It is a company’s responsibility to identify information that could be at risk and needs to be protected and also understand the ethical, legal and regulatory requirements relevant to holding and protecting such information.
The company also needs to establish policies and procedures to manage the risks and reduce the impact on the business should a breach occur. Companies can do this by training employees, contractors, suppliers and others on the policies and procedures in place; this ensures they are aware of what is required of them.
The company will also need a mechanism for managing and reporting cyber security incidents, ensuring that it does not transfer ownership of risk through outsourcing.
Companies are legally bound by certain acts within the law, the most important being the Data Protection Act 1998. There are eight principles to follow; however, the following two principles are worth highlighting:
Principle 7 – Information security; Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Principle 8 – International; Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
All other legal requirements to be followed can be found in the Companies Act 2006 and the Computer Misuse Act 1990.
What are the employee responsibilities?
It is important for employees to be aware of the potential risks in their day-to-day tasks. They need to be aware of and adhere to the company's security policies and procedures, and understand their personal, legal and ethical responsibilities for protecting the business.
There is always a real and present danger and both companies and employees need to be aware of the damage that can be caused by a cyber incident. Here are some statistics from 2016:
46% of small businesses experienced at least one cyber security breach or attack in the last 12 months (2016 – 2017). The average business faced costs of £1,570 as a result of these breaches.
(April 2017, Cyber Security Breaches Survey 2017)
Cyber breaches are caused by system failure, human error or malicious acts. They result not only in loss of revenue and damage to the company's reputation, but also in potential personal and professional embarrassment, potential legal action and possible career consequences.
HR can put systems in place to monitor:
- Employees working unusual hours
- Employees requesting access to information that they are not authorised to access
- Employees who are leaving, through a thorough exit interview
- Sharing of passwords
- Sharing of computers
- Using company computers for personal emails and social accounts
- Emailing confidential information without adequate protection
- Emailing confidential information to organisations external to the company without adequate checks.
We hope you enjoyed our article; check in tomorrow for the next blog in this series: “Cyber security – Managing the risks”.
Why not get in touch and let HR Revolution run through a GDPR audit to see where and how quickly changes can be implemented?