6 May, 2021

Creating a Culture of Privacy Awareness

By Leana El-Hourani, IVE Head of Governance, Risk and Compliance

Data is arguably the world’s most valuable commodity, and protecting the privacy of that data is crucial to any business’s success. As Privacy Awareness Week comes to a close, it’s important to reflect on what makes a data-secure culture in the workplace.

More and more, we see news about the latest cybersecurity incident that has brought a company to its knees. Take just this week, for example. NSW Labor was hacked, with the attackers demanding a ransom within 240 hours; UnitingCare was attacked by the notorious ransomware gang REvil/Sodin; and insurance companies have hiked premiums by up to 30% to counter cyber attacks. That was all in a single week!

Privacy and data breaches are what keep CEOs and CIOs up at night, and rightly so. Having military-grade systems in place is a necessity, and even then there are no guarantees. During Privacy Awareness Week, ask yourself: does your business have the resilience needed to survive when a cyber attack happens?

If the answer is no, or you’re not sure, here are some tips on how to create a culture of Privacy Awareness to prevent data breaches. 

1. Align with partners that invest in the security of data

Look for certifications such as ISO 27001, PCI-DSS, IRAP and SOC 2. Gaining certification is a massive investment and demonstrates an organisation’s commitment to the protection of information. It’s vital if you want to build trust with your customers, especially when they hand over their data to you every day. Holding a certification means the business must undergo regular scrutiny to meet the requirements of the standard, which in turn requires an ongoing review of controls to ensure best-practice processes and continuous improvement are in place. With malicious actors becoming more sophisticated, that is not an easy feat to achieve or maintain.

Organisations are also responsible for how third parties collect and use personal information on their behalf. Each third party should have policies on how it collects, stores, uses and shares personal information.

Cyber incidents such as those that affected ASX-listed aged care operator Regis in August last year, Isentia in November, and more recently the entire UnitingCare Queensland internal IT system, which was attacked with ransomware, demonstrate that the cost of these incidents is profound: millions of dollars, damage to reputation and impact on customers. Working with organisations that invest in certifications goes a long way towards mitigating those risks.

2. Educate your staff

With human error still a major cause of data breaches, ensuring that you have a meaningful and relevant awareness training program is essential. We are all responsible for data security, from the operational floor to the executive level, so it is imperative that all parts of the business understand the obligations of the Privacy Act and the policies in place to protect your information.

From January to June 2020, the number of data breach notifications attributed to ransomware attacks increased by more than 150% compared to the previous six months, rising from 13 to 33. In this climate, simulated phishing attacks paired with clear reporting procedures are an excellent example of a strong security culture within an organisation, and they reduce the chances of fraudulent activity succeeding.

Ensure there’s a process for capturing the occasions when things do go wrong, and learn from them.

3. Make the business resilient

Having a plan for when things go wrong is critical, as the recent pandemic events have taught us. Ensuring that a Business Continuity Plan is in place and tested regularly shows that a business is prepared for known risks.  

Covid meant that a privacy impact assessment was necessary to evaluate the impact of remote working and potential site closures, and to review suppliers to ensure that the privacy of information was still being maintained.

Get your teams involved in audits. By ensuring that your staff know what the auditors are looking for, they’ll value the importance of the policies and procedures in place and will be able to make them more effective and relevant to the business. 

Do your due diligence and monitor your partners and vendors. If you don’t know what your third parties’ policies are, ask. This may prompt them to become more privacy aware. Remember, if a vendor or partner’s data is compromised, your data could be too!

4. Use risk language

Have a robust risk management process and ensure every team member knows how to identify and report a risk. Risk management language such as mitigation, risk treatment plans and risk ratings should be spoken at every meeting. Risks should not just be discussed in the boardroom, but within all levels of the business.  

5. Have a good data breach policy

Ensuring that everyone understands what to do in the event of an incident is imperative; not having a policy could have a disastrous effect on the business and on the individuals affected. A good data breach policy provides step-by-step instructions and the tools to facilitate communication throughout the business.

No matter what an organisation does, there’s always the chance that something could go wrong. Focus on these five steps and watch your culture change.

For more information on how IVE’s data security specialists can help, click here.