The Importance of People in Risk Management
Thank goodness GDPR is done with. Right?
So, May 25 has come and gone – you’ve hit the deadline to update your data protection policies, processes and procedures, put your staff through GDPR training and made sure the information you hold about your stakeholders and where it’s stored is transparent. Now breathe…
But in the rush to get the GDPR boxes ticked, did you consider that this regulation is simply to protect data and data privacy, and that it’s merely a part of the bigger cyber risk picture?
If your data is secure, ongoing GDPR compliance is a natural by-product. This isn’t just about technology, it’s about your people and their behaviour as well.
“We often hear hot topics such as GDPR and cyber resilience discussed in silos,” explains Richard Whittington, Product Manager at Unicorn Training. “But GDPR is basically just good data protection behaviour, which is inextricably linked with an organization’s cyber security approach.
“Regardless of their role or responsibilities, you need to help your people become your greatest information security asset by embedding and sustaining cyber resilient behaviour. What culture do you have in place to achieve this now the immediate panic of the GDPR deadline is out of the way?”
Building human vigilance and resilience
Investment in global cyber security technologies continues to grow. Yet the quantity and impact of cyber attacks are also escalating. There’s something missing in our corporate response to cyber risk.
The reality is 90 per cent of all successful cyber security breaches rely on human error. 90 per cent!
(Reference: Verizon Annual Data Breach Report)
A Ponemon Institute report highlighted that each data breach costs the affected UK company a total of £2.4m. The average cost to an individual of a lost or stolen record is £98.
Though data is everywhere, data security is still widely viewed as an IT issue. However, firewalls, encryption and anti-virus software will only get you so far. While advances in personalized technologies, such as biometric security (e.g. fingerprint and retina scanning) and Artificial Intelligence (AI), might provide an extra layer of security, your people should always be your first line of defence.
Given the evidence, you might think upskilling this critical first line would be at the top of every organization’s GDPR priority list. Yet, as Nick Wilding, General Manager, Cyber Resilience at AXELOS Global Best Practice (a joint venture between the UK Government and Capita plc) reveals, that isn’t the case.
He said: “Recent UK Government research showed that only 20 per cent of organizations provide cyber awareness training for their staff, and those that do still largely rely on annual, functional ‘tick box’ training that has no impact on staff behaviour.
“We’re in a brave new post-GDPR world where you can’t separate cyber security from data protection. GDPR is a chance to build reputation and customer trust through good cyber security behaviour.
“To achieve this, organizations need to go beyond GDPR compliance. Staff should be given the skills, awareness, knowledge and confidence to make the right decisions in the face of growing cyber threats to better protect the business.”
As Elizabeth Denham, the UK’s Information Commissioner said recently: “Staff are your best defence and greatest potential weakness – regular and refresher training is a must.”
So, in this brave new world, how do you ensure your people know what they need to do and, most importantly, why?
A new approach is required
The security industry is guilty of creating language that is impenetrable to the general public. If the aim is to make cyber resilience and ongoing GDPR compliance part of your organization’s DNA, data privacy needs to be demystified. Simple, practical guidance should be provided that is easy for your staff to understand.
As Angela Sasse, Professor of Human-Centred Technology at UCL, attests, “you need to make it easy for people to do the right thing.”
Nick Wilding insists that ensuring staff value what they are being asked to do comes down to effective awareness training that is relevant to them.
“People remember stories and scenarios they can personally relate to, rather than facts,” he explains. “You have to get the learner to see themselves as an owner of data. With regards to data protection and GDPR, the question to ask is ‘How would you want your personal information to be handled?’
“Would you be happy for someone to talk about your personal information to a family member or in a pub? Would you be OK with your information being put on a USB and used on a personal device connected to an unsecured network outside of an office?”
To raise awareness and to change staff behaviour, organizations need to rethink their cyber security training in line with four critical principles.
1. Real behavioural and cultural change is only achieved through ongoing, continuous learning – we can’t rely on yearly tick box tedium if we want to sustain behavioural change.
2. Providing short, adaptive, nugget-based learning is key – attention spans are short and time is precious. Giving staff long, protracted online training courses isn’t effective.
3. Your training content needs to be engaging, relevant and valuable – people learn in different ways, so organizations must deliver a lively mix of content (for example, games, stories, animations, tests, refreshers, audio stories, eLearning).
4. There must be a measurable benefit – fostering a culture where your staff are no longer seen as the weakest link but regarded as your first line of defence, and where sensible behaviour is rewarded.
These are the principles that underpin the AXELOS RESILIA® Frontline suite of cyber security awareness training. Nick adds, “We need to learn from our mistakes. Creating an environment where we encourage our people to admit ‘I’ve done something wrong’ is a huge step.”
Two months on
If it isn’t happening already, we’re now at the point after the GDPR deadline where organizations will perform compliance audits around their new policies, processes and procedures to understand if and how they are being adopted across the business.
One question all organizations should ask is ‘If the ICO knocked on the door now, would they see us delivering effective cyber and data protection awareness training?’ The regulator is not going to accept a tick box approach, so if your honest answer is ‘no’, you need to think about how you will train your people in the future.
As systems evolve to keep up with the pace of change in the global marketplace, and as we adapt our technical security controls to manage the changing risks we face, we also need to reassess the way we engage our people, so that they understand their responsibilities and actively support our corporate vigilance and resilience against growing cyber attacks.
Richard Whittington concludes: “The fundamental ethos of GDPR was never about getting people through a little bit of GDPR training and carrying on as they were. This is why data security can no longer be treated in isolation to cyber resilience.
“The need to build a human firewall around your business has never been greater, and as cyber criminals become ever more sophisticated and data remains vulnerable, the only guarantee is that the human firewall will need to keep getting higher. You should be getting at least the first bricks in place now.”
This article was originally published in T & C News.