International: Implementation series part 9 - training and awareness
The concept of 'training and awareness' within a security and privacy environment refers to the strategy implemented by firms to prevent and mitigate security breaches and leakage. In essence, 'training and awareness' is designed to assist employees in appreciating the important role they play in preserving data security and integrity within a working environment. Effective 'training and awareness' will enable employees to distinguish between what would constitute a good privacy practice and what would not, to understand what the security risks are and how those relate to, or materialise through, employee behaviour, and generally to identify the security threats they may encounter on a daily basis and know what actions to take.
Following part 8 of the implementation series, which looked at data protection audits, in this article Grigoris Sarlidis, Partner at A.G. Erotocritou LLC, explains the importance of security awareness training, sets out key types of training that firms may consider adopting in order to strengthen their data security, and shares some tips for helping employees become more privacy aware.
Importance of security/privacy training and awareness
In today's world of hacking, phishing, malware, and other (technology and non-technology related) never-ending threats, the need for security and privacy training is more important than ever. The reputational damage caused by a data breach can be unquantifiable and have grave consequences for revenue and business continuity. When robust data security strategies are implemented and adhered to, they can safeguard a firm's information against unauthorised access, and at the same time offer protection against insider threats and human error, which are arguably among the primary causes of data leaks.
Therefore, cultivating a culture within a firm where security and privacy is everybody's business – and not just the IT team's – is fundamental. Building a 'security and privacy first attitude' requires a multidisciplinary effort across the entire firm - a task that can, admittedly, be quite challenging. In this regard, set out below are some useful types of training that can (generally) be implemented by a firm to create and promote a 'security conscious culture'. The frequency and extent of the suggestions below need to be assessed on a case-by-case basis, taking into account, amongst others, the size of the firm, the services the firm renders, its workforce (and the type thereof), and the budget available.
Types of training
- Seminars/webinars: Employees, and especially those handling personal data, need to have a solid understanding of the data protection framework (including the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')). Accordingly, firms can educate their workforce through regular (e.g., quarterly) seminars and/or webinars followed by practical tests. This will enable employees to understand the privacy and data protection rules and how such rules impact them. As employees become more aware, they are transformed into a 'human firewall' and thus the risk of data breach/leakage arguably decreases significantly.
- Phishing tests: Creating mock phishing emails and/or websites that are circulated amongst employees at unexpected times is a great way to spread awareness through a real-life scenario and improve security behaviour. These dummy attacks enable employees to recognise the various forms a phishing attack may take, and thus avoid clicking on malicious links. In addition, as these phishing tests take place in a controlled environment, firms can establish a baseline metric (i.e., identify what percentage of the company's workforce was 'phished') and, therefore, focus particularly on that group of employees. Another key metric that a firm can measure when performing a phishing test is the number of employees who reported the phishing email - a high number of reports would signify progress.
- Security champions: Security champions can be regarded as an additional layer of protection and enforcement that fills the gaps that exist between the IT/security team and the rest of the teams. Security champions are employees designated to receive ongoing training in relation to security/privacy issues so that they stay up to date with the latest practices and ensure that the latest security-related information is spread through their firm offices. In principle, security champions act as an extended member of the IT team who continually strive to raise security awareness across various departments.
People are the weakest link of a firm when it comes to data security and integrity. 'Unauthorised' data leakage is not only caused by malice or intent. Inadvertently, employees may behave in a way that causes information leaks and thus jeopardises their firm. However, unintentional data leakage carries the same impact in terms of damage, as referred to above. Below are some practical tips that we all should keep in mind in order to mitigate any risk of information leakage.
- Social media: Employees should avoid posting on social media or sending pictures whilst at work, as they may accidentally expose to the outside world confidential information that is visible in the background.
- Clear desk policy: Employees need to ensure that all important and confidential documents are kept safe and locked away, especially, when they leave their workstation, so that any visitors/outsiders are prevented from gaining any access to such documents.
- Avoid unsecured devices and/or networks: Given that working outside of a traditional office environment is now becoming the norm, it is also important for employees to understand the risks inherent in such a working model. Accordingly, employees should avoid connecting to unsecured Wi-Fi networks, keeping confidential information on their personal devices, sending confidential material over unsecured messaging applications, or browsing websites that seem untrustworthy.
- Insider threats: Departing employees may also leak confidential information. Certain measures need to be implemented by an employer in order to prevent incidents from occurring. By way of indication, employees' devices should not be able to recognise external USB drives, so that employees are prevented from extracting sensitive information. Moreover, departing employees should have restricted access to confidential projects and should not be able to send emails outside the firm during their notice period. Lastly, depending on the circumstances, it may also be prudent to include a 'garden leave' clause in employment contracts to ensure that access to sensitive information during a notice period is restricted as much as possible.
In today's ever-developing technological and working landscape, security and privacy training is critical to a firm's stability, growth, and existence. Firms need to cultivate a culture where all employees are security/privacy conscious, and not merely reliant upon the IT team as a line of defence, particularly because many data leakage incidents occur by accident.
Grigoris Sarlidis Partner
A.G. Erotocritou LLC, Limassol