Back to basics: The importance of staff training in data protection

It is not glamorous, but the simple truth is that perhaps the most important aspect of a Data Protection Officer’s (DPO) mission is to ensure that effective staff training for the safeguarding of sensitive information and maintaining robust security practices is in place. According to Stanford University Professor Jeff Hancock, 88% of data security breaches result from employee errors. The message for companies and organizations is clear: To improve your data security, begin with staff.

Employee awareness

Following a survey conducted at Infosecurity Europe 2024, a report by ThinkCyber revealed alarming trends in employee awareness and behavior regarding cybersecurity. 50% of employees fear repercussions from their company should they report a security mistake. This fear is a hindrance to open communication and proactive security measures, creating a vulnerability in the organization’s defense mechanisms.

In addition, only 51% of respondents feel that the majority of people in their business are focused on security, with 39% indicating that only executives and security teams are truly engaged in this area. The disparity indicates a shortfall in the security culture within organizations, underlining the need for much more effective and inclusive training programs.

Key concerns

Addressing risky behavior

Cyber security experts are concerned about several risky behaviors among employees:

  • The clicking on malicious links in phishing emails (53%)
  • The sharing of usernames and passwords (51%)
  • The sharing of corporate data outside the company (53%)

Such behaviors threaten organizational security, underscoring the need for better security awareness and training programs.

Ineffective training

The ThinkCyber study also highlighted concerns about the effectiveness of security awareness training practices. One quarter of respondents doubt that their co-workers change their behavior as a result of existing training programs. Of those surveyed, 42% think that their organization cannot even partially demonstrate whether its present training is changing risky behaviors.

Just under half of the respondents acknowledge that their business lacks an adequate mechanism for identifying the user groups that carry out risky behaviors. In addition, some 60% report that training is provided infrequently. This shortfall limits the impact of training and allows numerous risky behaviors to persist.

Enhancing security training

Contextualized and targeted training

Security awareness training should be more targeted and contextualized. ThinkCyber CEO Tim Ward emphasizes the importance of intervening just before a risky action is taken. Real-time intervention helps employees understand the perils and consequences of their actions, making the lesson more impactful and grounded in a real-life context.

Shorter and more regular training sessions

Shorter but more frequent training segments are known to enhance retention and application of security principles. More than two-thirds of respondents express a preference for keeping their knowledge fresh through regular, bite-sized training sessions. This approach keeps attention on security and reinforces good practices.

Evaluating behavioral impact

Businesses and organizations should develop methods that measure the behavioral impact of training programs. By recognizing which user groups require additional support and tailoring interventions accordingly, businesses can target training, making it more effective and relevant. This approach corresponds with the developing field of human risk management (HRM), which favors targeted interventions that change security behaviors.

Creating a culture of communication

Employee fears of repercussions must be addressed head-on. A culture of open communication and proactive security should be created. Employees need to be encouraged to report security mistakes without fear of punishment. This will help organizations to quickly identify and address vulnerabilities. The implementation of anonymous reporting mechanisms and development of transparent follow-up actions further support this culture.

The value of staff training in data protection cannot be overstated. Practical training programs are a must for mitigating risky behaviors, developing security awareness, and encouraging a culture of proactive security. Through the implementation of targeted, contextualized, and regular training, organizations can ensure that their staff are not only aware of the importance of data protection but are also equipped to act securely.

Photo credits: janews094, AdobeStock.com

Posted by

Eoin Campbell

Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified lawyer. Eoin has moved from practicing law to lecturing. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data privacy. He is an expert on data privacy laws.