People & Information Governance

In the last post we talked about why we protect our customers' data. It's all about adhering to regulations and keeping our customers safe. In this chapter, we're going to start talking about how we go about effectively governing our data; specifically, we are going to talk about the people aspect of data governance.

You may remember from chapter one that people are the root cause of 90% of data breaches, so having training, committees and specific data-related roles within the business is vital.

Let’s start by talking about roles, starting with the data owner. Their responsibility is to make sure that the data they own is governed across the business. This can take many forms, but in short, they need to:

  • Retain a full data dictionary, defining the data they own.
  • Ensure data accuracy through validation efforts.
  • Document and manage the lineage of the data (what processing has been done to the data to get it to its current point).

Ultimately, the data owner is fully accountable for their dataset and the individual should be senior enough to carry significant weight when issues are raised. A data owner would be supported by one or many data stewards.

Data stewards are the folks that have accountability for all the day-to-day management of data. They're the people that are the absolute subject matter experts and can advise the business around the data that is held.

Finally, we have committee members. The committee is an advisory board for the business. They are responsible for defining and clearly articulating the data governance strategy and guidelines. They are responsible for championing data management across the business and making sure that regulatory demands are met.

Every single member of staff, regardless of their seniority, should be accountable for our data governance. Why? Because we all have the ability to influence this in some way. If you work in building maintenance, it's true, you may not have access to all the IT systems, but you have access to the building. You still need to make sure that nobody is tailgating you through the door and that you don't allow unauthorised individuals access to the filing cabinets.

A big part of this accountability is training. How can you possibly expect your employees to support your data governance efforts effectively without investing the time and money to train them properly?

Data security policy

People are the weak link when it comes to data security, so we need to do a number of things to help them to help the company and protect your data. One such deliverable is a data security policy. This is the bible as far as data security is concerned, and it'll help your workforce to do right by your customers and their data.

Within our data security policy, we need to give our employees an overview of why they should care. It should talk about the possible impact to the customer and the regulatory requirements, and it should talk about what is and isn't an acceptable way to process customer data.

We should then cover off all sorts of things which will help safeguard customer data. The first is to create a password policy for your business. If John has a password of John1, he is asking to be hacked. So, we should force our employees to have passwords with upper and lower case letters, special characters, numbers etc., something like this: '_GSE+QW5a+e3NcDy'.

Passwords are a huge problem in businesses. Did you know the most common passwords are 'letmein', 'password' and '123456'? When we have phrases, sequential letters or something that relates directly to the user as the password, it's like giving the hacker the golden key – it won't take them long to break it. Whereas our super complex password above will give them a lot more to think about.
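As an added illustration (not part of the original post), here is a small Python check that encodes the policy just described: the character-class rules, a denylist seeded with the three common passwords named above, a check that the password does not contain the user's own name (the John/John1 case), and a check for sequential runs. The denylist contents beyond those three and the 12-character minimum are my assumptions.

```python
import re

# Constructed denylist: the three passwords the post names plus two obvious
# neighbours. A real policy would use a far larger breached-password list.
COMMON_PASSWORDS = {"letmein", "password", "123456", "qwerty", "password1"}


def _is_sequential(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive characters that step by +1 or -1
    in code-point order, e.g. 'abcd', '1234' or 'dcba'."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str, username: str = "") -> list[str]:
    """Return the policy rules the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < 12:  # assumed minimum length; the post gives none
        problems.append("shorter than 12 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if _is_sequential(password):
        problems.append("contains a sequential run")
    return problems


if __name__ == "__main__":
    for user, pw in [("John", "John1"), ("John", "_GSE+QW5a+e3NcDy"), ("", "123456")]:
        print(f"{pw!r}: {check_password(pw, user) or 'OK'}")
```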

The next part of our policy needs to cover internet usage. We need to make sure that our employees know that misusing the internet can lead to data breaches. If, for example, your employee were to download a virus to your corporate network, you'd be in for a bumpy ride! Defining what they can and can't do and keeping a log of those activities is important for your information security.

We also need to define an email usage policy and train our users on phishing. As with web usage, it's perfectly possible to accidentally download a virus from an email. If that happens, we need a clear process to declare the problem to IT, and in turn IT need to know exactly what to do to minimise the impact.

With regard to phishing: this is where the hacker is fishing for information. They might send an email claiming to be from a supplier or other company and try to draw important information from you. This can be conducted over phone, SMS or email, so you need to train your employees and document what to do when they suspect phishing.

The next key part of the policy concerns mobile devices. It is the employee's responsibility to make sure that their device meets the security criteria set out by the company. For example, if they are using their devices for work-related matters, there should be password protection on the device and relevant security software, the software versions should be kept updated to keep up with bug fixes, and there are plenty of other criteria they need to ensure they meet.

Finally, for any breach of security, you need to define a process to report it so that the impact can be assessed and the company can take steps to mitigate the damage.

Training and engagement

You probably agree by now that the single biggest threat to a company's data security is its own workforce, so we need to train them and ensure that they understand the implications of a data breach and what they can do to mitigate such a breach.

The problem is, this kind of training is boring. Really boring. So, we need to find ways to actually engage our employees, rather than simply ticking a box because they said that they read the policy.

I’ve seen this engagement done well in the past. I’ve also seen it done very badly. A few ways I have seen to really pique interest are:

Running Data Days: this is all about showing the value that can be derived from data when it’s handled correctly. You can get your workforce excited about the potential to automate their currently very manual reports; to gain additional insight about their customers or to run machine learning models across the data to make predictions as to whether a customer is likely to respond well to an upselling attempt by the sales team.

By showing the possibilities of the data, you achieve two things. Firstly, it shows the team the value of the data to the business; secondly, it shows the level of sensitive data that you store about your customers – this is something that many people in your team may not be aware of, as it doesn't directly impact their day-to-day job.

As part of the day, you can run engaging data governance workshops. You could show some ridiculous phishing emails (like the one from a foreign millionaire who just wants to transfer some money out of the country and needs your help to do so. Don't worry, you'll get a 10% cut), coupled with some more serious ones. Make a game of it; perhaps you could call the session 'to phish or not to phish' to pique some interest in the agenda items too.

There is no escaping some sort of formal training and assessment too. It's the only way to truly validate that your team was paying attention and that they understand their responsibilities towards your customer data. It also provides you with an audit trail. Remember we said earlier that if you have tried to comply with regulation, it may help you secure a lower fine than if you've totally disregarded it? Well, showing that you have trained your employees and were fostering a data culture is definitely a positive thing to show the regulators.

The training can be delivered as an online course with quizzes or as a face-to-face session. My preference is face-to-face, as you can get people up out of their seats and interacting, and can make the session a lot more engaging. Conversely, should you provide an online training session, you'll probably find that your team are not listening and are instead surfing the web or responding to emails. As this is a really impactful and important training session, you should make as much effort as possible to deliver it face-to-face.

Next is certification. The promise of an industry certification is very good for focusing the mind and getting people on board with the programme. It’s not feasible to put everyone through formal training, but you can have a champion in each business area that can advise their colleagues and help foster the data culture you need.

It's important to keep the momentum. You can do this by running weekly cybersecurity drop-in sessions or working lunch sessions where you talk about interesting things in the world of cyber security. The key thing is to make a conscious effort to make the content engaging. Death by PowerPoint does not drive a data culture, whereas running byte-size cyber security training sessions, which allow the employees to work towards a professional accreditation, does. There has to be something in it for them too!

Kodey