Are British businesses firing employees unfairly as a result of possible data breach negligence? Ian Osborne, Vice President UK & Ireland at Shred-it, tackles this thorny issue.
We all know that humans are invariably the weakest security link, and data breach after data breach reminds us of this fact. It may be an inevitable reality, but it is often a frustrating one for those responsible for networks. After all of the hard work and dedication that comes as part and parcel of maintaining the security and integrity of a network, it's understandable that networking professionals and business leaders alike take simple data security mistakes pretty badly.
Research from Shred-it and Ipsos conducted early in 2018 found that nearly a third of businesses that suffered a data breach have terminated a negligent employee's contract as a result. Is that a fair response?
Clearly, a sense of accountability is required, and the seriousness of maintaining best practice needs to be underlined now more than ever given GDPR. Many will feel that the only way to do that effectively with employees is by making a strong example of those that are negligent.
It is easy to think this way. After all, many of the most common attack vectors that bring down networks and lead to data breaches could seemingly be prevented by common sense. Think twice before clicking on an email link to ensure the source is trusted, don't use public Wi-Fi to access confidential information or work systems, etc. The trouble is, it's common sense not to leave the fridge door open or leave the car lights on, only to return to spoiled food or a car that won't start, yet many of us have done these or similar things. We are busy, we are human and we make mistakes. If we want to prevent routine mistakes in data security, businesses must train people to be ever vigilant and make best practice a habit - something they currently do not do.
In our research, just over half of large British businesses have trained their employees on using public Wi-Fi, but only 70 per cent provided training on identifying fraudulent emails: the latter was the highest response concerning critical security training. Overall, just 46 per cent of small businesses offer any of the key employee training that is necessary at all, with only a quarter having provided training on the use of public Wi-Fi and a third having offered training on identifying fraudulent emails. In addition, two-thirds of large British businesses and a quarter of small business owners have offered their employees specific GDPR-related training.
As an employee sacked for falling for a spear-phishing attack based on an apparently authentic email from their boss, for example, would you have a right to feel aggrieved if you had never received any training on how to identify fraudulent emails? Opinion will be split, no doubt. That is why it is important that we have a debate and that representatives from IT, HR and the C-suite consider the question.
It is my personal view that enhanced training has the benefit of building better trust with employees. Team members will feel supported and also understand their responsibilities in terms of safeguarding and information security. It will also reduce the likelihood that network security can be undone in the simplest of ways. Fundamentally, demonstrating that these training steps have been universally implemented will make for a better response to the ICO in the event of a data breach; simply saying that you have sacked a low-ranking employee may not impress.
It's time for you to decide. Should simple data security mistakes that lead to a data breach always lead to the dismissal of an employee, or should organisations accept that this issue isn't going away, and take responsibility to better train staff?