Recent research commissioned by Citrix and carried out by Censuswide returned some concerning results regarding employees’ attitudes towards data security in the workplace. The research found that only 35% of employees regularly use passwords to protect files at work, and just two in five are vigilant about shredding sensitive documents. It’s no wonder then that IT insights and trends website Tripwire reports that 59% of data breaches occur not because of malicious hackers but because of simple employee carelessness.

While customer data breaches most often hit the headlines, attacks on data pertaining to product information, design, marketing and financial plans could all have significant consequences for a business.

The good news is that Censuswide also found that 90% of the employees surveyed were aware of the importance of data security. Clearly, employee training is essential to bridge the gap between recognising the value of vigilance and knowing how to protect data.

Employee knowledge is your hidden weapon

While up-to-date security software is vital, it will be of little use if your employees aren’t properly trained to use it. Further training to establish policies and procedures concerning security is also vital. All too often staff simply aren’t aware of their central role in maintaining security. Michael Cobb, founder and managing director of Cobweb Applications, says an effective training programme “has to make it clear that information security is an integral part of everyone’s job with ownership, responsibility and accountability for risk made obvious in policies and job descriptions.”

Furthermore, it’s important that such training is periodic: as technology advances faster and faster, so too must staff be kept informed of the very latest procedures and techniques. “Due to continually evolving technologies and threats, you will need to update and repeat your awareness programmes as you update your security policies,” continues Cobb.

In between formal training sessions, information on how to stay vigilant against data breaches must continue to flow. Chris Mayers, Chief Security Architect at Citrix advises providing “an internal web page with a one-page list of enterprise services – e.g. ‘to do that, use this’ – and a cheat sheet for each service.” He cautions that being rigorous about updating this page is imperative.

“Simply purchasing the new technology won’t increase your level of security,” concludes Dejan Kosutic of 27001Academy.com. “You also have to teach your people how to use that technology properly, and explain to them why this is needed in the first place. Otherwise, this technology will only become what business owners fear the most—a wasted investment.”

VinciWorks’ vast and expanding cyber security training suite prepares users for all cyber risks. It includes hours of training, hundreds of micro-learning modules and topics from social media to IT security. These courses and micro-learning units can easily be configured into a multi-year training plan.

It’s rare for one of the world’s largest corporations to oppose a court order, ostensibly made in the name of national security, and be applauded for it.

Yet Apple declining to help the FBI access San Bernardino shooter Syed Farook’s iPhone has been backed by prominent figures including Google CEO Sundar Pichai and NSA whistleblower Edward Snowden, as well as thousands of privacy-conscious consumers.

That’s not to say there isn’t backing for the FBI, with Microsoft co-founder Bill Gates and controversial figure Donald Trump among those suggesting Apple should not obstruct the FBI’s investigation.

Cyber security balance to be reached

Balancing individual privacy with national security is proving to be a compelling subject, and it’s possible that there’s no right answer. Indeed, Apple’s stance – that helping the FBI access the iPhone would set a dangerous precedent for its users’ privacy – has been divisive.

But Apple knows only too well the damage that can be done by losing the public’s trust around privacy. Past hacking scandals and data breaches have significantly impacted their sales and share prices, taking months to recover from. Indeed, some commentators have accused Apple of turning this debate into a marketing campaign.

Regardless of your take on the ethics of this debate, Apple’s stance suggests that, where PR and marketing is concerned, individuals’ privacy seems to trump all else.

About VinciWorks

We help businesses train employees in cyber security topics with online courses including Data Protection, Information Security and Records Management. Contact us now to discuss how our online training can improve your company’s data privacy efforts.

Image Credit: Mike Deerkoski

Hot on the heels of the General Data Protection Regulation’s approval last week, an agreement has been reached between the EU and the US for transatlantic data flow.

The EU-US Privacy Shield will replace Safe Harbour, the framework which allowed the transfer of personal data from the EU to the US until it was ruled invalid last October for failing to protect EU citizens’ privacy rights.

