Whilst many organisations have overhauled their technical security measures as part of their wider GDPR compliance programs, a high percentage are still failing to properly recognise and address the fact that their employees are their weakest link when it comes to cyber risk.
Cyber security firm, CybSafe, released a report in January 2020 following an analysis of all cyber-related personal data breaches reported to the ICO between 2017 – 2019. With 45% of reported breaches during the period relating to phishing attacks, CybSafe concluded that human-focused attacks continue to dominate the cyber risk landscape – and for good reason. CybSafe identified over 90% of all cyber related personal data breaches reported to the ICO in 2019 as being ultimately attributable to human error.
The hackers and attackers have clearly identified that our employees are our point of greatest weakness (and are not hesitating to exploit it), so why are most of us doing so little to address the issue?
In order to minimise the human risk, organisations should focus on the following three steps:
1) Raise awareness
Employee awareness should be raised through a combination of more formal training and regular, more informal measures such as internal breach updates, discussion at team meetings, floor walks to check adherence to clear desk policies and display of ICO posters around the office. Running mock phishing attacks (and notifying staff of the results) is a particularly effective method of testing employee responses to suspicious emails.
2) Implement clear and easy reporting lines
Make sure that staff know who to tell if an issue is identified and make it as easy as possible for them to do so. Lengthy forms may be great to help your DPO/privacy manager capture all of the relevant information but will become a barrier to reporting if busy employees perceive that every report will entail reams of paperwork. Consider whether a 2-stage reporting process might be more effective, with employees notifying issues by telephone/email/IM and the DPO/privacy manager collecting further detail by phone where needed. For smaller organisations in particular, holiday and sickness cover is always an issue that requires consideration – we deal with far too many enquiries from clients asking if they have breached the 72 hour reporting deadline because phones and emails were not diverted/monitored during absences.
3) Remove the stigma
Most employers have ensured that employees are made well aware of the potential consequences of a data breach to the business. Whilst employees do need to be aware of these consequences, it is important that employers avoid creating a culture of fear which will have a chilling effect on incident reporting. A good way to begin normalising incident reporting is to circulate quarterly incident reports to all staff providing basic information about the number and type of incidents reported internally. Once employees can see that others are reporting they will be less hesitant about doing so themselves.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at February 2020.