GDPR has forced changes in security training, says expert panel

George Tunnicliffe of the National Theatre called the GDPR "a massive advert for two-way security"

Training staff in cyber security is just as important as having the appropriate software and processes, but too often this boils down to half an hour watching a PowerPoint presentation, four times a year. In the fast-moving world of modern security, that isn't a sustainable solution.

The GDPR has been a training wake-up call for many organisations, said panelists during the 'Training your staff and security awareness' polylogue at Computing's Enterprise Security and Risk Management Summit last week.

George Tunnicliffe is head of IT operations at the National Theatre, which employs a huge number of non-IT staff, such as actors, chefs and makeup artists - all of whom need to be educated. For a long time the Theatre's main security focus was PCI, but the GDPR has forced a change: "We're now going round each part of the organisation, gathering information and understanding what PII [personally identifiable information] we hold - it's a lot!" He added, "The GDPR is a massive advert for two-way security."

"We also have mandatory training like PCI, which carries on from year to year," said Jan Langham, head of security at Paddy Power Betfair; "but this year [the training] was more varied. We had our baseline security, plus anti-phishing, risk management and more. We have 'security champions' embedded across the organisation and drop messaging in elsewhere - we even have cupcakes with messages printed on them!"

The final panelist, Colin Mallett, is CEO of Trusted Renewables, which focuses on using IT for eco-friendly projects. The firm employs many ex-BT engineers who are very familiar with cyber security, and so the approach is quite different from the National Theatre or Paddy Power: "Our internal training has mainly been sitting around and discussing good practice, and trying to understand new developments like blockchain and GDPR. Training by conferences is the main thing; it allows team members to train each other." Mallett did add, however, "We need to evangelise awareness [of social engineering and phishing]."

Training doesn't only apply to non-management; executives are often less aware of changing technology than workers on the front line. Mallett thinks that this is one of the purposes of the GDPR; or as he puts it, "The buck stops with the seniors."

Training is crucial, but quantifying its effectiveness is like trying to measure a negative. It's easier to look at the effect that any changes made have had on the business as a whole. Tunnicliffe, for example, was able to lessen the burden on the IT department by focusing on personal responsibility:

"When I joined, people used to share passwords a lot, just to 'get the job done' - it was a big risk which I quickly changed. One of the other things that came out of [my joining] was training people to be more responsible as a whole. We have customer service advisors, and those on the front line use a chip and pin device that, for the day, is 'theirs' - they're responsible for performing tamper checks and so on; they can deal with low-level troubleshooting, and it helped IT out too!"

Despite the differences between the panelists' businesses, all three agreed on their biggest security concern: users. Tunnicliffe pointed to a lack of knowledge and understanding, while Langham and Mallett both mentioned social engineering. Short of entirely removing employees from the security chain, education is the best way to combat these challenges.