Privacy: Employees Often the Weakest Link

GDPR will celebrate its first anniversary later this month. The California Consumer Privacy Act (CCPA) will go into effect Jan. 1, 2020. Protecting consumer data is going to be a priority for every organization, large or small—if not now, then very soon.

However, putting privacy regulations into practice is a lot like enforcing security best practices. No matter what steps the organization takes to be in compliance, it all comes down to employee behavior. And according to new research from MediaPRO, organizations are failing in training employees on how to handle data with these regulations in mind.

It isn’t just the new regulations where employees are in the dark about best practices. For example, the study found 58% of employees said they had never heard of the PCI Standard for credit card data protections. How much an employee understands sensitive data and the privacy protections surrounding that information depends on their job duties. The IT department was found to be least aware of what constitutes sensitive data, with 73% in the tech sector ranking Social Security numbers as most sensitive, compared to 88% of employees in all other sectors.

Hurting the Organization’s Privacy Stand

When employees don’t know the fundamentals of privacy protection, they can bring some catastrophic things down on their company, said MediaPRO’s chief strategist Tom Pendergast. When they lack the skills to identify personal information, they may not apply the correct data handling restrictions on data or fail to encrypt data, which leads to critical consumer information being left exposed to risk. Or when employees don’t understand the obligations their company has to the consumer, they may design a marketing campaign or a software or website experience that violates consumer privacy. Or if they don’t recognize what issues require prompt action, they may fail to report an incident that ends up leading to a data breach.

“Basically, by understanding how to identify personal information, how to handle it in their realm of the business and how and what to report as an incident, employees can be a big factor in keeping their company in compliance and protecting its reputation,” said Pendergast.

Have We Hit Privacy Fatigue?

The root of the problem may not even be a lack of awareness, but rather that employees have hit privacy fatigue and are tuning out the steps needed to protect data. I’ve heard that a lot when it comes to cybersecurity and data breaches; there have been so many major breaches that we’ve tuned them out, just figuring that our data is already compromised. As consumers, I get that, but how does that same type of fatigue occur in the workplace, especially if data privacy regulations are still fairly new?

When I asked Pendergast what he thought was the most surprising result in the study, he said it was the generally poor performance of people across this spectrum, especially since cybersecurity and data privacy are headline news. “Did the Facebook and Cambridge Analytica and 2016 Election stuff force people to tune out in self-defense? I suspect that’s part of it,” he said.

The other part is that people don’t connect privacy and security between work and personal. “If they haven’t personally been impacted by identity theft, it doesn’t seem like a big deal,” he said. “When we build our training and reinforcement, we’re really trying to give people a reason to care about privacy, and to apply what they learn to both their home and their work lives.”

Instilling Best Practices

Security and privacy aren’t the same issue, but best practices and employee training should follow a similar path because, Pendergast pointed out, the distinctions aren’t all that meaningful to most people.

“There are things you need to know to handle personal information at work and then you also need to know how to protect that information and not fall prey to cybercrime,” he said. “I think it feels pretty continuous to most folks, and I often urge people to combine their security and privacy awareness efforts in order to make them more meaningful and more practical to people.”

So what should organizations do to ensure their employees are prepared for ever-changing privacy regulations and the new laws coming on board? Pendergast advised building your program and policies around the highest privacy standards and educating people on the core principles and actions they need to know in order to follow the new standards.

“Common people—that is, the vast majority of employees—do not need to get caught up in the minutiae of the law,” he added. “They need to know a few key things and they need to know how to put them into action. Period. That should be the goal of your employee awareness program.”

Sue Poremba

Sue Poremba is a freelance writer based in Central PA. She has been writing about cybersecurity and technology trends since 2008.