All organisations are legally required to protect any personal data they hold, including that of their customers and employees.
GDPR (General Data Protection Regulation) came into force across the EU in 2018, and was enacted into the UK’s Data Protection Act 2018. Not only did the GDPR give data subjects more rights, including the right to be forgotten – or ‘erasure’ – it also introduced tough new penalties for non-compliance.
As well as personal data, covered by the Data Protection Act 2018, organisations also need to be on their guard against the loss of sensitive commercial data.
Even with the prospect of fines and reputational damage, data breaches are becoming more common. Before digitisation, data losses might happen if paper files were left on a train or stolen from a workplace.
That can still happen, of course. But in today’s hyper-connected world, where workforces are dispersed and often reliant on third-party software, the risk is far greater. Increasingly sophisticated cyber criminals are constantly targeting system vulnerabilities at scale, threatening the data security of every organisation.
Without robust security measures within these systems – such as access control, encryption and firewalls – there’s a risk that sensitive information will be compromised. Around 43% of businesses and 30% of charities experienced a cyber security breach or attack, according to UK government figures.
Human error is the leading cause of cyber attacks, whether it be IT teams not identifying weaknesses in the systems or employees inadvertently clicking on a phishing email.
Employees are the biggest risk but they’re also your first line of defence. A cyber-aware workforce will recognise the risks and take preventative steps, such as choosing strong passwords and not clicking on suspicious links. They’ll also know what to do and who to tell to contain a potential attack.
Key takeaways
- Everyone is responsible for data protection. L&D and compliance teams must implement effective training and policies to reduce the risks.
- 10 questions to test awareness. Our handy checklist will help you to identify gaps in employee knowledge so they know what steps they can take to protect data.
Identifying knowledge gaps: 10 data security questions L&D and compliance teams should ask employees
Everyone has a role to play in maintaining good information security standards and preventing data losses. L&D and compliance teams lay the foundations with robust training and clear policies, which are clearly communicated and updated in line with new regulations and threats.
We’ve compiled 10 questions to check awareness levels and practices in your organisation.
- Are you familiar with the organisation’s IT policies and rules?
- Do you understand your data handling responsibilities?
- Is off-site data protected?
- Are you accessing or transferring data via secure networks?
- Is information shared on a 'need to know' basis or too freely?
- Do managers understand and check document classifications?
- Are password rules being followed?
- Are you using personal devices and accounts for work?
- Do you know who to ask for support?
- Do you know what to do in the event of a security breach or data loss?
1. Are you familiar with the organisation’s IT policies and rules?
All procedures and policies relating to information security, privacy and confidentiality should be available to employees in a secure environment like an intranet.
These rules shouldn’t remain hidden. They must be regularly communicated and reinforced with good practices every day. Training is critical for refreshing employees’ knowledge – but you can also test their understanding first using pre-assessment tools.
2. Do you understand your data handling responsibilities?
Employees at all levels must know what data they are responsible for, what they are allowed to do with it and what is prohibited (or requires consent). By understanding their responsibilities, they should be able to make better decisions that ensure compliance.
3. Is off-site data protected?
Using third-party cloud-based software means data is technically stored off-site. As a result, anyone responsible for engaging with third-party vendors – including procurement, IT and specific teams such as HR – must understand how data is being stored and secured. It’s important to choose vendors that use encryption and password-protection to safeguard data and hold accreditations such as ISO/IEC 27001 for information security.
4. Are you accessing or transferring data via secure networks?
Accessing a company's network via unsecured networks, including public WiFi hotspots outside the workplace, will make organisations more vulnerable. Teams should recognise these risks and avoid using potentially risky public networks.
5. Is information shared on a 'need to know' basis or too freely?
Employees may not be aware of the risks around forwarding data to groups of people, or they could have become careless when typing email addresses, leading to information being sent to the wrong recipient. A combination of training and company-wide awareness will encourage them to think twice, taking time to check and only distributing data to people who need to access it as part of their job.
6. Do managers understand and check document classifications?
People in the same department or function may have different access rights, so it’s important managers regularly check who has permission and who does not, and that the documents are properly and consistently classified before sharing. Clear classifications such as Private, Confidential, and Public should be used to grant privileges, while role-based permissions within software can control access.
7. Are password rules being followed?
Employees must use strong passwords and change them regularly to reduce the risk of cyber attacks. They should also avoid sharing passwords with colleagues in case it allows someone to view sensitive data without permission.
8. Are you using personal devices and accounts for work?
It’s easy for employees to access work-related information, including emails and documents, on their personal devices, public WiFi and accounts (e.g. email). Something as simple as forwarding a business email to a personal account could result in a data breach.
9. Do you know who to ask for support?
Open, healthy workplace cultures encourage people to ask questions and build their knowledge, and to know who to go to when they need more guidance. Information security is a joint responsibility – so employees can seek guidance from their manager and IT, as well as from L&D and compliance teams.
10. Do you know what to do in the event of a security breach or data loss?
If employees make a mistake – such as clicking on a suspicious link – they need to understand who to tell first. Escalating the incident to their manager and the IT department immediately can help to contain the threat, shutting down systems if necessary and communicating it to the wider team.
Cyber attacks should be reported to the government’s National Cyber Security Centre, while a suspected GDPR breach can be reported to the Information Commissioner's Office.
Want to learn more about Information Security?
We’ve created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses. You’ll also find additional free resources such as e-learning modules, microlearning modules, and more.
Written by: Lynne Callister
Lynne is an instructional designer with over 20 years' storyboarding experience. Her current areas of interest are mobile learning and exploring how cognitive theories of learning can create better learner experiences.
