Human error is consistently identified as the most significant cause of data breaches:
- The ICO’s financial report of 2017/18 identified that four of the five leading causes of data breaches could be attributed to human error. These were simple errors, including sending data to the wrong recipient, loss or theft of paperwork, failure to redact data, failure to use blind carbon copy (BCC) when sending emails, and unencrypted devices being lost or stolen;
- Some 43% of global data breaches result from phishing emails – and humans clicking where they shouldn’t;
- Experion exposed the personal information of 145 million people in the United States and more than 10 million UK citizens because the IT department failed to address a known software vulnerability, despite having been warned about it;
- In August 2018, it appears that an employee at Strathmore secondary college accidentally published more than 300 students’ records on the school’s intranet.
It’s no surprise, then, that the GDPR requires that your staff receive cyber security awareness training covering the GDPR and how to protect personal data. In fact, the ICO’s data breach reporting form includes the question “Had the staff member involved in this breach received data protection training in the last two years?”
CSAT from PAAC IT
We offer a Cyber Security Awareness Training course for staff of small organisations. It’s often difficult to keep what can be a dry topic interesting, and we have tried different techniques that seem to be working. The Directors of GTA Civils said “We have had very positive feedback from members of staff and the course was a real eye opener for them. All said that you managed to make a very boring subject interesting.” They must have been impressed, as we have just completed a refresher course.
Our course is conducted face to face, and we encourage discussion throughout. By the end of the session, participants should:
- Understand the key elements of the GDPR;
- Understand the risks posed to the business by cybercrime and data breaches;
- Know how to protect themselves, their workstations and your business from cybercrime and data breaches; and
- Know where to go for help.
We have a standard course outline that we adapt for each organisation:
- Our course kicks off with a discussion on why this is important to the participants – in no small measure because under the GDPR, fines and other enforcement actions can be levied against individuals. We use a series of recent enforcement actions from the ICO to make the scenarios and implications real.
- The GDPR sections of the course cover the principal definitions of Personal Data, Controller, Processor and data breaches. We move on to look at the six principles and what they mean, together with Subject Access Rights;
- The main section of the course discusses:
  - Statistics on the likelihood of data breaches and the potential financial impact of a data breach;
  - The main causes of data breaches and how to protect against them – phishing, access controls, malware (including ransomware) and human error;
- The summary wraps up with best practices drawn from throughout the course; and finally
- Where to go for help.
More recently we have included “Martin the florist”, our fictional Lego florist – we even have a little poem to introduce him. The story follows Martin as he sets up his business, builds his customer database and starts marketing to customers. It recognises that Martin can’t do everything on day one, but he can and does progressively increase his cyber security defences over time. We use a Lego castle, guards, spears and horses to bring the story to life.
We would be delighted to run CSAT for your organisation – please call us on 01428 770 290 or click to send us a message.