Cyber Security

Cyber security for employees: why data protection isn’t just for techies

Data protection and cyber security aren't just a concern for those at the top of a business; they're for everyone, as Tom Hanson reports...

Most young people are falling short when it comes to basic data protection methods, according to the government's Cyber Aware campaign. Despite the 18-25 demographic being more familiar with the latest technology, researchers have found that 52% are using the same password for more than one service. Additionally, all 2,261 respondents to the survey admitted they’d sent some form of identification, such as a passport or driving licence, as well as their bank details via email, mobile or online messaging systems. The findings have since elicited a response from the national cyber-protect coordinator with the City of London police, Detective Inspector Mick Dodge, who said: “Your email account is really a treasure trove of information that hackers won't hesitate to exploit.”

A secure system isn’t enough

This idea that unsecured systems and unprepared users are ripe for picking is something major security firms are constantly warning against. From a technical perspective, businesses should have a number of systems in place with regard to data protection. As well as using software to identify data security vulnerabilities, companies should also be following privacy guidelines such as the General Data Protection Regulation (GDPR). In other words, any business that has an online presence needs the right physical and operational data protection safeguards in place. But, as the government research shows, a secure system only solves half the issue. Yes, the latest data security software uses machine learning to study user behaviour and identify dangerous patterns, as well as data masking and other sophisticated methods. However, a company should be looking to mitigate these risks before they happen.

Without a basic understanding of cybersecurity, an unprepared user can still cause damage to a secure system. On a day-to-day basis, not every given employee needs to know the intricacies of GDPR. Although these guidelines outline the ways in which businesses processing data within the EU must handle the information they collect, the onus falls on a designated data controller to implement and monitor how that happens. Indeed, with fines for individuals topping as much as £500,000 and 4% of a company’s global turnover, the penalties for breaching GDPR are stiff. However, the average worker still needs to know some basics that will help shield the company from GDPR fines - and of course, leaks themselves.

Everyone needs a basic level of knowledge

What all employees need to know is basic security practices. The first piece of training any new staff member should undergo is navigating any and all internal IT systems. Learning to spot official requests from the tech team, knowing which system messages are legitimate and how to update their computer accordingly are all important. Indeed, although a security team can't provide complete protection, they can put the necessary framework in place, which users should then be taught to operate within. Beyond maintaining the strength of a corporate system, users should be told which data should be kept online and which shouldn’t. Storing sensitive company information, as well as personal information such as bank details, addresses, passports and more, should be avoided if necessary. Moreover, every user should update their passwords regularly and try to use an all-in-one service such as LastPass. As well as generating unique, secure passwords, LastPass can autofill entry forms, which reduces the risk of a password being stolen by a keylogger. This sort of training should be offered to every employee, regardless of their position in the company.

According to the Ponemon Institute, the average cost of a single lost data file is now $141/£101, which suggests that the average small business in the UK wouldn’t need to have too many records stolen before it hit financial trouble. Indeed, with government research showing that young, supposedly tech-savvy types are making basic data protection mistakes, training every member of staff should no longer be an optional extra.