A decision on the new framework will be welcomed by US titans including Google, Apple and Microsoft, who bank on data from the EU – but what’s going to change, and what impact will it have on your business?

The major changes made by the EU-US Privacy Shield include:

  • US companies will be obligated to comply with specific rules related to protecting EU citizens’ personal data
  • Safeguards and clear limitations designed to prevent mass general surveillance of EU citizens by the US government
  • A specially created US ombudsperson to handle complaints from EU citizens with concerns over their data privacy

The proposed changes would ease the pressure on EU businesses which rely on cloud-based services in the US such as HR, CRM and marketing platforms, which are difficult to balance with data protection compliance.

In its current form, Privacy Shield may ultimately amount to business as usual for many companies. It is, after all, designed to enable rather than prevent the transfer of data.

However, these developments do highlight the requirement for businesses to be aware and in control of where their data is stored and the compliance of third parties – a matter of increasing importance given the General Data Protection Regulation’s requirement for transparency.

Notably, the proposed EU-US Privacy Shield has hardly been universally welcomed, and assurances from the US government around mass surveillance have been questioned, with the 2013 NSA scandal that prompted the change in legislation still fresh in many people’s minds.

It remains to be seen how this growing scepticism and increased concern over personal privacy can be balanced with the economic benefits of the data economy, and it’s likely that data protection legislation will continue to evolve in trying to find that balance.

Whatever changes are made to data protection legislation, VinciWorks clients can rest assured that our compliance eLearning will be kept up to date in line with any legal requirements that may arise.

Contact us today to learn about how we can help you deliver data protection training that’s always up to date with current legislation.

With the number of high profile examples of big businesses being targeted by cyber criminals, it’d be easy for small and medium-sized enterprises to overlook their own vulnerabilities.

Many SMEs possess customer databases to rival those of larger businesses, but tend to lack the security infrastructure to match – making them highly valuable targets for cybercriminals.

In recognition of this problem, the ICO released a tool last week designed to help SMEs assess their compliance with the Data Protection Act.

The tool contains a number of checklists covering the essential elements of cyber security including data protection, records management and information security. If you’re an SME, we highly recommend making use of this free tool to assess your own DPA compliance efforts.

Data Privacy Training

One crucial element the ICO recommends for data protection compliance is training, an area in which SMEs can easily compete with larger organisations – and something VinciWorks can help with.

Our responsive, multi-device eLearning covers all subjects the ICO recommends SMEs deliver training in for Data Protection Act compliance.

Not only are our eLearning courses responsive and deliverable on mobiles, tablets and personal computers, they also provide a robust audit trail, an essential element of any data protection policy.

Contact us today for guest access to our information governance eLearning courses or to discuss how we can help you comply with the data protection act.

So you’ve implemented a new data protection policy, trained your employees, and you’re confident your business is now in compliance with data protection regulations.

You might think your work is done, but if you stop there, you’re missing out on a golden opportunity to turn your data protection policy into a competitive advantage.

Privacy has never been more important to consumers than it is today, and with the number of high profile data breaches in the news and the impending General Data Protection Regulation, it’s only going to become more important.

In today’s privacy-conscious marketplace, data protection is about more than compliance – it’s about trust. So, what can you do to make the most of this marketing opportunity? Here are our tips:

1. Make information on how you handle data easily available on your website

This is the absolute minimum you should be doing nowadays. Customers want to know what data you’re collecting and why – and you’re legally obliged to make this as transparent as possible.

A terms and conditions page may help you comply with data protection regulations, but clear, prominent messages explaining why you collect data and how it helps you deliver your services will boost consumer confidence in your business.

2. Make it clear what data you’re collecting and why WHENEVER you collect it

Many websites today ask for permission to store cookies, and paper forms have included consent checkboxes for years, but data protection should ideally be part of the conversation during every transaction whether via your website, email, social media, over the phone, or in person.

By always telling customers what data you’re collecting and why, you’ll not only ensure compliance, you’ll also demonstrate how seriously your business takes data privacy and earn the trust of your existing and potential customers.

