GDPR (General Data Protection Regulations) and cyber security are interwoven. But do your updated data privacy policies and procedures reflect this? The GDPR deadline may have passed yet the cyber risk remains. Data protection starts with building cyber resilience in your people.
Thank goodness GDPR is done with. Right?
So, May 25 has come and gone – you’ve hit the deadline to update your data protection policies, processes and procedures, put your staff through GDPR training and made sure the information you hold about your stakeholders and where it’s stored is transparent. Now breathe…
But in the rush to get the GDPR boxes ticked, did you consider that this regulation is simply to protect data and data privacy, and it’s merely a part of the bigger cyber risk picture?
If your data is secure, ongoing GDPR (General Data Protection Regulations) compliance is a natural by-product. This isn’t just about technology it’s about your people and their behaviour as well.
“We often hear hot topics such as GDPR and cyber resilience discussed in silos,” explains Richard Whittington, Product Manager at Unicorn Training.
But GDPR is basically just good data protection behaviour, which is inextricably linked with an organisation’s cyber security approach
“But GDPR is basically just good data protection behaviour, which is inextricably linked with an organisation’s cyber security approach. Regardless of their role or responsibilities, you need to help your people become your greatest information security asset by embedding and sustaining cyber resilient behaviour.”
What culture do you have in place to achieve this now the immediate panic of the GDPR deadline is out of the way?
Building human vigilance and resilience
Investment in global cyber security technologies continues to grow. Yet the quantity of and impact from cyber attacks is also escalating. There’s something missing in our corporate response to cyber risk.
The reality is 90 per cent of all successful cyber security breaches rely on human error. 90 per cent! (Verizon 2015 Data Breach Investigations Report)
A Ponemon Institute report highlighted that each data breach costs the affected UK company £2.4m. The average cost to an individual of a lost or stolen record is £98.
Though data is everywhere, data security is still widely viewed as an IT issue. However, firewalls, encryption and anti-viruses will only get you so far. While advances in personalised technologies, such as biometric security (e.g. fingerprint and retina scanning) and Artificial Intelligence (aka AI), might provide an extra layer of security, your people should always be your first line of defence.
Given the evidence, you might think upskilling this critical first line would be at the top of every organisation’s GDPR priority list. Yet, as Nick Wilding, General Manager, Cyber Resilience at AXELOS Global Best Practice (a joint venture between the UK Government and Capita plc) reveals, that isn’t the case.
He said: “Recent UK Government research showed only 20 per cent of organisations provide cyber awareness training for their staff, and those that do still largely rely on annual, functional ‘tick box’ training that has no impact on staff behaviour.
“We’re in a brave new post-GDPR world where you can’t separate cyber security from data protection. GDPR (General Data Protection Regulations) is a chance to build reputation and customer trust through good cyber security behaviour.
“To achieve this, organisations need to go beyond GDPR compliance. Staff should be given the skills, awareness, knowledge and confidence to make the right decisions in the face of growing cyber threats to better protect the business.”
Elizabeth Denham, the UK’s Information Commissioner, recently said: “Staff are your best defence and greatest potential weakness – regular and refresher training is a must.” So, in this brave new world, how do you ensure your people know what they need to do and, most importantly, why?
Embracing a new approach
The security industry is guilty of creating language that is impenetrable to the general public. If the aim is to make cyber resilience and ongoing GDPR compliance part of your organisation’s DNA, data privacy needs to be demystified. Simple, practical guidance should be provided that is easy for your staff to understand.
As Angela Sasse, Professor of Human-Centred Technology at UCL, attests, “you need to make it easy for people to do the right thing.”
Nick Wilding insists ensuring staff value what they are being asked to do comes down to effective awareness training and making it relevant.
“People remember stories and scenarios they can personally relate to, rather than facts,” he explains. “You have to get the learner to see themselves as an owner of data. With regards to data protection and GDPR, the question to ask is ‘How would you want your personal information to be handled?’
“Would you be happy for someone to talk about your personal information to a family member or in a pub? Would you be ok with your information being put on a USB and used on a personal device connected to an unsecured network outside of an office?”
To raise awareness, and to change staff behaviour, cyber security requires organisations to re-think their cyber security training in line with four critical principles.
- Real behavioural and cultural change is only achieved through ongoing continuous learning – we can’t rely on yearly tick box tedium if we want to sustain behavioral change.
- Providing short, adaptive nugget-based learning is key – attention spans are short and time is precious. Giving staff long protracted online training courses isn’t effective.
- Your training content needs to be engaging, relevant and valuable – people learn in different ways, so organizations must deliver a lively a mix of content (for example, games, stories, animations, tests, refreshers, audio stories, eLearning).
- There must be a measurable benefit – fostering a culture where your staff are no longer seen as the weakest link but regarded as your first line of defence, and where sensible behaviour is rewarded.Nick adds, “We need to learn from our mistakes. Creating an environment where we encourage our people to admit ‘I’ve done something wrong’ is a huge step.” If it isn’t happening already, we’re at the point post-GDPR deadline where organisations will perform compliance audits around their new policies, processes and procedures to understand if and how they are being adopted across the business.As systems evolve to keep up with the pace of change in the global marketplace, and as technical security controls adapt to manage the ever-changing risks, the way we engage people, to ensure they understand their responsibilities and actively support corporate vigilance and resilience to growing cyber-attacks, must be reassessed.“The need to build a human firewall around your business has never been greater, and as cyber criminals become ever more sophisticated and data remains vulnerable, the only guarantee is the human firewall will need to keep getting higher. You should be getting at least the first bricks in place now.”
- For more information visit www.unicorntraining.com/cyber-security-courses
- Richard Whittington concludes: “The fundamental ethos of GDPR was never about getting people through a little bit of GDPR training and carrying on as they were. This is why data security can no longer be treated in isolation to cyber resilience.
- One question all organisations should ask is ‘If the ICO knock on the door now, would they see us delivering effective cyber and data protection awareness training?’ The regulator isn’t going to accept a tick box approach, so if your honest answer is ‘no’, you need to think about how you will train your people in the future.
- Two months on
- These are the principles that underpin the AXELOS RESILIA® Frontline suite of cyber security awareness training, including courses across the key areas of Protecting Information, Safe Device Use, Managing Online Risks and Keeping Safe Online.
