14.10.2024

One in five companies do not ensure data protection training

Eighty-one percent of SME companies train their employees in data protection, but almost three in five do so only once, upon hiring. It is highly alarming that as many as 20 percent of entrepreneurs do not do it at all, according to a survey commissioned by ChronPESEL.pl and the National Debt Register under the auspices of the Personal Data Protection Office. Meanwhile, a lack of training, or only sporadic training, can be very costly, because unintentional human error is often the cause of data leaks or theft by hackers.

Untrained employees are the weakest link in any company's data security system, regardless of size. Such people make basic mistakes: opening suspicious emails, clicking on links contained in them, using weak, easy-to-guess passwords, emailing unencrypted files or storing unsecured documents with personal data in the cloud, or losing them to unsecured flash drives or external drives. As a result, at best a company can lose the trust of employees and customers, and at worst incur a severe fine.

While the information that 81 percent of SME companies train employees in data protection sounds good, it looks much worse when you take a closer look at the survey results. As many as 59 percent of those surveyed do so only at the beginning of employment. Among them, micro companies dominate (59 percent) compared to medium-sized (52 percent) and small (40 percent) companies. Entrepreneurs in the service (67 percent) and construction (61 percent) industries most often limit training to this single session, with sole proprietorships (63 percent) more prevalent than companies (55 percent).

- Employers' lack of training is evident in many notified data breaches. This can be seen in cases where personal data are disclosed to the wrong person as a result of incorrectly addressed data shipments or ransomware attacks, which would not have happened if staff had been properly trained for such situations. It is also important for training to be cyclical, reminding people of the relevant security rules and adapting them all the time to new emerging threats, says Jacek Młotkiewicz, Director of the Inspections and Breaches of the Personal Data Protection Office.

Unfortunately, only 22 percent of respondents say they renew employee training during employment. Interestingly, among them, small companies (41 percent) compare more favorably to medium-sized (35 percent) and micro (21 percent) companies. One reason for this may be lower staff turnover. Companies in manufacturing (57 percent), trade (35 percent) and transportation (34 percent) stand out. They are more often companies (31 percent) than sole proprietorships (12 percent).

Humans are the weakest link

Worryingly, an extremely dismissive attitude is held by as many as 20 percent of respondents, who do not train employees on data protection at all. Of these, the biggest offenders are micro companies (20 percent), followed by small (18 percent) and medium-sized companies (14 percent). The most frequent perpetrators of this offense are representatives of the transportation industry (32 percent), as well as manufacturing and services (20 percent each). Sole proprietorships (25 percent) are more prevalent than companies (15 percent), as are businesses that have been operating for more than 10 years (46 percent).

- Many SME business owners underestimate the threat from hackers. They think they are not an attractive target for attacks. They also often don't know that humans are the weakest link in a clash with cybercriminals. As a result, even if businesses have strong security measures in place, any lack of training of the staff they hire greatly increases the risk of human error, which can end in data theft or leakage. Not only of their own employees, but also of their clients and customers, warns Bartlomiej Drozd, an expert at ChronPESEL.pl.

One in eight companies targeted by hackers

And the risk is very real. There are 2.3 million micro, small and medium-sized companies in Poland. Meanwhile, 12 percent of respondents say they have experienced an attempted theft of personal data. Extrapolated, 281,500 SME companies could be at risk of attack. One in four of those respondents (3 percent of all surveyed) say that the hacking attempt was successful for the cybercriminals. On that basis, hackers may have stolen data from 70.4 thousand companies.

However, it is important to remember that these are only the detected cases. Many respondents may not be aware that hackers have successfully stolen data from their companies, since computer intrusions do not leave traces visible to the layperson.

Among respondents who say they've experienced an attempted data theft, it is slightly more common in medium-sized companies (10 percent) than in micro (9 percent) and small (7 percent) companies. Among them, twice as many are companies (12 percent) as sole proprietorships (6 percent), and they have typically been on the market for five to 10 years.

Cybercriminals are particularly fond of companies in the transportation industry, which, according to respondents' declarations, they by far most often attempted to break into (32 percent). In contrast, the theft of personal data was successful at 19 percent of companies in the manufacturing sector.

- Transportation and manufacturing companies are a glutton for hackers due to the large number of orders they process. As a result, they process the personal data of many customers. All the more reason why their leakage or theft by hackers due to the mistake of an untrained employee can be very costly. The result will not only be a severe fine, but probably a loss of reputation among business partners, meaning a decrease in profits, says Bartlomiej Drozd.

And personal data stolen from a company can be priceless to hackers. According to respondents, 86 percent of SME companies process the names of their employees. Slightly less frequently, the phone number (80 percent), home address and personal identification number (75 percent each). This is followed by e-mail address (70 percent), bank account number (68 percent), ID card number (62 percent) and health data (43 percent, e.g. about absences or past illnesses).

Costly ignorance

Entrepreneurs seem to know what steps to take if hackers attempt to steal, leak, lose or defraud personal data. Unfortunately, not enough of them do. 59 percent of respondents would report it to law enforcement authorities. 57 percent of respondents would inform the affected individuals and change passwords on computers. In turn, 52 percent would increase the level of security. This means that as many as 40 percent of SME business owners do not know how to behave properly in the event of a cyber attack.

It's also disturbing that only 42 percent of respondents say they would notify the Data Protection Authority if their data were stolen. This is despite the fact that, according to the regulations, entrepreneurs as controllers have such an obligation if there is a probability (higher than low) of a harmful impact on data subjects. If they fail to comply with it, and there is a risk of, for example, so-called "identity theft" for those whose data have been stolen, controllers risk heavy penalties from the President of the Personal Data Protection Office. This could mean that almost every other company would rather try to trivialize the effects of the loss or hide the data theft.

- A notified breach may provide the impetus for the OPA President to investigate how a controller complies with GDPR regulations, and only when the investigation reveals irregularities can a penalty decision be issued, adds Jacek Młotkiewicz.

In the event of data theft or leakage, 41 percent of respondents would assist victims by providing, at the company's expense, a service to monitor the use of their PESEL number. Only 15 percent would hire lawyers.

The survey was conducted by TGM Research on behalf of ChronPESEL.pl and the National Debt Register under the auspices of the Personal Data Protection Office in May 2024 using the technique of online interviews (CAWI) on a sample of 400 representatives of SMEs meeting the criterion of decision-making and processing personal data.