Many companies know the situation: on paper there is a clear rule for how the requirements of the GDPR are to be implemented in their own operations, but day-to-day practice often looks very different. Employees rarely handle sensitive data carelessly on purpose. Rather, they lack the time to engage with the topic properly, or they simply do not recognise that their behaviour violates the GDPR.
Trust Is Not Always Good
Modern business software is becoming more and more capable and is, supposedly, ever better protected against attacks. Attackers therefore increasingly target people as the weakest link. One method is social engineering: interpersonal manipulation aimed at inducing a particular behaviour in order to gain access to confidential information. Social engineers assume false identities, posing as technicians or executives, in order to extract secret company information or personal passwords.
Alongside the far more individual social engineering, phishing emails pose a risk of their own. Criminals either trick recipients into handing over their data voluntarily, or they deliver spyware that harvests data unnoticed in the background. The term phishing is usually explained as a blend of the English words »password« and »fishing«. Many people believe they are immune to it, but there is a reason the method has been popular with scammers for years: fake emails have become increasingly hard to identify as criminals refine their techniques. For example, they use sender addresses that look like those of known contacts but differ by a single character, a swapped pair of letters, or a look-alike character from another alphabet; checking the actual sender domain rather than the displayed name catches many of these attempts. Pharming goes one step further: the attacker manipulates name resolution (for example through a tampered hosts file or a poisoned DNS cache), so that even a correctly typed web address leads to a counterfeit site where the user enters sensitive data.
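The "differs marginally" trick described above can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the original article: it reduces a sender's domain to a "skeleton" in which digit/letter look-alikes, a few Cyrillic homoglyphs and common two-letter confusions (rn for m, vv for w) collide, then compares it with an allow-list of known domains. The allow-list, the homoglyph tables and the sample addresses are constructed for the example and deliberately incomplete; a production check would use the full Unicode confusables data.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed allow-list of domains the organisation legitimately exchanges mail with (assumption).
KNOWN_DOMAINS = {"example.com", "example-bank.com"}

# Illustrative subset of Cyrillic letters that render identically to Latin ones (assumption,
# not exhaustive; real deployments use the full Unicode confusables table).
CYRILLIC_HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
                       "\u0440": "p", "\u0441": "c", "\u0445": "x"}

# Digit and multi-letter substitutions that look alike in common fonts (illustrative subset).
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w", "cl": "d",
                        "0": "o", "1": "l", "3": "e", "5": "s"}


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of an address such as 'Alice <alice@example.com>'."""
    addr = address.strip().rstrip(">")
    if "@" not in addr:
        raise ValueError(f"not an email address: {address!r}")
    return addr.rsplit("@", 1)[1].lower()


def skeleton(domain: str) -> str:
    """Map a domain to a canonical form in which visually similar strings collide."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(CYRILLIC_HOMOGLYPHS.get(ch, ch) for ch in text)
    # Drop combining marks and any other non-ASCII left over after normalisation.
    text = "".join(ch for ch in text if ord(ch) < 128)
    for seq, repl in CONFUSABLE_SEQUENCES.items():
        text = text.replace(seq, repl)
    return text


def classify_sender(address: str, known=KNOWN_DOMAINS, threshold: float = 0.85):
    """Return ('known', domain), ('lookalike', impersonated_domain) or ('unknown', domain)."""
    domain = sender_domain(address)
    if domain in known:
        return ("known", domain)
    sk = skeleton(domain)
    best, best_ratio = None, 0.0
    for candidate in known:
        cand_sk = skeleton(candidate)
        if sk == cand_sk:
            return ("lookalike", candidate)   # differs only by homoglyphs or confusables
        ratio = SequenceMatcher(None, sk, cand_sk).ratio()
        if ratio > best_ratio:
            best, best_ratio = candidate, ratio
    if best_ratio >= threshold:
        return ("lookalike", best)            # a character or two off, e.g. a dropped letter
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample senders; the 'a' in the fifth one is Cyrillic U+0430, not Latin.
    for sender in ["alice@example.com", "it-support@exarnple.com", "ceo@examp1e.com",
                   "news@example.co", "ceo@ex\u0430mple.com", "bob@unrelated.org"]:
        print(f"{sender:28} -> {classify_sender(sender)}")
```

The equality check on the skeleton catches homoglyph and substitution attacks outright; the similarity ratio catches typo-squats such as a dropped trailing letter. The threshold is a tuning knob: too low and every unrelated domain becomes a false positive, too high and a two-character change slips through.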
Although everyone has probably heard that a strong password should be at least eight characters long and mix numbers, upper- and lowercase letters and special characters, passwords remain a major security gap in companies. Current guidance such as NIST SP 800-63B in fact puts more weight on length and on screening against lists of known-breached passwords than on forced composition rules. Employees often use the same passwords for years, and these frequently consist of simple sequences such as 123456 or QWERT, i.e. keys that sit next to each other on the keyboard.
Text files listing all of the company's relevant logins, stored on employees' computers or printed out and left on their desks, are also an easy target for fraudsters. Since most people cannot remember a large number of different and possibly complex passwords, password managers exist for exactly this purpose: they generate strong passwords, store them in encrypted form and fill them in automatically at login. The master password protecting that vault then becomes the one password that has to be long, unique and remembered.
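The two preceding paragraphs describe what a weak password looks like (short, on a common-password list, a keyboard walk such as QWERT or 123456) and what a password manager does instead (generate random ones). The following is an added example, not code from the original article, that puts both into working form: a checker that reports why a password is weak, and a generator that draws from the CSPRNG in Python's `secrets` module and rejects the rare draw that would trip the checker. The blocklist is a constructed stand-in for a real breach-derived list, and a QWERTY layout is assumed for the keyboard rows.

```python
import math
import secrets
import string

# Constructed blocklist of frequently breached passwords; a real deployment would load a
# large breach-derived list (assumption). Comparison is case-insensitive.
COMMON_PASSWORDS = {"123456", "12345678", "password", "qwerty", "qwertz",
                    "111111", "letmein", "welcome"}

# Physical key rows used to detect "walks" such as QWERT or ASDFG (QWERTY layout assumed).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

_KNOWN_CLASSES = string.ascii_letters + string.digits + string.punctuation


def is_keyboard_walk(password: str, min_run: int = 4) -> bool:
    """True if the password contains min_run or more adjacent keys from one row, either direction."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in lowered:
                    return True
    return False


def has_repeated_run(password: str, min_run: int = 4) -> bool:
    """True if any single character is repeated min_run or more times in a row."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run >= min_run:
            return True
    return False


def entropy_bits(password: str) -> float:
    """Upper-bound estimate assuming each character was drawn uniformly from the character
    classes actually present. Human-chosen passwords are far weaker than this number suggests."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    pool += len({c for c in password if c not in _KNOWN_CLASSES})  # spaces, umlauts, ...
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str) -> list:
    """Return the list of reasons a password is weak; an empty list means it passed."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if is_keyboard_walk(password):
        problems.append("contains a keyboard walk")
    if has_repeated_run(password):
        problems.append("contains a run of repeated characters")
    if entropy_bits(password) < 60:
        problems.append("estimated entropy below 60 bits")
    return problems


def generate_password(length: int = 20, alphabet: str = _KNOWN_CLASSES) -> str:
    """Generate a password with the CSPRNG in `secrets`; retry if a draw trips a check."""
    if length < 12:
        raise ValueError("length must be at least 12")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed samples: the two classic weak choices from the text and a long passphrase.
    for pw in ["123456", "QWERTasdfZZ11", "correct horse battery staple", generate_password()]:
        print(f"{pw!r}: {check_password(pw) or 'OK'} ({entropy_bits(pw):.0f} bits)")
```

Note that the passphrase passes every check despite using only lowercase letters and spaces: length, not character mix, is what drives the estimate, which is the point of the NIST guidance mentioned above. The keyboard-walk and repeated-run checks are deliberately simple; a real password manager or login policy would add a much larger breach list and, for human-chosen passwords, a dictionary check.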
In general, every company that handles personal data must define and document the technical and organizational measures it takes to protect that data (GDPR Article 32). Technical measures include physical controls such as securing the company building, for example with locks; the corresponding organizational measure would be documenting who has been issued which keys.
Managers should also remind their employees of data-protection-compliant behaviour in everyday work. It should go without saying that sensitive documents such as personnel files are not left lying openly on desks. Hösel also advises: “It is advisable to avoid loud phone calls about sensitive company data in public as far as possible and to use privacy filters when using company laptops on the go.”