GDPR countdown: Making your staff ‘data aware’

Chris HunterGDPR, General Interest, News, Security

As part of his regular blog counting down to the introduction of General Data Protection Regulation (GDPR), Chris Hunter of HM Network focuses on what steps businesses can take to address their biggest data risk – their staff. 

Another few weeks have passed since our last encounter, and hopefully you’re making progress with your GDPR preparations with just 32 weeks left to go.

We recently exhibited at the North Lancs Expo, organised by Lancaster Chamber of Commerce. It was a good turnout, and it was nice to exhibit alongside Jennie and Helen from TITAN (the police’s North West Regional Organised Crime Unit).

The expo was superb opportunity to talk to businesses about what they are doing to get ready for GDPR. We showed the following video (which TITAN brought to our attention originally) about how a Lancashire business lost over £100,000 due to Cyber related crime, it definitely opened a few eyes.

Is the penny finally dropping on GDPR?

Our #GDPRexpress banner seemed to be somewhat of a magnet in bringing people to our stand. Although not everybody knew what the four magic letters G.D.P.R actually stood for, the percentage of people who were mildly aware that big changes were afoot with data privacy seems to have increased compared to past events we have attended.

This is definitely a good thing. It shows that businesses are starting to pay attention. The topics that came up time and time again were cyber security, staff training and awareness and IT hardware disposal.

Whether you have your own in house department, outsource it, or do it yourself, you will know that businesses can spend a lot of money and time on IT. Making sure that networks run properly, that they are safe and secure – implementing firewalls, installing antivirus software and so on.

Strengthening the ‘human firewall’

However, something that organisations often forget is the so-called ‘human firewall’ – their own staff.

It is all well and good asking your IT people to keep digital intruders out, but what about the people who use the systems and computers within your business every day. If staff are not thinking about who they are sharing data with, checking if they are sending information to the right destination, copying people into emails by mistake, or sending unencrypted documents that contain sensitive information, then they may be the weak link in the chain that could cause a data breach.

Malicious and unintentional breaches from within an organisation occur more often than external breaches. This could result in severe consequences for a business.

You can focus on prevention and reduce risk by:

  1. Educating staff on the importance of data privacy and data protection.
  2. Investing in face-to-face and online training from specialist providers (such as ourselves)
  3. Teaching them to be vigilant and know what to look out for, such as phishing scams.
  4. Making sure that information is not kept unnecessarily and especially not locally on individuals computers.
  5. Ensuring you install software updates and patches as soon as possible as these address vulnerabilities.

These all a play vital part when it comes to preparing for GDPR. You will find that by following the steps above, your staff will also employ this cyber safety knowledge at home too. Hopefully, this good practice will soon become second nature.

Destroying old hardware securely

Investing in new IT is great, but this process could also create a flaw in your security procedures.

You need to consider what you do with your IT hardware – old mobile phones, laptops and servers – once they become redundant or end of life. You might be taking all the right steps for security while these devices are in use, but you could be literally giving away data if you are throwing old equipment in the skip, giving it to a charity shop or selling it on eBay.

Make sure you use a reputable company when it comes to IT asset disposal. You should have an audit trail of what equipment you have disposed of, where it went and, if it was being repurposed, guarantees that the equipment is being wiped securely.

If you have a breach after equipment leaves your business it will be easier to prove how it happened and why it happened if you have a documented paper trail. Ultimately, it could point to who is responsible or liable.

LCWS & GDPRexpress

Some companies charge a premium to take equipment away, others like LCWS who are friends of the #GDPRexpress, do this in most cases free of charge.

For news of our free upcoming GDPR awareness sessions and our “Social” events please see our Eventbrite page

If would like a further information on any of the areas discussed in this blog post or you want us to put you in touch with specialists who can provide training you can email us or call on 03333 444 190.