Inadequate employee training exposing large businesses to cyber risks
25 June 2018
Even though many large businesses in the UK have employees working off-site and a majority of them expect the option to work remotely to increase in the next five years, many of them have failed to adjust their data protection policies to safeguard their data from emerging risks.
A recent study carried out by Shred-it has revealed that despite allowing their employees to work at off-site locations, many large businesses in the UK are failing to adjust their data protection policies to meet emerging risks or to appropriately train their employees in identifying risks and exposures.
The option to work remotely gives employees the flexibility to maintain their efficiency even when they are not at their desks and to stay in touch with their colleagues using company-supplied devices. However, it also exposes them to new risks such as unsecured public Wi-Fi networks, loss of devices in the field, or malware infection from malicious websites or apps.
As such, it is important for organisations to devise appropriate data protection policies to ensure the privacy of enterprise and customer data handled by employees working off-site. Even though this is the most logical course of action, many organisations are either not curating their data protection policies or are not able to educate their employees about new policies.
Inadequate employee training on cyber risks
According to research by Shred-it, even though 75 percent of C-Suites in the UK have policies in place for storing and disposing of sensitive data for employees working off-site, employees at 22 percent of such organisations are not aware of these policies.
To be more precise, 30 percent of large businesses do not train their employees in identifying fraudulent emails, 35 percent do not explain the importance of reporting a lost or stolen device that contains enterprise or customer data, 43 percent do not train their employees in keeping sensitive information out of sight when working in a public space, and 45 percent do not educate their employees about the perils of connecting to public Wi-Fi hotspots.
This is despite the fact that 95 percent of large businesses and 52 percent of small businesses in the UK have employees using off-site or flexible working models, and 90 percent of large businesses have no plans of changing such working models.
“In open-concept workplaces, sensitive information is often on display with nothing stopping prying eyes from peeking at confidential data. When modernising their working environments, employers should take precautions to mitigate the increased risks of open offices. The best way to do this is to have solid policies in place and provide thorough and regular training to employees.
“The overwhelming majority of large British businesses (93 percent) provide some form of training on physical information security to their employees, but only 46 percent of SBOs report doing the same. In both cases, large proportions are not training in critical areas,” Shred-it noted.
The firm also noted that even though a whole month has passed since GDPR came into effect, just 46 percent of large businesses have reviewed policy notices in light of GDPR, just 44 percent have documented the lawful basis for data processing, 44 percent have assigned a data compliance officer, and just 39 percent have updated procedures for detecting, reporting and investigating a data breach.
“Businesses need to take a holistic approach to data security and privacy. By incorporating information security into all aspects of their operations, business leaders can help create a global environment in which data risks are minimised and consumers trust companies with the information they need to deliver products and services,” the firm added.
Increasing awareness among consumers
While the threat of huge fines under GDPR should propel large businesses to fine-tune their data protection policies and practices, businesses should also take note of the fact that consumers are nowadays getting savvier and more informed about data security issues.
A large proportion of British consumers are now demanding better protection and more information about how their data is being stored, distributed and used, and businesses should therefore take all steps possible to ensure they do not suffer embarrassing breaches or leaks.
For instance, 86 percent of consumers consider the data protection credentials of organisations a major criterion when choosing a bank, 79 percent consider data protection when picking a legal firm, 76 percent when taking a job, 70 percent when choosing a car dealer, and 69 percent when choosing a hotel.
“By addressing consumers’ concerns about the way businesses handle sensitive information and communicating the shared responsibility of consumers to safeguard their data, British businesses can also protect themselves from the financial and reputational consequences of breaches,” Shred-it added.