Posted on

How to Hold an Azure Information Protection Staff Training

How to Hold an Azure Information Protection Staff Training feature image

In light of the latest data security climate, where a risk of a breach is higher than ever, it is of utmost importance to keep valuable data safe. Microsoft’s Azure Information Protection (AIP) helps in achieving this goal and it’s the solution we recommend.

Particularly when you consider that the UK average cost of a data breach is close to £2.87 million ($3.68 million) according to a recent report from the Ponemon Institute.

Azure Information Protection is a cloud-based data protection solution that keeps data safe through advanced encryption, identity, and authorisation policies.

But. 

Adopting AIP isn’t enough – you need to train your staff on how to use it properly. Newly accepted regulations like the EU General Data Protection Regulation (GDPR), combined with concerns about what awaits the UK in terms of free data flow after Brexit, make data security an important aspect to every company, so it makes sense to invest into Azure Information Protection staff training.

Ensuring Your Employees Are ‘On Board’

Change is something many employees are not fond of, so getting them on board with Azure Information Protection Staff Training is the first thing to do before you begin with implementation and actual training.

When your employees are educated on GDPR and data breach consequences, they will become more engaged in Azure Information Protection staff training. Not being compliant and risking a breach could cost them their job because many businesses that suffer a major data breach never recover. 

But, how do you do hold Azure Information Protection Staff Training?

Step #1 Educate on the Risks

Start by making your staff aware of the dangers of security breaches and just how little it takes for one to occur if data protection is lacking.

Step #2 Explain Their Role in Compliance & Data Protection 

Many employees are not aware of just how important they actually are in keeping data safe. Start by explaining their role in the company security and compliance. Explain that whenever they send data – be it email or access to a folder – to somebody inside or outside of the company, it can be a security risk. The risk here is that often there are no resources that would monitor or restrict misuse of that shared data.

The most recent statistics included in IBM’s Cost of a Data Breach Report show that a staggering 27% of all data breaches that happened was caused by a human error – in other words, employee negligence was the cause.

Think about the following scenario: You are sending sensitive financial data to an outside partner. The partner is negligent and sends this confidential data to parties that should not have access to it. This constitutes a data breach.

A data breach has serious consequences far beyond actual financial costs including:

  • Hacking
  • Downtime
  • Loss of customers
  • Loss of personally identifiable information (PII) from customers and employees
  • Loss of intellectual property
  • Loss of financial information
  • Breach of data protection laws
  • Legal fines and claims
  • Reputation damage

Step #3 Show Why Azure Information Protection is the Solution 

Proper training will help reduce the risk of a data breach as a result of human error. Before you fully implement AIP, ensure your staff become familiar with all the features and that each department knows how to utilise its full potential. 

Explain how Azure Information Protection works and how, when integrated, in the organisation it can help on an operational level. 

Step #4 Show off Features They Can Use

During Azure Information Protection staff training, the focus should be on providing specific and detailed guidelines to each department. Present all the important features that AIP offers:

  • You Can Classify Your Data – AIP helps classify and label data based on how sensitive it is through a system of labels that automatically protect it once applied.
  • 24/7 Protection – Once you classify data and protect it, it stays protected. AIP follows data and ensures it’s protected even when shared outside of your organisation or stored on an external device.
  • Track Data and Revoke Access  – AIP helps you track what is happening to data you have shared, and in case it’s needed, you can easily revoke access.
  • Log and Report Support Compliance – Get access to powerful features that help analyse and monitor usage of data. The reporting feature helps maintain compliance with rules and regulations.
  • Safe Collaboration – Thanks to labeling and classification, you have complete control over who has access to data and how they can interact with it.
  • Microsoft Office Integration – AIP is integrated into MS Office so you can secure any document with a single click as well as automatically in the background. 
  • Easy to Manage and Deploy – AIP works in the cloud and on-site equipment too.

Step #5 Make it Specific

Once done, provide each department with detailed guidelines and best practices for using AIP specifically for them. For example, teach your finance department staff on how to use AIP features like the Do Not Forward Button or Sensitivity Bar, or your marketing department on how to apply AIP labels and send data to external partners.

If you want to make your AIP staff training easier, we’ve created an Azure Information Protection Staff Training Course on The TowerWatch Academy.

Posted on

Technical GDPR Staff Training Essentials

technical GDPR staff training essentials feature image

One of the challenges of implementing GDPR for businesses is the technical GDPR staff training.

But, you need to be prepared.

Your organisation’s compliance depends on having informed and well-trained staff, and the larger your business, the more difficult and vital this becomes.

