It might not seem like it, thanks to the added work it has created for organisations inside and outside of the EU, but the new GDPR compliance regulations were designed with the benefit of people in mind. The goal: “to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.”
People want to feel safe. GDPR is intended to help protect EU residents from digital threats to their privacy brought about by the potential misuse of personal information by organisations. This misuse includes the intentional or unintentional leakage of data by employees or contractors of these organisations.
According to a recent independent report from The Ponemon Institute, nearly two-thirds of insider threat incidents are caused by unintentional employee or contractor actions. It’s crucial to educate your team on how to avoid opening up your organisation (and its sensitive employee, proprietary, and customer data) to additional risk, particularly post-GDPR.
Here are three ways to protect employees and your organisation from the unnecessary risk of an insider threat incident:
1. Be Clear and Transparent with Your Policies
Any insider threat program worth its salt has a people-centric policy at its core focusing on all activity, rather than just privileged users (such as IT staff or administrators). It’s critical that every employee understands the following aspects of your organisation’s cybersecurity policies (including GDPR compliance), specifically as it relates to insider threat.
All employees should understand the following:
- Which software and services they’re authorised to use on company networks
- What (if any) external devices are permitted for use
- How, if ever, company devices may be used to access personal email or social networks
- Exactly how and why they may be monitored on corporate IT systems
Whether intentionally or unintentionally, certain types of employees pose bigger risks to an organisation than others. These “high risk” insiders may include:
- Development resources with access to source code
- Business users that have access to files containing corporate strategy
- Employees who have given notice or are on performance plans
- New employees to the organisations unfamiliar with company policy
- New employees that are onboarded after a merger or acquisition
- Third party vendors or contractors
Taking these factors into consideration, a one-size-fits-all policy may not be the right approach for your organisation. You may want to consider establishing onboarding and offboarding processes for employees, as well as including special levels of policy for groups of employees or vendors/contractors with access to potentially sensitive data or systems.
GDPR Pro Tip: Article 5 (Principles relating to personal data processing) requires that organisations adopt new processes and technology to insure data confidentiality. While it’s important to implement continuous monitoring of user activity to identify and prevent data loss, be sure that user behaviour data is anonymised to protect employee confidentiality.
2. Continuously Educate Personnel
Under GDPR rules, any organisation that processes personally identifiable information (PII) on a regular basis is required to appoint a data protection officer (DPO) to be responsible for monitoring and advising on compliance, training staff, and processing requests from individuals regarding their personal data.
Specifically, as it relates to training staff, it’s important that training extends beyond just the people who process PII directly.
Any employee with access to company servers, systems, or data should know the basics of how to avoid exposing the organisation to an unintentional insider threat incident. This coaching process should happen on a continual basis in partnership with the HR team, to demonstrate policies in action, and instill confidence that these policies are designed to protect them.
GDPR Pro Tip: Article 39 (Tasks of the DPO) requires that a DPO conduct training for staff involved in processing operations. Be sure these training sessions are up-to-date and occur at regular intervals to account for new hires. Also consider how you might be able to notify users of a potential breach in policy in-the-moment, and coach them on best-practices.
3. Create Awareness of Processes with Key Stakeholders
This shouldn’t come as a surprise: fire drills exist to give people an idea of what they’d do in the event of a fire. It’s the same reason companies responsible for processing PII should create detailed plans and conduct incident response simulations -- to raise awareness of how a process may play out in the real world if a data breach ever were to occur.
Consider the key stakeholders and teams who might be involved in containing and responding to a data breach, including leadership from:
- Security
- Compliance
- HR
- Executive Team
- Public Relations
- Customer Service
Gather these teams together to create a cross-functional incident response plan detailing the chain of command (in other words, who does what in the event of an insider threat incident). Play out specific scenarios, and what the roles and responsibilities of each person on the team are.
Perhaps just as important as external customer communications, work with HR and internal communications teams to develop a plan for how a data breach will be communicated to internal employees.
GDPR Pro Tip: Article 33 (Notification of a personal data breach to the supervisory authority) requires that organisations notify customers of a data breach within 72 hours of becoming aware of it.
Final Thoughts
Considering only 16 percent of insider threat-related breaches are identified and contained within 30 days, many organisations have a lot of time to make up. Quick notification of breaches and threat indicators allow you to kick your plan of action into high gear.
For more information, see how Proofpoint can help your organisation comply with the new GDPR requirements.