Managing the biggest data breach risk – your people
Countries worldwide are considering mandatory data breach notification schemes and protocols, and Australia is no different. If your organization is one of the many affected by the new laws that came into effect on 23 February 2018, your people should be a key focus in your continuing efforts to ensure compliance.
Even with the best IT security technology in place, it's ultimately a person that's going to recognize a data breach and raise a red flag. And it's your frontline people, rather than security experts, who bear a large part of the burden of protecting data.
Here are four steps toward getting your people on board and managing the risks around data breaches.
Step 1: Create an authentic corporate culture
A clear and authentic message about the protection of data must come from the top, with a strong and proactive compliance program that goes to the very heart of protecting data. Middle managers should communicate the reasons to support the message that data protection is extremely important to the organization. They should also go one step further by walking the talk and, if someone does raise a potential breach, handling any reports appropriately.
By communicating the behaviors you want to see in your staff, and empowering others to speak up when things go wrong, you encourage the actions you want to see in staff when it comes to managing data.
Step 2: Define clear responsibilities
Make sure everybody knows the part they play in identifying and reporting a breach. This includes handling reports, assessing the impact of a breach, and following up with remedial actions and potential notification to the regulator.
Responsibilities for your frontline employees are going to be very different from those of people in specialist roles, so cascade your information throughout the organization in a way that supports those distinctions. Most staff probably don't need to know the fine details of the legislative provisions. Instead, a practical focus on the principles of the legislation is what matters: how to identify and detect a breach, and how to report one.
Step 3: Provide support with clear processes
Clear responsibilities need to be supported by simple processes – and you need to make sure the processes are plainly communicated to the right people.
For example, Australia's Notifiable Data Breach Scheme requires several things to be completed: containing the information as soon as a possible breach has been identified, putting remedial actions in place following the breach, and making a notification when one is required. Having clear processes for each of these is important, along with clear and up-to-date policies.
Step 4: Deliver a campaign of training and awareness
Consistent and clear messaging and communications about data privacy helps to keep the topic and the risk area top of mind for everybody.
Key in this endeavor is a robust training program that addresses prevention, detection, containment, reporting, and notification. Training delivered for its own sake no longer works, whether it is a one-off course or an annual refresher. Adopt a campaign-based approach that combines training with awareness and communication tools – not just training courses – to remind people regularly of the importance of data privacy and of the organization's commitment to it.
Data breach prevention: the final step
So, you've put all your efforts into making sure the message about protecting data comes from both the top and the middle. You've defined responsibilities clearly, established processes and invested in robust training. A final, and important, element in the equation is building a 'speak-up' culture into any training program. If people – your biggest data breach risk – fear reporting a breach or an incident to security… you've failed.
Remember, your people may be your greatest data breach risk, but they are also your best opportunity to detect and prevent serious data breaches.
To find out more, watch the SAI Global webinar on this topic.