We’ve dealt with many GDPR staff training sessions approaching from the technical standpoint and often consult with organisations to ensure they are passing on their knowledge correctly.

As such, we’ve decided to put together this brief list of essentials for a technical GDPR staff training session to get you started.

Before Your GDPR Staff Training

Data protection should already be part of the company culture meaning that your staff aligns with a privacy-first approach.

In practice: Incorporating privacy and data protection to your core values ensures you adhere to the GDPR “data protection by design and default” guideline – this means that your default settings should be privacy friendly, and all processes and operations, from sending GDPR Compliant emails to app development, include data protection measures at their core.

What To Include in GDPR Training Sessions

A well-rounded GDPR training should start with the basics and work towards the technical aspects of GDPR compliance like new policies and frameworks that you’ve adopted as an organisation. Key points to include are:

1. Consent

GDPR is all about consent, and ‘legitimate interest’ cases when contacting others and this needs to be thoroughly understood and explained.

If not, any one of your employees could contact someone without permission and it could lead to a complaint to the ICO and fines. This is one of the most misunderstood points of GDPR currently, particularly for marketers and businesses that thrive from reaching out to potential customers. You and your staff need to understand where the line is, and how not to cross it. 

2. The Risk of Non-Compliance

Your staff should learn about all the principles of data protection and be aware of the financial risk of not being compliant, how it hurts reputation, and what disciplinary measures the business (and they) can face. When they can connect the risks and arguments on why GDPR is necessary, they will understand just how important it is.

3. Understanding Your Business’ Role

Ensure your employees understand where your business stands. Participants should learn the difference between data processors and collectors, which category the business falls into, and the category of any other third party they conduct data-related business with.

4. Knowing Regulations & Regulatory Bodies

For example, your staff should know the role of the ICO and relevancy of the Data Protection Act 2018 and Privacy and Electronic Communications Regulations.

5. Being Specific To Your Business

There’s no point in explaining the rationale behind GDPR and the fines without some context. Your employees need specific guidelines about data-related operations and processes they do daily.

For example, your GDPR email training might be highly technical, so make sure that everyone understands how new regulations affect their daily email communication and work in general, with a focus on how it makes it better.

6. New Company Policies

Your business’ policies should be at the core of the staff training. Ultimately, you’re the ones to police your own staff and if it is enforced companywide, it’s more likely to be adopted (and stuck to.)

Every department should be aware of new company policies that ensure GDPR compliance and how they affect them – from developers working on a new app to the sales team dealing with customer data, to marketing staff sending out emails.

7. How To Spot Data Breaches

The staff should also learn how to recognise red flags – because a data breach has to be reported to ICO within 72 hours, knowing to spot one is crucial. They should also learn the correct procedure in case of a data breach, such as who to report it to in the company and whether additional measures are needed.

8. SAR Requests

Under GDPR, a company has to respect a subject access request – request for data. SAR requests need to be handled within 24 hours of being received, so having a policy in place and making sure your staff knows the correct way to respond to it is key, because the public and customers don’t always send requests to the right location straight away. 

The Technical Side of GDPR Staff Training

Implementation of new technologies and software solutions that ensure data safety is the next logical step for GDPR compliance. But this can be difficult to implement itself. 

This means that you and your staff will have to learn about new encryption technologies and software you decide to integrate into your business operations.

Article 32 of GDPR states that this can be achieved through:

  • Pseudonymisation and encryption of personal data
  • Ensuring your processing systems and services are confidential and resilient
  • Being able to restore access to personal data quickly if there was a physical or technical issue that prevented access
  • Regular testing and evaluation of technical and organisational measures that were implemented to ensure data security

For example, your email communications should be secured through solutions like Azure Information Protection – which provides email and file encryption that protects data in such a way that it’s secure no matter where it goes. Deploying systems like Azure Information Protection across your organisation can be tricky if you don’t know what you’re doing, but training your staff to use AIP should be easy – from GDPR email training to sharing documents securely – to ensure the highest security and your ‘best effort’ towards GDPR.

Continuous GDPR Training Ensures Compliance

The last point to note is that reminders and refreshers are the way to really reiterate the importance of GDPR to your business, to staff. 

Hold refresher sessions after the initial GDPR staff training on a regular basis. Data protection should be ingrained into every single business process. Make sure new members understand this too – make GDPR training an integral part of the onboarding process and make sure it becomes part of your company culture.   

If you need help with implementing Azures Information Protection in your small business, check out our fully comprehensive and supported course here:

https://towerwatchacademy.thinkific.com/courses/get-file-and-email-encryption-for-small-businesses-microsoft-aip-course