CIO

Employees clueless about data breach procedure, Deloitte report

Does your company have a proper procedure?

Employees at 43 per cent of the top 100 brands have no idea whether or not their company has a data breach procedure, according to a Deloitte survey.

The vast majority of those unaware of their business's breach action plan worked in the education sector, closely followed by healthcare and retail.

The Deloitte Privacy Index 2017 – released today as part of National Privacy Awareness Week – surveyed more than 1000 employees across 100 leading organisations both listed on the ASX and not, gauging opinions on privacy, complaints and information handling.

“We wanted to see if there was any difference between what organisations and what staff members believe is occurring when it comes to protecting data and honouring customer privacy,” explained Deloitte cyber risk services partner Tommy Viljoen.

The figures support a recent study of the ASX 100 companies' cyber stance. In a survey released in April, 59 per cent of organisations said they had a documented and approved response, recovery and resumption plan for a cyber attack and had tested it. A quarter of respondents had not yet determined how they would communicate a confidential data breach to customers.

Organisations that ranked the best on the Deloitte survey in terms of risk awareness and privacy protection had a privacy officer, regular training programs, and ensured their third parties notified them in the event of a breach.

The most trusted industries in the index were financial services, government, telecommunications, energy and utilities and industrial companies.

“We believe one of the reasons the financial sector ranked at the top of the index again this year, followed by Government and, for the first time in the top three, telecommunications and media, is because all three sectors are highly regulated,” said Viljoen.

“Financial services conduct frequent privacy training. Their employees can correctly identify a privacy impact assessment, and they know the process to follow in the event of a data breach.”

Ad hoc privacy training

The Deloitte survey found nine in ten respondents believe their organisation could be more transparent with consumers about how their information is used. Some 58 per cent of employees believe that regulatory compliance is more important to their organisation than building trust with customers, compared with 36 per cent who rated building customer trust as more important.

“An organisation may feel for example, it has all the requisite boxes ticked and all its policies and procedures in place. Yet it appears that many staff members may circumvent these processes, and find what they consider to be easier ways of doing things, even if ‘adequate’ monitoring processes are in place,” said Viljoen.

“To preserve and indeed build trust, organisations need to be authentic. This requires transparency of how customer data is being managed and staff members who are fully aligned to managing the information safely and securely and so act accordingly.”

Staff were found to be woefully undertrained with regard to customer privacy, with 40 per cent of them saying they only received privacy training at induction or on an ad hoc basis.

“Given this current situation of ‘could do better’, plus the future direction for organisations both here and around the world, for individuals to have greater controls over the collection and sharing of their data, our organisations have a big challenge ahead to maintain and/or build trust, develop resilience and create an environment of real consumer and business confidence,” said Deloitte cyber risk advisory director Marta Ganko, who co-authored the index.