Have you ever left a USB stick with e-mail addresses lying around? Ever sent an e-mail containing sensitive information to the wrong person? Imagine someone accidentally publishing the address list of your newsletter on your organization’s website. Accidents happen, and so do data leaks.
According to research by the Dutch DPA, 63 percent of all data leaks last year were caused by human error. A data leak is not only harmful to the owner of the personal information that was leaked, but to the organization too. Your customers will lose faith in you, and you risk a high fine now that the GDPR went into effect last year. And last but not least: the security of your company is compromised.
As an organization you can implement a security policy based on the outlines of the GDPR, but it is of little use if your personnel doesn’t follow the policy. Not because they don’t want to, but because they are unsure about what the GDPR exactly entails. Often, basic cyber security knowledge is lacking too.
The first audits to check whether companies are complying with the GDPR are in full swing, says Akram Adham, managing director of Aegolius and Test-IT Online. Adham informs and trains people about the GDPR and cyber security, using online assessments, for example.
Time is running out a year after the GDPR went into effect: it’s time to get your privacy and security policy in order.
Adham noticed first hand how the rules of the GDPR are being followed when giving training at Aegolius. ‘We lend out laptops for the Office 365 training courses. The users were still signed in when we got the laptops back. With this information, we could easily harm the organizations they work for.’
What every company has to know a year after the GDPR went in effect
Often companies want to follow the rules of the GDPR, but the knowledge to do so is lacking. ‘It doesn’t have to go wrong, but we find that with six out of ten of our students it does go wrong’, Adham says. After a year of training people in how to make their company safe and secure according to the GDPR, he gives us four tips. This is what you should know when implementing the GDPR in your company.
1- Make sure you have a OneDrive/iCloud policy
‘If the organization doesn’t have a good privacy and security policy, things can go wrong very quickly. The organization becomes unable to check who has access to which documents’, Adham says. Make sure you keep on top of things by handing out different levels of access. ‘If the employee has little knowledge of security and privacy, it’s not a good idea to give him high-level access’, Adham concludes.
It’s not just about your employees but about your organization too. ‘As an organization you need to have a policy that states who has access to what information. This policy has to be about information that stays within the organization, but also about information that is shared outside of the organization’, Adham says.
2- Start checking people at the door
‘HR and the IT department have different ideas about the knowledge an employee needs to have. Make sure to check people when they join the company, even before you hire someone. That way you can see if the skill set someone needs to work at your workplace is there’, Adham says.
This way you can make sure you don’t hire someone who has never worked in Office 365, for example. Be sure to test the skill set of your potential employee beforehand: saying you have knowledge of Excel, for example, can mean different things to different people. ‘The employee is the human firewall; if he doesn’t receive the right information, he will glitch’, Adham says.
3- Make sure you have a plan when a data leak does occur
‘Your employees need to be in a permanent state of security awareness’, Adham says. ‘The GDPR is implemented – so fines for mistakes will follow.’ One way to control the damage is to make sure you have a plan before a data leak occurs.
4- Make sure your employees have the right knowledge
‘Measure the knowledge of your employees first. Set a minimum knowledge requirement and see where your employees are. Afterwards, you can train the employee at the level that fits his knowledge’, Adham says. ‘People who are self-sufficient obviously don’t need the help – invest in the people that do need help.’ Remember: the employee is your firewall, and the organization is nowhere without him.
Global Knowledge collaborated with Aegolius to build the Security Awareness portal. With this portal your employees can test their cybersecurity knowledge by playing a game. After finishing, you receive a study program that fits their level of knowledge. That way you can build your skills towards a set goal.
Want to get GDPR-savvy?