GDPR: Is Employee Data Security Training Essential?

Last year a number of ransomware campaigns affected thousands of high-profile organisations around the world, forcing hospitals to turn away patients and manufacturers to stop production. The worst part is that it wasn’t a technical error but a human one…

Humans in cyber security – the weakest link

According to the IBM’s Cyber Security Intelligence Index, 95% of cyber security breaches are due to human error. Hard to believe? Here are some stats from the National Fraud & Cyber Crime Reporting Centre:

• 23% of people who receive phishing emails will open them
• 95,556 is the number of phishing reports made between November 2014 and October 2015
• It takes 82 seconds for cyber criminals to ensnare their first victim

If the people within your organisation do not understand the importance of data protection or do not appreciate the gravity of the consequences, then all of the IT systems in the world will not save you.

Something as simple as sending a sensitive email to a wrong person, can put you in breach of new GDPR regulations. With fines of up to 4% of annual global turnover or €20 million (whichever is greater), internal compliance and security should be given priority.

Education is key to building a culture of security

Put simply, it is your employees who are responsible for processing your customer’s data and no tool or process will ever be effective if people aren’t on board. Therefore, to ensure compliance, it is essential to share best practice and educate employees about their responsibilities under GDPR.

Start with the basics

Most web crime still happens via email and therefore it is important for the staff to be aware of ‘phishing’ attacks. A quarterly internal email to raise cybersecurity awareness would be a good start.

Top Tip: Don’t just click – there are plenty of checks you can do yourself – for example spelling and bad grammar are usually an indicator of a phishing email.  Find out more here >

Make the training relevant

One size does not fit all. Training needs to be specific to your organisation so employees can relate to the GDPR policies and procedures in their day to day roles.

This can range from password security to confidential waste destruction and encrypting data in e-mails and attachments through to keeping paper files secure and confidential when out of the office.

Top Tip: The education shouldn’t end as people leave the training, though. You’ll want to keep promoting awareness using internal posters and ongoing training sessions to keep people up-to-date.

Have a universal security policy

No matter how advanced your security controls are, protecting your data assets will heavily depend on your people. Consequently, a well-designed information security policy will address the human factor, enforcing formal, written policies and guidelines which govern their behaviour.

Top Tip: Your company security policy should be written in plain English and avoiding the use of jargon. This should form a key part of staff induction – for permanent employees as well as contractors.

Train employees to take responsibility

Given employees will often be the first to notice a breach, there has to be a clear remediation plan in place so your business can minimise the damage and comply with its GDPR breach reporting obligations.

Top Tip: In case of a breach, training should include specific rules – such as unplugging a machine from the network in the event of attack.

This blog post should not be relied upon as legal advice on how to comply with GDPR. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.