Three steps to help your colleagues prevent data leaks
Human error is by far the most important cause of data leaks. According to information security specialist Daan Koot, these errors are caused by both employees and employers. How can organisations limit the amount of human error in handling sensitive information?
There is most likely no CISO in Europe who is not thinking daily about the consequences of the GDPR (General Data Protection Regulation). Recently, I had a talk with Daan Koot of SafeHarbour, who in his role as privacy and information security adviser (CIPM, Certified CISO) encounters the impact of this new legislation on a daily basis. One of his tasks is to audit the measures organisations take to prevent data leaks.
Many organisations now understand that their own employees play a crucial part in both causing and preventing data leaks. Most errors stem from ignorance about the sensitivity of the information and the vulnerability of the channels through which it is shared. According to Koot, employers themselves can also do more to prevent data leaks. In this article we discuss three things employers can do, according to Koot, to prevent data leaks.
1. Encourage data awareness
Organisations are performing insufficiently in creating data awareness amongst their employees. Koot often advises clients to classify all information available within the organisation. For this he uses three criteria: availability, integrity and confidentiality. How sensitive is the information? How important is the information? And what are the consequences for the user and the organisation if the information is not available on time? Following this process, organisations and their employees get a clear insight into the different data streams within their organisation and the necessity of properly securing them.
2. Avoid fake solutions
Organisations regularly introduce ‘paper solutions’ that have no practical use in preventing data leaks. As examples Koot mentions the obligation for employees to come up with a new password every month, or user agreements that are meant to prevent employees from using their BYOD phones and tablets in an unsafe way. The new passwords are often nearly identical to the previous ones, so they pose little obstacle to attackers trying to get past this layer of security. User agreements are often very long pieces of legal text that most employees barely read, let alone understand. This kind of fake solution results in a misplaced sense of security.
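The point about rotated passwords being nearly identical to their predecessors can be made concrete with a check that a password-change form could apply. The example below is added here and is not code from the article or from SafeHarbour; it uses only the Python standard library. The password history list is a constructed sample (not real credentials), and the function names, the normalisation rules and the 0.8 similarity threshold are assumptions chosen for illustration. In practice only the current password is available in plaintext at change time (the user types it into the form), so a real deployment would compare against that, not against a stored plaintext history.

```python
import difflib
import re

# Constructed sample: the kind of "new" passwords forced monthly rotation produces.
SAMPLE_OLD_PASSWORDS = ["Summer2023!", "Summer2024!", "Summer2024!!"]

# Common substitutions users rely on to make a password "different" (assumed list).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Reduce a password to the word a user is really reusing: lowercase it,
    drop leading/trailing digits and punctuation (the bits that get bumped on
    rotation), then undo the usual letter-for-symbol substitutions."""
    core = password.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", core)
    return core.translate(_LEET)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of matching characters between two strings (difflib)."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def is_acceptable(new_password: str, previous_passwords, threshold: float = 0.8):
    """Return (accepted, reason). The password is rejected when it reuses a
    previous password outright, differs only cosmetically from one, or is
    simply too close to one by edit similarity (assumed threshold 0.8)."""
    new_core = normalise(new_password)
    for old in previous_passwords:
        if new_password == old:
            return False, "reuses a previous password"
        if new_core and new_core == normalise(old):
            return False, "differs from a previous password only by case, digits or punctuation"
        score = similarity(new_password.lower(), old.lower())
        if score >= threshold:
            return False, f"too similar to a previous password (similarity {score:.2f})"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Summer2025!", "summer2024!", "Sumner2024!", "Tr0ub4dor&3"]:
        accepted, reason = is_acceptable(candidate, SAMPLE_OLD_PASSWORDS)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```

Running the block shows the three "rotated" variants being rejected while an unrelated password passes; the normalisation step is what catches the year-bump and extra-exclamation-mark patterns that a plain equality check would wave through.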
3. Look for the balance between safety and user friendliness
Organisations that are strengthening their data security can go too far. If increased safety measures have too much impact on the work of your colleagues, they will start looking for ways around them. The challenge is to strike a balance between safety and user friendliness. The ideal solution will not only allow employees to work more safely, but will also add to their awareness. One way to do this is to warn them at the moment they are taking a possible safety risk. This way you prevent data leaks and make sure the approach is carried throughout your company.
We have described all the necessary steps you have to take in order to meet the GDPR legislation in our checklist. This document elaborates on topics such as drawing up a processor agreement, obtaining consent for processing personal data, and the security measures that have to be taken.