An example of what staff training on information security, data protection and privacy (IS/DPP) could look like.
This part covers why we should live up to the IS/DPP rules, from a "negative" perspective (what do we want to avoid?) and from a "positive" perspective (what do we want to accomplish?).
The slides come with notes that in short explain the visuals on the slides.
12.
- Internal - Page
It Can and Does Happen To Us
Email from the CIO (the day after)
I am pleased to inform you that the virus infection we suffered yesterday is now resolved and the file
servers are back online.
The cause of the issue was an infected attachment in an email that appeared to be from a trusted
external organisation but was actually spam. I would like to remind everyone to be aware of the threat
of what can often appear to be legitimate emails. We have the latest and completely up-to-date virus
checking software installed in the organisation, but the hackers are one step ahead. So it is impossible
to automatically detect everything. We need you to be vigilant. If you receive anything from external
sources with attachments that you are either not expecting or that appear in any way suspicious, please
shut down your PC immediately and contact the helpdesk.
The impact of this particular incident was that 24,000 files were encrypted on the file server and could no
longer be opened. The IT team worked all night to restore the situation.
22.
Key Takeaways
We avoid the bad.
No sanctions.
No negative financial impact.
No negative reputational impact.
No negative practical impact.
We try to capture the good.
Be trustworthy.
Manage our data.
Lower our cost.
Support the customer experience.
Be future proof.
30 sec IS/DPP survival kit
Wrap-up
Editor's Notes
Welcome to the second part of the baseline training IS/DPP.
Here we look at why ABC Group cares about IS/DPP.
Well, we try to avoid the bad, and
pick up some advantages along the way.
Let us start by looking at the downsides we want to avoid.
Non-compliance with the legal obligations can lead to criminal or administrative sanctions, such as fines or a prohibition on continuing to process certain data.
(Enforcement action can be initiated not only by the public prosecutor, but also by the data protection authority and the financial supervisor.)
Legal action can also be initiated by competitors (claiming that ABC Group, by bending the law, competes unfairly)
or by customers (who could claim damages).
A competitor may also succeed in peeking at our ideas or client list.
Getting IS/DPP wrong can also impact ABC Group’s reputation.
In the past, a complaining customer talked to his family and friends,
and only the media had a big effect.
That has changed: a defaced website
and an angry customer shouting on social media now have quite similar effects.
Finally, it is worth mentioning that a failed IS/DPP framework can have a practical impact.
For example, say the company were hit by ransomware.
A phishing email with a malware-infected attachment was opened by a colleague. The ABC Group IT infrastructure was affected: 24k files on the file server were encrypted by the malware. To stop it from spreading, the servers were shut down. Staff had no access to the files on the server drives for half a day, and IT had to pull an all-nighter to fix it.
But it doesn’t have to be an attack.
“Dirty data” impacts us every day.
Incorrect customer addresses, email addresses and telephone numbers add to the cost of trying to contact our customers,
and prevent us from using the data for statistics and for improving the service.
No need to focus entirely on the bad.
When you get IS/DPP right, it can be a source of trust,
both for our customers (especially the privacy-minded ones; and yes, even corporate customers ask us for evidence of our commitment on the topic) and
from institutions (which, for example, allows banks and insurance companies to connect to authentic government databases like the Belgian national register via Identifin).
Getting IS/DPP right also means having an overview of our information assets and the requirements we set for them, and having an organisation in place to manage them. That is just as much the basis for good information management. And that should make things easier, like
retrieving data,
not having to collect the data multiple times,
having proper backups, which avoids losing your work and having to start all over again,
and so forth…
Part of that is also paying attention to data quality.
It is a good basis for proper accounting, relationship management with suppliers and customers, our authentication procedures, etc.
All that should allow us to give the customer a better customer experience.
We think working on IS/DPP will also bear fruit in the future. It should give us more options for processing data within the confines of the trust we receive from the individuals involved. And it should prepare us for the future and let us face it with confidence, even under stronger enforcement of the law.