Data Security Awareness
We assist several clients with their data security awareness. We help ensure that the technical security measures they deploy are commensurate with identified risks, such as GDPR compliance, data security and cyber security. Listening to our clients revealed a forgotten yet crucial tool: their staff.
Giving staff the right information, and setting the parameters within which they operate through a clear set of processes and procedures, is extremely important. It gives everyone the confidence to act when necessary.
Above all, staff have a critical role in protecting an organisation. It is important that data security awareness, rules and any adopted technology enable users to do their job without putting the organisation at risk. This can be supported by awareness training that helps establish a security-conscious culture and creates accountability. Over time, secure actions and behaviour become second nature, a habit.
Data security awareness points to consider
Your staff must be able to do their jobs effectively. Organisations that do not successfully support staff with the right tools and awareness may be vulnerable to the following risks:
Removable media and personally owned devices:
Provide clearly defined and usable policies on the use of removable media and personally owned devices. Staff may inadvertently connect unsafe devices to the infrastructure. Big or small, such a device might lead to the inadvertent import of malware or the compromise of sensitive information.
Legal and regulatory sanction:
Awareness is key: if staff are not aware of, and supported in, how they should handle sensitive information, organisations may be subject to legal and regulatory sanction.
Incident reporting culture:
Implement an effective reporting culture. Without one there will be a lack of quality dialogue between staff and those responsible for the systems (the security team). Such dialogue is essential both for reporting actual incidents and for uncovering gaps in technology and processes that can be improved. Similarly, promote a security culture that empowers staff to voice their concerns about poor security practices and security incidents, without fear of recrimination from managers.
Endorse balanced security procedures. If they are not balanced to support how staff work, security can be seen as a blocker and therefore ignored.
Many staff have legitimate access and rights to the systems. Therefore, they are often the primary focus for external attackers and criminals. Attacks such as phishing or social engineering attempts rely on taking advantage of legitimate user capabilities and functions.
Is there an insider threat? Changes over time in an employee’s personal situation could make them vulnerable to coercion. For example, they may release or steal personal information or sensitive commercial information and pass it to others. It is common for unhappy staff to abuse their system privileges, or to coerce others, to gain unauthorised access to information or systems.
How can you manage the data security risks?
Create a staff corporate security policy:
Develop a user security policy as part of the corporate security policy. Consider tailoring procedures for each system to the different business roles and processes that use it; a ‘one size fits all’ approach is typically not appropriate for many organisations. In all cases, ensure policies and procedures are described in simple, business-relevant terms with limited jargon.
Establish a staff induction process:
Firstly, make new staff (including contractors and third parties with system access) aware of their personal responsibility to comply with the security policies as part of the induction process. Secondly, the terms and conditions of their employment or contract should be formally acknowledged and retained to support any subsequent disciplinary action.
Maintain user awareness of the security risks faced by the organisation:
Give your staff regular refresher training on the security risks to their organisation. Consider providing them with the opportunity to ask questions about security risks and discuss the advice they are given.
Monitor the effectiveness of security training:
Establish mechanisms to test the effectiveness and value of the security training provided to all users. This allows the training to be improved and any possible misunderstandings to be clarified. Ideally, training will allow for a two-way dialogue between the organisation and its staff. Finally, do not be afraid to work together and have difficult conversations about security risks.
Establish a formal disciplinary process:
Make your staff aware that any abuse of the organisation’s security policies will result in disciplinary action, and ensure that any sanctions detailed in the policy are enforceable at a practical level.
If you would like to have a conversation about your security posture or assistance in reaching an applied standard, contact us via firstname.lastname@example.org.