Shane Chambers

The Information Commissioner’s Office (ICO) in the UK has issued a statement that organisations that train their staff in data security will be less likely to receive a fine or monetary penalty. The ICO recommends that at least 80% of an organisation’s staff be trained in how to handle sensitive data and keep it secure. A spokeswoman stated that “reasonable steps” must be taken to secure data, and that “full account of the facts” will be taken into consideration if a data breach is discovered.

At least 80% of an organisation’s staff should be trained on keeping data secure. Human error remains the top cause of data breaches.

“In deciding whether it is appropriate to impose a monetary penalty and in determining the amount of that penalty, the commissioner will take full account of the facts of the contravention and of any representations made to her,” said the ICO spokeswoman. “That includes whether or not ‘reasonable steps’, such as staff training, were taken to prevent the contravention.”

In 2015, phishing and malware (31%) overtook human mistakes (24%) as the leading cause of data breaches. However, because phishing attacks target staff who are untrained and may lack cyber awareness, it is believed that human error or lack of staff training accounts, in total, for more than half of data breaches. In particular, the majority of phishing emails are believed to carry some form of ransomware. A ransomware infection can itself be treated as a data breach, especially under the upcoming GDPR, whose definition of a personal data breach covers the destruction or loss of personal data and not only its disclosure. Training staff in handling sensitive data, avoiding phishing scams and preventing cyber/data breaches is becoming increasingly important in today’s digital environment. Traditional training using PowerPoint presentations or dull training videos is falling out of favour, with companies now finding it more effective (and cheaper in the long run) to provide their staff with ongoing security awareness training.

Even more worryingly for companies who have yet to train their staff, fines will increase substantially under the new EU regulation, the GDPR, which applies from May 2018. Under the new regulation, the most serious infringements may be fined up to €20 million or up to 4% of annual global turnover (whichever is higher). Last year, the ICO handed down fines totalling £880,500, which would have been a whopping £69 million had the breaches occurred after the GDPR comes into effect. The GDPR also makes staff training an explicit compliance matter: Article 39(1)(b) lists awareness-raising and training of staff involved in processing operations among the things the Data Protection Officer must monitor, and the accountability principle in Article 5(2) requires organisations to be able to demonstrate their compliance, so the training process must be evidenced. Data protection training for staff has long been crucial, and cyber security awareness is now becoming an integral part of any company’s strategy to prevent data breaches.

In June, the local council in Medway, UK, was served with an enforcement notice requiring it to roll out mandatory training to all staff and to monitor and document the process. This decision followed two data breaches, after the council had previously ignored the ICO’s recommendation to provide training for staff. This is a trend we fully expect to continue, with both national and international laws closing in on companies that do not provide a significant portion of their staff with data/cyber security training.

However, while awareness training for staff is critical, it is not the only step the ICO and the GDPR expect when it comes to mitigating fines for breaches. Tim Turner, a data protection trainer and consultant, has said that if the data breach in question is serious enough, the number of trained staff may not be enough on its own. “If there is another obvious breach – like a lack of encryption, or poor or absent procedures – it may make no difference,” he said. “But having trained the large bulk of staff is part of building a case that it was an unavoidable accident, where someone makes a mistake.”

We always recommend a comprehensive approach to cyber security, with GDPR-aligned policies and procedures in place, a regularly tested backup & disaster recovery solution and next-generation antivirus and firewalls implemented in addition to ongoing training and testing of staff.