Want to protect your organisation from a cyber-attack or data breach? Make sure your staff are “security aware”
Over the past few years, cybersecurity has gone from being a niche concern to something people think about on a day-to-day basis. Data misuse and breaches at major international organisations have cut through into mainstream news cycles and highlighted the need for more stringent controls on how personal information is managed and stored within operations.
Yet, even in this environment, where regulations such as “the GDPR” are well-known to consumers and businesses alike, complacency reigns. A series of industry surveys have shown that many small and-medium sized enterprises (SMEs) believe that data breaches are most likely to occur within larger, more complex, organisations. While, in multi-nationals, where privacy and security budgets are considerable, there is a view, among some, that investment alone makes them bullet-proof.
The truth is, any enterprise, can be vulnerable to a cyber-attack – be it a phishing scam, which preys on the vulnerability of staff, or a human-error incident when it comes to the storing or processing of data. Constant refresher training and promoting awareness are therefore, the best lines of defence.
I thought it could be useful, given my role at an organisation that handles millions of visa applications each year on behalf of national governments, to set out how organisations, both large and small, can mitigate their risk through improved awareness and training, without incurring huge cost.
Introduce regular training
Many organisations see compliance with major regulations, including the GDPR or CCPA, as a one-time action and do not believe that this work requires a long-term ‘assess and update’ approach. Training, and information and system updates, should be ongoing and be a fixture of the induction process of any new employee.
A key component of this training should centre on risk. For this, I would suggest adopting a NEED–WANT–DROP, in all business activity, and with particular across data handling. By using this simple filter, employees can easily understand whether they “NEED” to perform a high-risk action or process sensitive data for their business activity, whether they “WANT” this said data, typically for marketing, or whether they should “DROP” this information for lack of use or the risk it poses.
As a minimum, I would recommend that all staff are trained to recognise what constitutes risk, particularly around their holding and processing of personal data, in their day-to-day business; are aware or have easy sight of their organisation’s cybersecurity and data protection policies; and know the escalation procedure in the event of an attack or breach.
Remove the “fear factor” associated with reporting a breach or leak
Invariably, when an information breach or attack occurs within an organisation, it is exacerbated by delay and fear among staff about whether to report it to their employer or whether to tackle it themselves. As humans, we all make mistakes and it’s important to distil this reality across your teams, and to encourage staff to take steps to mitigate any damage or loss as soon as possible.
To this end, business leaders should ensure that their employees are briefed about what they should do in the event of a leak or attack. They should also adopt a blame-free, “identify and report” approach across their teams. This can be embedded into staff training, so employees know how to recognise a breach and the procedure by which they should report it. The latter, of course, will vary depending on the size of an organisation, but will often require staff informing their line manager, HR department and or appointed data protection officer (DPO) at the earliest opportunity.
Create an environment of awareness
All staff – from entry-level operators, right through to CEOs – are responsible for protecting the machines and personal data they handle and process. It is, therefore, crucial that every single employee in your organisation is properly apprised of their duty towards the upkeep of their hardware, data they hold, and how they can mitigate risk.
To help achieve this, staff should be informed of where they are likely to encounter high-risk scenarios and where they might be vulnerable to a cyber-attack. This can include how, and where, they store highly sensitive personal data, as well as red-flags to watch for, in the event they are targeted by third-party phishing scams. This will mean they’re “aware” day to day and will be in a position to identify particular activities that will require sensitive care. One low-cost method to achieve this is to use a “Privacy Champions” model where experts in the business functions are trained in protection principles and can better understand how these apply to their business function.
Conclusion
It can be easy for senior management to take comfort in the fact that they may have experienced little or no risk to their organisation’s activities when it comes to cyber and data security. However, if their workforce is not apprised of what constitutes a risk, and how it can be prevented or mitigated, there is still more work to do.
In my view, its always “better to be safe than sorry”. And, by adopting and scaling some relatively simple and admittedly basic changes to staff training, I believe organisations can better prepare themselves, and their staff from the unlikely event of an attack upon, or breach within, their organisation.
By Suraj Tiwari is the Global Head of Information Security at VFS Global,
Responses