GDPR and Educating Employees on Cybersecurity
Among the many negative outcomes of cyber threats in 2017, legislative change is another financial risk that businesses dealing with Europe will need to embrace. So how can we reduce the risks?
The General Data Protection Regulation (GDPR) is a new data protection regulation to protect individuals in the European Union (EU). The concern for global business is that it also covers the export of personal data outside of the EU. Once it is enforced from May 2018, companies that fail to comply and suffer a data breach could face a fine of up to 20,000,000 EUR or up to 4% of their global annual revenue for the preceding financial year.
Cyber-attacks are now as much a part of business risk assessment as fire and safety. In a recent interview, Chris Butler, Principal Consultant at Sungard Availability Services, stated that “an organization’s readiness to adapt to the new challenges of data privacy and reduced tolerance for data breaches as both an opportunity and a threat.” Will GDPR compliance become a standard customer assurance for all businesses dealing with European-based data? The threat to business is a hefty fine.
In America, GDPR will directly affect companies that offer goods and services to EU citizens. US businesses that do not comply will risk losing 4% of their global revenue to the EU. In a recent roundup of the top five impacts of a security breach, reputational damage from the loss of customer data could sink customer confidence in an organisation. The recent National Health Service hack resulted in an outdated version of Windows XP being breached and patients’ private records being transferred into the hands of organised crime. This is the kind of negative PR a financial organisation would find hard to repair.
Aside from GDPR compliance and growing your cyber defence team, educating employees on basic cyber security is a solid investment. Knowing the risks and consequences of the threat helps nurture a sense of responsibility. The onboarding process for new hires needs more than a tick box for “I have read and understood the company’s IT policy”.
Aside from the IT and legal teams surveying the GDPR legislation, the first line of defence for any company is deploying the Human Resources team to deliver tips that educate employees. The following tips could help nurture the shared responsibility we all face in confronting cybercrime.
1) Risk analysis workshops
Creating scenarios in a workshop environment is a technique that exposes how unhealthy staff habits can spiral into a massive fine and loss of global reputation. The laptop left in a bar, with sensitive data stored on the desktop, is a familiar story to tell. Demonstrate how 4% of global annual income leaving the business will affect staff.
2) Broadcast the call for responsibility
Your company’s infrastructure is only as secure as its weakest link, and every person in it is part of that chain. A unifying sense of responsibility can help break dangerous habits. Each team lead needs to be an ambassador of safe computing.
3) Onboarding process: set the right tone
Anyone who has ever had the joy of training their pet knows that they only learn what you teach them and reinforce with positive praise. The cyber security onboarding process needs to be relevant and engaging, and rewarding those who comply helps set standards.
4) USB sticks need tobacco industry warnings
They can resemble Lego and are often handed out like sweets at a conference. A crime syndicate can compromise these USB sticks and leave them lying around. One stick could hold up to 20 gigabytes of malware waiting to launch. What’s your company policy on USB sticks?
5) Response plan to a cyber-attack
PR is a big part of the response to a cyber-attack. Announcing that you are GDPR compliant and adhere to all internationally recognised legislation is needed for business confidence. The public need reassurance that their data is safe and not lost. In the recent UK ransomware attack sustained by the NHS, patients arrived for operations and were sent home due to the loss of records. All they had was Twitter and speculation as to the next steps.