips with underlying issues which might be leaving them vulnerable.
- Develop trusted training methods. Whilst companies can be apprehensive about the time employees spend on training at the expense of productivity, the long-term gain to a company of being better equipped to combat cyber-attacks is hard to quantify.
Place a strong emphasis on interactive training as one of the most effective exercises to keep employees attentive and more receptive to new information. Interactive training has the additional benefits of being repeatable with the same employees and of aiding recall.
- Help employees understand what data security means and the cost of being negligent. From this research, one in four (27%) employees confessed to leaving work documents or notebooks on their desk, while one in six (16%) leave their computer on and unlocked when they leave work for the day.
A great deal of this seemingly cavalier attitude is in fact due to a lack of understanding of the likely consequences. Leaving hard copy materials in the wrong place, for example, is easy to do amidst the throng of a hectic day.
The solution rests in training around a clean desk policy and a more guarded approach to documents and devices that hold personal information. Additionally, warning signs of high security risks can in most instances trigger a switch in the mind of employees to be more rigorous in securely locking away information in their day-to-day work.
- Set the bar and lead from the front. Quite naturally, the onus is ordinarily placed on the leaders to enforce and enact processes that will benefit the company. The duty may fall on them to proactively drive adherence to the training programmes, but also to reinforce the importance of being acutely aware of data security risks.
Training professionals need to feel empowered to ask C-suite executives to undergo the same training as the rest of the company, and be able to champion that fact.
- Document training participation closely. This is largely centred on proving that, as a result of implementing the various procedures, the company can be far more confident in its ability to defend against a data breach.
If the ICO come calling, it is helpful to be able to demonstrate all of the steps that were taken to prevent data breaches. Documenting training is also an important step in identifying which training formats are leading to better outcomes on data security practices – especially when training new employees who are potentially less aware of procedures.
While learning passports are increasingly common for tracking participation, there is also an important internal communications element to ensure this is happening.
The tips outlined above, if applied, are bound to better protect a business. Training can have long-lasting effects for both employees and businesses. Not only does the business learn and develop, but it also creates an avenue to educate other companies on data security.
About the author
Ian Osborne is vice president UK & Ireland of Shred-it