LEXR — News
26/02/2020
Close
by Anna Maria Tonikidou

Employee Awareness as the Key to IT Security and Data Privacy

Employees are one of the biggest vulnerabilities when it comes to IT security and data breaches within organisations.

From falling victim to a hacker impersonating your company's CEO, to leaving confidential documents in the printer, or sending an email containing sensitive information to the wrong recipient, most IT security and data breaches take place due to human error. This means that the thousands of francs that are invested in state-of-the-art IT security tools can be undone by one absent-minded click on a phishing email.  

To mitigate this risk, IT security and data privacy awareness training highlights the importance of data protection for the company and each employee's role in safeguarding personal data. Data privacy affects all aspects of a business, meaning that staff members need to understand IT security and data privacy threats, be familiar with the security measures in place, and know their tasks in case of a data breach. 

In this post, we will examine the most important reasons for data privacy awareness and the key takeaways for training. 

 

Why is IT security and data privacy awareness important? 

The four main reasons why you should conduct data privacy awareness training for your staff are: 

1. Reduction of the risk of successful hacker attacks and data breaches 

By carrying out regular IT security and data privacy trainings, you can build a culture of privacy that pervades the entire organisation. When staff members are aware of the risk factors that can cause IT security and data breaches, there is less chance of bad actors gaining access to your confidential information, hijacking your systems, or leaking customer data. 

2. Building trust with business partners and customers 

The coming into effect of the General Data Protection Regulation (GDPR) marked a spike in data privacy awareness. Business partners and consumers that share their data with you are increasingly concerned about the security of their data. Trust is the fuel of your business, and a culture of privacy is, at its core, a customer-centric culture. Well-trained staff can create business opportunities by demonstrating to your business partners and customers that you protect the confidentiality, integrity and availability of their data. 

 3. Compliance with privacy laws  

The new revised version of the Federal Data Protection Act (FADP) in Switzerland, the GDPR in the EU, and several privacy laws around the world impose strict sanctions in case of data breaches. It is therefore vital that your staff understands the importance of protecting personal data, is familiar with your policies, and puts your procedures into practice. 

4. Demonstrating commitment to data protection 

Accountability is a key principle of the GDPR. Demonstrating data privacy training for the employees shows the company's engagement and commitment to data protection. Supervisory authorities and business partners can be provided with a record of staff training at their request. 

 

What does every employee need to know? 

While specific roles such as HR or IT development will need additional training to address the special responsibilities of their functions, we have compiled a list of key requirements every employee should be aware of.  

1. Regularly install updates to software 

Every piece of software the employees use on a daily basis requires frequent security updates. Without them, any device could be at risk for becoming a dangerous access point for malware or a source of data breaches. Make sure the employees are aware of the importance of installing updates to software. 

2. Identify social engineering attempts 

Most data hacks begin with a successful social engineering attack. In a social engineering attack, a hacker uses a fake identity or impersonation in order to obtain access to company systems. For example, an employee may receive an email from a fake address in the name of the CEO or CFO, requesting the access code to or simply a copy of confidential documents.  

Here are a few ways to identify and obstruct phishing attacks: 

  • Look for spelling errors in the domain name or email address of the sender 
  • Be wary if anyone is urgently asking for personal data  
  • Do not click on any suspicious links you were not expecting 
  • Do not open files you were not expecting 
  • Regularly back up your data. 

The most important takeaway here is to ensure that employees take time to think before interacting with any unexpected emails. You may also get creative with mock phishing emails as a training tool.  

3. Choose a strong password 

Password theft is one of cybercriminals' preferred weapons for carrying out their attacks. Choosing a password might seem simple, but you would be surprised how many of the employees would use 'qwerty', '123456' or 'password' as their password if you let them. 

Here are some password best practice ideas to include in your company password policy: 

  • Choose a password with a combination of eight or more letters, numbers, and characters 
  • Avoid passwords based on a single, common word that can be found in the dictionary  
  • Avoid passwords that contain the name of the associated system, e.g. 'Sharepoint123' 
  • Use different passwords for your work and personal accounts 
  • Update passwords regularly. 

4. Lock your screen  

It is important that employees don’t leave their computer available to anyone that can cause damage to their identity or the company. Remind them to lock their screen each time they step away from their computer to reduce the chances of unauthorized access.  

5. Respond to IT security and data breaches 

Be it a malware attack, phishing scam or data breach, time is of the essence and it is important for employees to know how to respond to an incident. Employees should be at least aware of the following: 

  • How to recognize IT security and data breaches 
  • What immediate action to take (and what not to do) in case of an incident 
  • How to report an incident (who to call, what information to share) 
  • What to do with a device that is believed to be compromised. 

 

Conclusion 

Creating a human firewall for your organisation is one of your most cost-effective investments in the data privacy and cybersecurity field. Employee data privacy and IT security awareness can help employees go a long way in protecting their company's data assets and IT infrastructure. We at LEXR have partnered with the IT security specialists at ensec AG to provide holistic data privacy and cybersecurity training – see our offering here: https://products.lexr.ch/it-security-and-data-protection