Cyber security has in the past few years developed into one of the most essential aspects of an organisation’s operations. Criminal hackers have run rampant, with 62% of UK businesses experiencing an increase in attacks since 2020.
Meanwhile, the introduction of the GDPR (General Data Protection Regulation) in 2018 and the UK Data Protection Act 2018 have marked a turning point in data protection legislation. Organisations across the globe have become subject to stricter requirements as governments attempt to crack down on data protection failures.
But it’s not just the threat of criminal hackers that organisations should be concerned about. Data privacy should be treated with equal importance, particularly considering a recent study that found that three quarters of UK residents are worried about their online safety.
Organisations that cannot demonstrate that they use people’s personal information responsibly run the risk of reputational damage and customer churn in addition to regulatory action. This is seriously compounded if the compromised information contains Special Category data
The escalating threat of cyber attacks and data privacy concerns suggest that, although the GDPR has been in effect for almost four years, organisations are still struggling to address its compliance requirements.
Is this a matter of negligence, or are there flaws in organisations’ approach to compliance that are contributing to its limited success?
Cyber security is an organisation-wide commitment
One of the biggest problems when it comes to GDPR compliance – and information security in general – is that organisations tend to consider data protection as a purely technical issue.
As such, they put their IT team in charge of information security, who in turn focus on their strengths, such as network security, access controls and other technological defences. These are all essential components of a good security system, but they are only one part of the equation.
Article 32 of the GDPR states that organisations must implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
The Regulation provides few specific details about what this might encompass, instead urging organisations towards broader goals. This includes ensuring the ongoing confidentiality, integrity, availability and resilience systems and protecting the organisation’s ability to keep personal data available in the event of a disruption.
These are requirements that demand the involvement of the organisation beyond the IT department.
For example, in the event of a system outage, you must look not only at how to get systems online again, but how employees can still operate while those services are compromised.
This requires a business continuity plan that accounts for the issues that a disruption might cause across the organisation, and the ways in which specific employees might be affected.
A well-designed business continuity plan will be tailored to each department’s needs and shared with employees.
Free infographic: Beginner’s guide to data breaches and the GDPR
Download our free infographic to learn the essentials of data breach notification under the GDPR.
The Regulation requires organisations to report certain security incidents within 72 hours. It also requires organisations to act quickly to identify the nature of the breach and, where relevant, to provide appropriate information.
Our guide provides a step-by-step guide to the process, ensuring that you meet your data breach notification requirements.
Likewise, employees must have a strong understanding of the organisation’s overall information security risks. This is something that the GDPR emphasises with the mandatory requirement of staff awareness training.
Unfortunately, an organisation’s ability to deliver effective staff awareness training remains in doubt. A report published earlier this year by the software firm Tessian found that 85% of data breaches are caused by human error.
Meanwhile, research has proven that employees have a limited ability to recall information over time. A study presented at the USENIX SOUPS security conference in 2020 revealed that employees will recall cyber security staff awareness guidance for four months before their knowledge begins to fade.
This demonstrates two things: that employees are always liable to make mistakes, and that staff awareness training must be a continual part of an organisation’s data protection practices.
It’s not good enough to do it once as part of a checkbox exercise. Employees should be given regular reminders about the risks related to their jobs and encouraged to learn more about the ways they can protect sensitive information.
A holistic approach
Among the biggest challenges to the technology-first approach to information security is the reduced strength of an organisation’s physical boundaries. This is something that directly correlates to the information security vulnerabilities introduced by employees.
Where it was once the case that employees were by and large working from inside an organisation’s premises, meaning they could be protected with strong internal network, this is no longer the case.
The increase in remote working resulting from the pandemic means that employees are scattered across the country (or perhaps even across the globe). This has created a far bigger threat surface, and one that an organisation’s IT team can only protect to a certain degree.
It’s an employee’s responsibility to ensure that their personal technologies, such as Internet routers and devices, are secure.
Likewise, they have a greater obligation to commit to responsible practices. This includes things such as disposing of sensitive information when it’s no longer required and only logging on to trusted public Wi-Fi.
Meanwhile, criminal hackers are targeting employees outside of their working practices, with techniques such as smishing and social media scams potentially resulting in compromised data or devices.
Home working comes with a less defined border between what’s considered work and leisure, meaning employees are more likely to use work devices to check their social media accounts or personal emails.
Of course, the reverse is also true, with employees using their personal devices to do work.
Organisations must identify and assess these risks when considering the threat of data breaches and cyber attacks. There are technical measures that can be used to combat risks, such as multi-factor authentication and VPNs.
However, an equal focus must be placed on staff awareness training and the processes that organisations can adopt to mitigate the risk of security incidents.
You can find out more about which measures are right for your organisation by watching our free webinar: Data breaches – before and after they occur.
GRCI Law’s Head of Cyber Incident Response Cliff Martin and Operations Director John Potts break down:
- The types of data breaches organisations face in today’s cyber landscape;
- The data breach processes organisations should implement to minimise risk;
- What your organisation should do to prepare for a data breach;
- What happens once a data breach is identified; and
- Practical solutions to handle data breaches.