The government reported in its latest Cyber Security Breaches Survey, published in March 2021, that 39% of businesses had experienced cyber security breaches or attacks in the 12 months before the survey. The report describes breaches as a ‘serious threat’ that can result in substantial costs for businesses. A recent independent report indicated that, amongst the executives surveyed, 52% believe that employees are the biggest threat to operational security.
What are the risks of failing to comply with data protection law?
In addition to the risk of significant reputational damage, fines under the UK GDPR can reach up to £17.5 million or 4% of total global turnover, whichever is higher.
What is a data breach?
A data breach can be any of the following:
1. A confidentiality breach occurs when someone accesses personal data they should not have access to. For example, where personal data is emailed to the wrong recipient.
2. An integrity breach occurs when personal data is changed by someone who is not authorised to change it. For example, where data is accidentally altered by an employee.
3. An availability breach occurs when data can no longer be accessed, whether as a result of an accident or of unauthorised action. For example, a server failure.
What risks can employees present?
Whilst employees can be your greatest asset, they can also be a significant risk. Data released recently by the ICO details incidents commonly reported as breaches. These include data being sent to the wrong recipient, use of the ‘bcc’ field rather than the ‘cc’ field in emails, phishing incidents, the loss or theft of data, unauthorised access to data, and failure to redact. Many of these incidents will inevitably involve employees.
What steps can we take to mitigate those risks?
In addition to implementing appropriate policies and procedures, ensuring that employees are appropriately trained helps in two ways: it reduces the risk of a data breach happening in the first place, and it makes sure employees know how to identify a breach and take the appropriate steps if one does occur.
How is training carried out?
3CS provides the following training:
1. General GDPR training covering the key aspects of GDPR compliance.
2. General data breach training for employees. This session covers what employees need to know about data breaches including how to prevent breaches, how to identify them, and what to do if there is a breach. We also go through case studies as part of the session.
3. Data breach training for management and those responsible for data protection. This session is aimed at those within an organisation who make decisions about data protection, including senior managers. It covers general compliance strategy for preventing breaches, putting in place a data breach response plan, and what organisations should do if they suffer a data breach. This session also includes practical case studies.
The ICO recommends that those carrying out specialised roles or functions with key data responsibilities be provided with additional training which goes beyond the general training provided to employees.
Separating training in this way also helps to ensure that all individuals are provided with training appropriately tailored to their roles. If you would like further information about the training we provide or assistance with preventing or dealing with data breaches, please contact the Corporate and Commercial department at 3CS or your usual 3CS contact.