3. Get consent for anything data will be used for

It’s your responsibility to check that individuals have consented to be contacted by you before you make contact, but this is the minimum you should be doing to earn the trust of your customers.

The proposed General Data Protection Regulation will require that consent be specific to each purpose for which you use the data – an excellent opportunity to make it absolutely clear how the data you collect helps your business to deliver the best service it can.

4. Be clear about how consumers can opt out and have their data deleted

It’s a legal requirement that businesses allow customers to have their data removed, but many businesses fail to make this process clear – perhaps out of fear that too many customers will avail themselves of the service.

This is counterproductive when it comes to gaining trust, and in the long term will cost you customers who are suspicious of giving personal information to a company they don’t have confidence in.

5. Create a data privacy culture among employees

Every employee should receive training in data privacy issues, but it’s especially important for those facing privacy-savvy customers. Expect your staff to face some tough lines of questioning about your data protection policies in the future, which may even be the difference between making and losing a sale, especially when it comes to larger companies.

Being able to explain your processes clearly and demonstrate that data privacy is part of the culture will prove your business can be trusted with the customer’s data before they even need to ask the question.

6. Make sure the customer journey is fluid, especially where their data is involved

Your customers expect you to be well organised and in control, especially when it comes to their data.

Whenever a customer has an enquiry, your employees should use the necessary access controls, such as security questions, to verify who they’re speaking to. Once verified, make sure your employees will be able to easily find what they need – you don’t want customers thinking you don’t know what you’re doing, especially when it comes to their privacy!

7. Respond accordingly in the unfortunate event you suffer a data breach

Creating a data privacy culture makes a breach less likely, but it cannot rule one out. If you do suffer a breach, how you respond could be the difference between irreparable damage to your reputation and a minor blip.

Contact everyone who may have been affected immediately. If customers find out you tried to keep a breach quiet, your reputation will be ruined. As part of your response, put as much resource as you can into offering support services and helping customers to take any steps necessary to secure their privacy.

What VinciWorks offer

If you’re looking for a cost effective way to create a data privacy culture then consider VinciWorks’ Compliance Essentials eLearning courses or our introduction to Data Protection eLearning courses. Delivered online and accessible on computers, tablets and mobile phones, our compliance eLearning courses enable you to shape organisational culture and generate an automatic training record for audit purposes.

Compliance with data protection regulation is often seen as a bane of the IT department’s life, so it’s no surprise that efforts are sometimes focused solely on meeting the minimum legal requirement as quickly and easily as possible.

Regulations can feel like barriers that get in the way of doing business, but there are benefits of creating a data privacy culture that go far beyond compliance.

So, apart from avoiding legal repercussions and fines – which could be up to 4% of global annual turnover once the General Data Protection Regulation (GDPR) comes in – what other benefits might businesses expect?

1. A data privacy culture gives you a competitive advantage

When choosing which businesses to deal with, customers increasingly want to know their data is in safe hands.

Full transparency around the data you collect, what it will be used for and how customers can control it will be one of the core requirements of the GDPR, and customers will look elsewhere if businesses don’t win their trust.

By being one of the first to implement a transparent data privacy culture, you could be what leads a potential customer to choose you rather than a competitor.

2. You will (by necessity) develop a better understanding of how your data is used

To be transparent about how your business processes data, you need to develop an in-depth understanding of it, including identifying every point at which data is captured, where it is stored, how it is accessed, and how it is destroyed.

Getting to grips with all of this may require initial effort in defining and redefining processes as well as employee training, but will pay dividends in the long run.

Better organised, more centralised and more accurate data makes streamlining processes and meaningful analysis possible, and far more straightforward than if your data culture is a free-for-all.

3. Good data handling builds trust among employees

One of the main focuses of the GDPR is to empower consumers regarding the data businesses hold on them, and the discussion around this has increased widespread awareness of data privacy issues.

Data privacy has therefore become as much an ethical issue for your employees as a legal one. They’ll want to know the business they’re working for respects the privacy of consumers in the same way they demand their own privacy be respected by the companies they buy from.

Implementing a data privacy culture will therefore make your best employees more proud to work for you – and more likely to stay.

