Data breaches – the insider threat

Cyber attacks are the most talked-about threat to organisations these days, no matter the organisation’s size or which sector it is in. But as we become increasingly vigilant about mitigating external threats, what about the risks that originate from within the organisation? Whether data is compromised by a cyber attacker or by a staff member, intentionally or accidentally, the effects are the same:

  • Loss of customer confidence.
  • Possible loss of turnover.
  • Possible follow-up action from relevant authorities such as the ICO (Information Commissioner’s Office).

It’s essential to look for internal threats to information security with the same urgency as external ones. Creating a culture that respects personal data, and recognises the need to protect it, is of the utmost importance and can be achieved with consistent action in several areas.


It makes good business sense that all your staff and any data processors you use are aware of their personal responsibilities with regard to the handling of personal data. A consistent and mandatory level of training for both existing staff and new starters will give you that confidence, and keeping records of completed training may provide evidence of your commitment to information security in the event of an audit or a breach.

This training should cover information security and data protection basics, aiming to mitigate preventable breaches, such as those caused by autofill or by failing to use Bcc in an email. The training programme should also make staff aware of the organisation’s policies and procedures in relation to information security and data protection, where to find them and the fact that they must be adhered to.

Action: Develop a staff training programme and monitor progress through staff appraisals.

Staff awareness training courses are available through our sister company IT Governance Ltd.


Your data protection champion (e.g. the DPO (data protection officer), data privacy manager or similar job role) should be up to date with the latest threats, vulnerabilities and solutions, which they can find through industry news, partners and regulators. This information should be shared with staff members. This will keep the topic of security fresh in their memory, and remind them of the importance of updating software when prompted and the consequences of not keeping personal information secure. Data breaches that occur within the organisation should also be communicated to prevent the same thing happening again, particularly if caused by human error or process failure.

Action: Make your data protection champion responsible for communicating information security and data protection updates, as well as breaches, throughout the organisation.


Staff need to be empowered and confident to report a breach. This is something that begins with training, and is nurtured through a culture of open communication. Staff should have a firm understanding of what constitutes a breach, the urgency of reporting it and which channels to report it through. Reporting a breach should be a straightforward and quick process to enable the breach response team to take action as quickly as possible.

All breaches, whether reportable to the ICO or not, should be documented, with details of what happened and how reporting decisions were made – it’s possible the ICO will want to see this record.

Action: Add a link on the front page of your intranet, linking to a report form addressed to the data protection champion.

It’s possible to greatly mitigate insider threats – whether malicious or not – by implementing these simple steps, which will also show the relevant authorities that you’re committed to keeping personal data safe.

GRCI Law offers many services to our clients to help them comply with data protection laws. Our GDPR Data Privacy Manager Service brings our team’s data protection knowledge and experience into your organisation, reducing room for error. Read more about this service here.

If you require a DPO, our DPO as a service solution might be more suitable.