Cyber Risk Aware Blog

EU Businesses: Will Your Human Security Be GDPR-Ready In 2018?

[fa icon="calendar"] Dec 18, 2017 2:01:00 PM / by Stephen Burke

Stephen Burke

GDPR + EU BusinessesCyber Risk Aware wants to ensure every business in the EU is focusing on the most important element of cyber-security while complying with the upcoming GDPR - the human element.

On 27 April 2016, the European Parliament and Council passed the General Data Protection Regulation (GDPR) - a series of binding laws designed to strengthen cyber-security and protect consumer data across the entire EU. A two-year lead time was built into the regulation, and it is going to come fully into effect on 25 May 2018.

Under Article 39 of the GDPR it is clear that creating the right physical and technical security needs the support and attention of senior leaders in the organisation. In order for a company to be truly compliant, all staff must be well-informed and thoroughly trained so that an organisation can prevent sensitive data being accidentally or deliberately compromised.

That doesn't leave much time for European businesses to ensure they are fully in compliance.

Chances are, you have already been following many of its new directives - investing in new technology as needed, drafting internal security procedures, and establishing accountable Data Protection Officers. However, have you been investing time and consideration into your human security measures as well?

Proper cyber-security requires co-operation across an entire company, from the very top down to the very bottom. If your employees and staff are not being prepared for the GDPR, it is high time to start training them.

The Importance of Human Security When Adhering to the GDPR

All too often, the human element is overlooked in discussions of cyber-security - and that is most unfortunate because it is often the weakest link in a business's security setup. One study in 2015 - CompTia's International Trends in Cybersecurity - found that human error was the cause of 52% of data breaches alone. Other studies suggest the number is even higher. A 2017 Lastline survey of cyber-security experts found 84% of attacks as being, at least in part, due to human error.

Simply put, it doesn't matter how much money a company spends on firewalls or anti-malware software or developing procedures, all it takes is a single ''oops!" from a worker to undermine it all.

Employees at all levels must understand the critical importance of their cooperation and compliance with security procedures. Increased training and testing will be key here. Some areas to focus on include:

  • - Awareness of the newest types of phishing attacks and other "social engineering" techniques. Maybe they can spot a "Nigerian Prince" style attempt, but what if the request seemed to be coming from their own CEO?
  • - Proper mobile device security: Strong authentication methods, procedures for reporting and deactivating lost/stolen devices, and the importance of never ever having protected data on a mobile device or laptop.
  • - Strong Internet safety awareness and security: How to spot unsafe sites, understanding HTTPS and security certificates, and why adverts should be avoided - or blocked entirely.

In short, you need a human firewall that's as strong as your hardware firewall.

Training and Testing Strengthens Your Human Firewall

To get your entire staff ready for GDPR regulations, testing can be the best tool to supplement your training. Tools such as phishing simulators and cyber-knowledge assessments can quickly let you know how effective your training is - and who needs more training before next May.

Contact Cyber Risk Aware for the tools that can help ensure strong human security.

Stephen Burke

Written by Stephen Burke