Challenge & further assistance

Let's get to work!

You now know how to make sure that only the right people can access the right data. It's time to test how well you can put this into practice!

On this page, you will find a fun and educational ‘challenge’ you and your colleagues can do together. With this challenge, you and your colleagues will gain insight into the degree to which you may, from time to time, whether intentionally or not, leak data within your team/department. By clarifying this for each other, you will create a good starting point for a discussion, which can contribute towards a greater awareness when it comes to privacy and security.

Good luck!


 

Challenge: Who is the biggest data leaker?

 

All information from this entire course basically comes together in this challenge. By actively searching for data breaches caused by your colleagues, in rubbish bins, on shared hard drives, in cupboards and on unlocked screens, you can make each other aware of how easily a data breach can occur.

Goal: to become aware of the degree to which you and your colleagues leak data within your team/department and come up with measures together to prevent this.

Participants: it is recommended to only do this challenge with a limited number of employees, since all team members may end up seeing personal data about each other. Sufficient trust must exist between team members to be able to take on this challenge together.

Execution: In this challenge, you and your colleagues will work as a team and, over the course of one week, try to catch each other as often as possible in the act of leaving personal data unattended, without touching each other's equipment or using illegal software to get each other to divulge data. Each participant will save the data collected in an encrypted document; this document will form the starting point for the final discussion about the measures to be taken.

Bonus execution: you can expand this challenge to include data carriers which do not contain personal data!

To carry out this challenge, you should complete the following steps:

  1. Put together the team which will carry out this challenge, keeping in mind that participants may be able to view personal information about each other after one week.
     
  2. Communicate the rules to all participating employees:

- For an entire week, we will try to collect as much personal or other sensitive information as possible that is 'leaked' by the other participants.

- Keep doing your work wherever possible as usual, but try to pay extra attention during this week to all of the security measures mentioned in this course.

- You can try to uncover data breaches caused by other participants in various ways, for example by:

* looking in each other's rubbish bins

* looking at documents lying around on each other's desks (without touching these documents)

* looking at unlocked computer screens (without touching the computer)

* trying to elicit the sensitive information while having a conversation

* investigating which files and folders on a shared drive may not be properly protected

* peeking into another participant's open or unlocked cupboard or desk

* eavesdropping on another participant's conversation on public transport

* etc.

- If you have found sensitive information, save it in a Word document, which you protect with a password. Not sure how to do that? Then have a look at this step-by-step plan: [insert step-by-step plan for protecting Word documents].

- Keep your activities safe: don't touch any of your colleagues' things, and report any serious data breaches you discover to each other immediately. The object is to increase awareness, not to pillory or make a fool of each other.

  3. At the end of the week, the team leader will collect the documents from the participants and show these on the projector during the debriefing.

  4. The challenge will end with an evaluation discussion, in which the participants will share the information they found with each other and, if possible, reach agreements for handling sensitive information more carefully, both online and offline.

  5. At the end of the challenge, destroy all files in which sensitive information has been collected by the participants.

 


All quick wins related to the principle 'Only allow the right people access to the right data' can be found in a handy list below:

Data minimisation: Are you going to collect personal data? You should always ask yourself critically whether or not you can also achieve your purpose with less data.

Classification: Look in more depth at the various classifications that exist for all of the documentation at our education institution and the rules associated with each classification.

Data breaches: Be aware that it is not up to you to decide how serious a data breach is or whether or not action needs to be taken. Report all data breaches immediately to [insert contact details]: they will follow up on your report.

Lending business equipment to others: one simple rule. Don't do it!

Any other questions? If you have any other questions about data breaches and what action you should take if you experience one, please contact [add contact details].