Case Study: The Impact of Awareness on a Security Incident in a National Charity
A leading UK charity made up of 200 staff and volunteers needed to meet the requirements of the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA2018) by implementing appropriate organisational measures to protect the personal data they held. They were concerned by the number of email incidents they were having, as users were often clicking links, opening attachments or replying to spam emails. Further exacerbating the issue was the high turnover of volunteers, which meant that many of the devices in use lacked anti-virus software. The training needed to be supplied on a tight budget and also needed to produce records that could be evidenced in case they were ever audited. Additionally, management had found that data subject rights requests were taking too long to handle. They suspected this might be because users were unsure of what to do with them, so they were looking for a training programme that also covered this.
Our training platform provided them with beginner and intermediate levels of cyber security and data handling training over a period of 6 months, starting in November 2018. The training was delivered via web browsers or via an app, allowing users to engage with the training anywhere at any time. Users were sent a link with their details and instructions on how to use the training platform. At the same time, the charity’s Human Resources department sent out emails asking users to engage with the training, stating that the result would form part of their annual review. In addition to the training, we also supplied the Cyber Warden, a set of monthly cyber health checks on anti-virus, password use, device management and data handling. These checks run on the same platform as the training and use the same credentials, apps and logins. The platform includes a comprehensive reporting library: reports on the progress of users were sent to upper management each week, along with detailed overview reports each month covering both the responses to the Cyber Warden surveys and the training itself. The cost of this programme, including the Cyber Warden, reporting and setup, was within the agreed budget based on a 12-month commitment.
The effectiveness of the training was immediately apparent. The number of email-related incidents reported prior to the implementation of the training programme had been over 100 per month; this has since steadily decreased, dropping to 32 in the final reported month. Graph 1.1 below shows the trend in reported email incidents.
Graph 1.1: The number of reported email incidents per month.
In addition to the reduction in email incidents, the number of devices missing anti-virus software also steadily decreased. Graph 1.2 (below) shows the trend prior to November 2018, when typically 15-20 devices each month lacked protection, and the drop to under 10 once the training programme commenced.
Graph 1.2: The number of devices missing anti-virus software per month.
Finally, since the training programme was implemented, the average time to handle data subject rights requests now complies with the legally required maximum period. Graph 1.3 (below) shows that prior to the training the handling time regularly exceeded the legal maximum, and that after the training it falls within, or under, the legal maximum.
Graph 1.3: The average time to handle data subject rights requests per month.