4. Your business will be more secure

Though it can sometimes feel like it, data protection regulation doesn’t serve solely to meet the best interests of consumers. Compliant businesses are protected in equal measure, and implementing a data privacy culture makes businesses far less vulnerable to cybercrime.

Why? Because all of the processes, policies and training required in creating a data privacy culture strengthen the biggest data liability in your business: your employees. The vast majority of data breaches are caused by individual errors, some of which are unforced, and some the result of hackers exploiting the naivety of employees through techniques like phishing and social engineering.

Embedding a data privacy culture is the surest way to secure your business against these threats at the same time as complying with data protection regulation.

How VinciWorks can help

Our Compliance Essentials Suite is a cost effective training solution for creating a data privacy culture. Compliance Essentials includes a number of information governance eLearning courses covering data protection legislation, records management and information security.

Compliance Essentials also includes delivery through our Astute eLearning Platform and all courses are regularly updated to reflect changes in legislation and best practice at no extra cost – so when the General Data Protection Regulation is in place, subscribers will not need to budget for additional training.

In a recent blog post, David Smith, Deputy Commissioner and Director of Data Protection at the Information Commissioner’s Office wrote about how businesses can prepare ahead of the upcoming EU Data Protection Regulation reforms which are likely to be finalised before the end of this year.

Once finalised, there will be a two-year transition period before all data protection regulation is harmonised among the EU’s 28 member states.

Once in place, the regulation is expected to require businesses to give customers greater control over their data, and penalties for data protection breaches are likely to increase significantly.

Start to prepare sooner rather than later

Although the final regulation is yet to be agreed, there are a number of steps businesses can begin to put in place to ensure they’ll be well positioned to comply with them once they are finalised.

These include:

  • Establishing clear processes and policies for all data-handling activities and systems which can be audited and communicated should individuals request information on them
  • Considering how those processes and policies will be communicated to staff, and how you’ll keep track of who has been made aware of them
  • Establishing a process for revising those processes and policies so that they can be brought into line promptly once the EU Data Protection Regulation reforms are finalised

Simplifying staff training

VinciWorks specialise in compliance eLearning, and provide a number of courses related to information governance including Data Protection, Freedom of Information, Information Security and Records Management.

These courses enable your business to rapidly deliver training to staff online – meaning staff can complete their training when it fits in with their schedules.

And, with an eLearning platform such as Astute, which we use to deliver our eLearning, you can easily keep track of who has completed what course.

When regulations do change, ensuring your organisation is compliant will simply be a case of updating your eLearning courses – and of course, we’ll be keeping all of our eLearning courses up-to-date with any changes to regulations.

In the latest in a series of high profile data breaches, the personal details of up to 2.4 million Carphone Warehouse customers may have been stolen following a cyber-attack last Wednesday.

Notably, the cyber attack is thought to only affect the customers of three of the websites belonging to the group: onestopphoneshop.com, e2save.com, and mobiles.co.uk – leading to speculation that vulnerabilities specific to those particular sites were exploited.

Customers of Dixons Carphone’s Currys and PC World businesses, as well as “the vast majority of Carphone Warehouse customers”, are said to have been unaffected by the breach. They have nonetheless joined those customers whose data was accessed in expressing concerns over their privacy and safety, which highlights the need for businesses to put consistent and robust data protection policies in place that reach every corner of the organisation.

Shares in Dixons Carphone, the umbrella corporation containing Carphone Warehouse, have fallen by 1.75% following the attack.

The incident will now be investigated by the Information Commissioner’s Office, which has the power to impose a fine of up to £500,000 should the data protection in place be found to be inadequate.

Fines aside, it’s damage limitation for Dixons Carphone, which must now work to regain the trust of the 2.4 million affected customers, millions of concerned customers of its other businesses, and its shareholders.

The business world has been excited about the potential of big data ever since the term was first coined in 2001.

While information has always been a critical element of forming business strategy, big data means taking advantage of modern levels of computational power and data availability to extract meaningful insight from extremely large datasets in ways previously impossible.

