Developing Staff as Human Firewalls to Detect Privacy Breach
Approximately 90% of privacy breaches are caused by human error, according to a recent analysis by the UK Information Commissioner’s Office (ICO). A privacy breach can pose a serious threat to an organisation, and leaders can no longer overlook the importance of educating staff in matters relating to data privacy. Cyber crooks continue to work hard to discover new ways to exploit the human layer of an organisation’s infrastructure. This happens across many industries. Cybercriminals are bold, and their tactics show that they consider untrained employees to be an organisation’s Achilles heel.
Employees should be taught how to detect privacy breaches. They must also understand the importance of data privacy and the concrete implications that violations of privacy can have on individuals, the workforce and the organisation as a whole. People will pay more attention to managing data privacy once they understand its importance.
A privacy breach occurs when there is an accidental or deliberate breach of security leading to the unauthorized disclosure or modification of, or access to, an individual’s personal data. Examples include hacking or computer intrusions, devices containing personal data being stolen or lost, and sending personal data to an incorrect recipient.
Privacy breaches can be expensive. Businesses may have to account for several costs such as legislative fines and penalties, third-party compensation, customer compensation and reputational damage. Reputational damage resulting from a data breach can be devastating for a business. News travels fast and organisations can become a global news story within a matter of hours of a breach being disclosed. Consumers are all too aware of the sensitivity of their personal data and, if companies cannot demonstrate that they are taking all the appropriate measures to secure the data, customers will simply take their business elsewhere, perhaps to a competitor who takes data protection more seriously.
Company activities can also be seriously affected as a result of a data breach. Organisations will need to contain the breach and conduct a thorough investigation into how the breach occurred and what systems were accessed. Operations may need to be completely shut down until investigators get all the answers they need. This process can take days, even weeks, depending on the severity of the breach, and can often have a huge knock-on effect on revenue and on an organisation’s ability to recover.
Privacy training will equip staff with the knowledge and understanding of industry regulations concerning private data, existing company policies, and how to comply with both. Privacy awareness training involves becoming familiar with the policies and procedures for daily operations to ensure that the privacy of information is considered at every level. Training may also be customized based on staff roles and functions within a company. Some individuals may need more thorough training than others; however, data privacy is everyone’s responsibility. Every employee who comes into contact with customer information should learn the basics of data privacy and the rights of a data subject. They should also be versed in the proper ways to classify and store the data. The appropriate channels for reporting a breach should be created, documented and placed in a centrally accessible area to facilitate easy retrieval.
Symptai Consulting Ltd. offers certified training for businesses seeking to build their staff’s capabilities in this area. Training sessions in Privacy Management (CIPM) and Privacy Technology (CIPT) are offered in conjunction with the International Association of Privacy Professionals (IAPP), the leading global body for privacy professionals.
Having staff who are well-trained in privacy management is recognised as a vital mitigation strategy. A human firewall will form as employees learn to recognise the signs of a data breach. I would also advise organisations to take the first step of identifying their areas of weakness by doing a privacy risk assessment. Once a privacy risk assessment is completed, the organisation will be able to develop a remediation plan and focus on having its staff properly trained in developing a privacy program framework.