When I’m conducting a data protection or information security audit, I’m generally looking at the potential cost to the company of a failure to provide adequate training. Does the organisation have sufficient governance rules in place to guard against data leaks, and are these rules communicated to and understood by all employees? Is training a “once in a lifetime” experience, or something that is regularly repeated and tested? Could poor training lead to data loss or corruption, resulting in a significant fine from the ICO or a dramatic drop in brand value through unwelcome publicity?
Recent events, though, have led me to consider the human cost of inadequate training. The tragic death of Jacintha Saldanha following the hoax call from 2Day FM to the King Edward VII Hospital made me think about the guidance on call handling she might have received. This hospital is accustomed to high-profile patients and could be expected to provide exemplary direction to its staff. But the story did highlight for me how vulnerable we leave employees if we fail to ensure that appropriate rules and education are in place.
Yes, a failure in data protection or a security breach arising from staff carelessness or inexperience can be costly for the organisation. The Information Commissioner can now levy fines of up to £500,000 and the FSA can impose far higher penalties on financial sector organisations. Poor publicity can lead to loss of consumer confidence and trust, brand damage and ultimately a fall in customer numbers and revenues. We talk about “investing” in training and people because we know that this is an expense that reaps a substantial return.
But what of those individuals who err through lack of knowledge or understanding? How many individuals are disciplined, reprimanded or demoted for failing to meet inadequately communicated standards? What’s the personal cost in loss of confidence, loss of earnings or loss of a valued job?
While there will always be rogues who exploit their access to data to help a friend or for personal gain, our experience is that the vast majority of employees want to support their employer and “do the right thing”. It’s not sufficient to have a culture of “personal best practice” or to expect people to “use their common sense”. Your staff deserve to know what security the company considers adequate for home working; what data they are allowed to take off site and for what purposes; how to minimise the risk of accidental or deliberate access to personal data by unauthorised individuals. They deserve to know under what circumstances they can divulge data, and to whom – and to have rules that they can quote in the face of coercion or bluster. They deserve regular, thorough training in data security and data protection principles and standards. Anything less, and you leave your employees – and by definition your organisation – vulnerable. And as recent events have shown, vulnerability comes at a very high price.