Business possibilities

The possibilities promised by big data seem limitless. There is the famous example of US superstore Target reportedly identifying a teenager’s pregnancy before her father, having found a correlation between her purchases and those of pregnant women and sending her vouchers for baby products.

And, yesterday it was reported that Manchester City have teamed up with German software company SAP to use big data analytics in an attempt to improve performance on and off the pitch.

Put simply, by using big data, businesses hope to improve their products and services, create more effective targeted marketing campaigns, and improve productivity by analysing staff behaviour.

To implement a big data strategy and start extracting these meaningful insights, a business requires two things: a large amount of data, and a software system with which to analyse that data.

Luckily, as computers increase in power at almost the same rate that available data grows – roughly doubling every two years – both are now readily available, even to small businesses.

Risks to businesses

As businesses process increasing amounts of data in search of new opportunities, they also expose themselves to a number of risks, with concerns over cyber security increasing in the wake of the recent US data breach, now confirmed as having involved over 20 million names.

People continue to be the weak link in data protection – vulnerability to social engineering and individual mistakes can inadvertently grant hackers access to data, putting organisations at risk of serious data breaches. If and when proposed EU-wide data protection laws come into play, the risks will also include cripplingly large fines if security measures are not in place.

As companies increasingly utilise cloud-based software-as-a-service (SaaS) offerings and implement CRM systems to manage big data strategies, they must ensure that individual employees follow correct procedures to maintain data integrity and security.

Now, more than ever, data protection cannot be seen as just the concern of the IT team, especially when employees increasingly have remote access to large amounts of sensitive data.

Businesses must ensure that every single member of staff is acting in a way that protects the organisation’s data – or face the consequences.

Find out more about our Data Protection training – aimed at giving all employees the training they need to protect your business from data protection breaches.

Earlier this week, the European Council reached a general approach on regulation for Data Protection, bringing a complete overhaul of EU Data Protection law a step closer.

Before the proposed regulations become law, the approach will be debated by European Parliament, the European Commission and the European Council.

If made law as they stand, there would be significant implications for businesses operating in or with companies in the EU. Described as “rules adapted to the digital era” by the European Council, they could be agreed as soon as the end of this year, so it’s not too early to start considering how they could affect you:

One-stop-shop approach

While currently each EU member state has its own independent watchdog responsible for regulating data privacy, the new approach would apply a single set of rules across the EU – in theory, simplifying doing business in the EU.

This would mean that a company operating across several member states would deal with one lead data protection authority (that of the member state where it has its main establishment) under one unified data privacy regulation, rather than with a different regulator and a different national law in each country.

What this means for your business: the changes to the law are expected to be relatively imminent, so now is the time to start planning for a potential overhaul of your own data protection policies with a view to complying with new EU legislation.

Increased consumer protection

The new proposals include strict regulation around the collection and use of personal data, essentially giving more control and rights to individuals where their data is concerned.

This would include making it easier for consumers to access their data, the ability to remove data from companies’ databases (the ‘right to be forgotten’) or easily transfer data between companies.

What this means for your business: when collecting any data about consumers or staff, businesses will need to be increasingly transparent about what that data will be used for. The regulation also mentions ‘unambiguous consent’, which will have implications in all instances where customer data is collected, across businesses.

Security measures

With proposed fines of up to €1m or 2% of global annual turnover (whichever is higher), which for large corporations would run far beyond the €1m figure, there will be an increased need for businesses to implement security measures.

As well as the increased fines, data controllers would be responsible for notification of individuals affected by any data breaches, protecting consumers whose data is compromised.

What this means for your business: potentially huge fines for breaches, and additional requirements around data privacy are likely to increase the required investment in data protection for all businesses.

Data protection expertise

Our Compliance Essentials eLearning Suite includes a number of modules related to Data Protection which are aligned with the latest regulation. As the EU Data Protection law evolves, so too will our eLearning courses.

Implementing a programme of eLearning as part of your Data Protection policy ensures your staff have access to training on the latest legislation, minimising risk of data breaches and fines resulting from non-compliance.