The Data Protection Act means protecting personal data is now an issue affecting any organisation storing or using personal information about its prospects, customers, members, employees or anybody else.
“Any organisational head who has not ensured that all staff have received appropriate data protection training is sitting on a data loss time bomb.” So says Barry Seward, Information Security Specialist with DLP Assured.
The consequences of a data leak can be very serious and very expensive. Currently, organisations are under a legal obligation to protect personal and sensitive personal data under their control. A data leak can lead to the imposition of large fines by the Information Commissioner. “Apart from fines, anyone in breach could face huge cleanup costs and a damaging loss of reputation and trust,” adds Seward. “It has been reported that in 2011 the hack of the Sony Playstation Network led to a $171 million cleanup bill.”
The ways in which a leak of “personal” or “sensitive personal” data (as defined in the Data Protection Act), or any other breach, can occur are many and varied. In addition to criminal activity, they include inadequate organisational procedures, employee carelessness and general ignorance of the appropriate practices and behaviours.
Significantly, it is widely held that eighty percent of data breaches involve employees not integrating adequate data security into their routine procedures. HMRC, for example, lost personal data concerning 25 million people because someone sent unencrypted CDs in the post.
The increasing use of mobile devices on unsecured networks in public places by staff also greatly raises the risks of data loss or theft.
Organisational managers need to consider every member of their staff who hasn’t received comprehensive, engaging, rigorous and up to date training as a potentially catastrophic loss of data waiting to happen.
According to Olivia Whitcroft, solicitor and sole principal of OBEP, an English law firm specialising in data protection and information law, “Breaches of the Data Protection Act arise from a failure to use personal data in accordance with certain key principles. This may include, for example, accidentally sending data to the wrong person, failing to give an individual a copy of their personal data upon request or inadequate destruction of data at the end of its lifecycle. It is therefore important for all staff to have at least a basic understanding of the obligations; the Information Commissioner’s Office expects this.”
Data Controllers are required to register with the Information Commissioner’s Office unless they are exempt, but exemptions are very unlikely to apply to large organisations. As part of the notification process organisations must confirm that they have trained their staff so that they are fully aware of how personal data should be protected. This is a requirement of the Data Protection Act.
So what is likely to constitute suitable training to protect organisations from data loss breaches through employees’ mistakes?
Whatever route organisations take to train their staff, the content needs to be engaging. Steve Bownass, pictured, Head of Educational Design for training producer New Compliance says: “Many people who handle confidential data on a daily basis see the subject of data protection itself as dull or technical and probably beyond their understanding and influence. So it’s vital they appreciate that the issues at the centre of data protection are both simple to understand and easy to incorporate into daily working practices. An ideal medium is video which is contemporary and familiar, as well as being powerful and easy to take in.”
Another hurdle is that people don’t appreciate how important their own implementation of security measures is. How many people do we know, for example, who protect their computers with a password like “Fido” or “Janice”? How many people do we know who spend at least a little of their working day opening and reading ‘round robin’ emails? Do we know anyone with a mobile phone on which all the personal information is encrypted (as it should be)? An engaging training medium is vital in convincing them that they need to change their attitudes and practices.
In this digital age, protecting paper-based data can easily be overlooked, as can the manipulative activities of colleagues and suppliers who may be trusted but may not be trustworthy. Training must therefore be comprehensive and cover these areas too, alerting people to the many routes to data loss and theft.
The best training will be rigorous too. Mechanisms for participants to positively confirm their understanding such as quizzes will go a long way towards increasing their confidence and motivation, persuading them that the issues are “for them”, that is, relevant and achievable.
Having the ability to monitor and record individuals’ performance in tests will provide organisations with evidence both that the training has been carried out and that the key messages have been taken up. This will be very useful in identifying weaknesses and in providing mitigation in the event of a data loss incident, and it argues for a technology-delivered approach such as an internet or intranet-based Learning Management System that automatically captures performance statistics.
Refresher training based on the most up to date information should be delivered annually to fulfil the requirements of the Data Protection Act. Re-testing should then be carried out and the results retained to demonstrate compliance with the measures taken.
Data loss breaches are bad news, and the biggest risk of the bomb going off lies in the people who handle the data. The best way to minimise the risk is to provide high-quality training that engages people, gives them the full picture, keeps them up to date and records the results. “Anything less,” says Seward, “is a gamble no organisation can afford to take.”