Before, During and After a Data Breach: Preparing Staff
- Kafico Ltd
- 2 days ago

When people think of data breaches, they often picture large-scale cyber-attacks or regulatory investigations. But for most organisations, the starting point is far simpler: an everyday employee who clicks the wrong link, sends the wrong email, or misplaces a document.
As a Data Protection Officer (DPO), one of your most effective risk-reduction tools isn’t a technical control; it’s preparing staff with clear, practical steps they can take before, during, and after common incidents.
Why “Before, During, After” Works
Employees often freeze when something goes wrong. A “before, during, after” framing:
Before encourages habits that reduce the chance of error.
During gives a simple containment response.
After builds awareness and supports reporting.
This approach avoids overwhelming staff with technical details and instead equips them with bite-sized, actionable routines.
Everyday Scenarios Employees Face
Here are the most common employee-level breaches and the practical preparation leaders should build into awareness programmes:
The Top 5 Staff-Level Breach Risks
1. Email Sent in Error
Before: Set a short “send delay” and double-check recipients/attachments.
During: Alert the DPO; recall the email if possible; ask the recipient not to read and confirm deletion.
After: Note what happened and be alert.
2. Phishing Emails
Before: Train staff to spot unusual requests and hover over links.
During: Report to their manager or DPO; don’t click; use the “Report Phishing” button.
After: Delete and remain alert for similar attempts.
3. Clicking a Malicious Link or Attachment
Before: Reinforce strong passwords and MFA.
During: Alert the DPO; disconnect the device; stop using it.
After: Follow IT instructions and reset passwords when advised.
4. Lost or Stolen Devices
Before: Encourage device locks and mandatory MFA.
During: Alert the DPO; retrace steps; report loss immediately.
After: Use a temporary device if provided; watch for unusual account activity.
5. Unauthorised Access (Suspicious Login/Activity)
Before: Promote strong passwords, MFA, and logging out after use.
During: Change password straight away; disconnect if suspicious activity continues.
After: Stay alert for odd messages and review recent logins.
Your Role
Your job isn’t to make employees security experts. It’s to:
Normalise safe habits — simple steps like send delays and device locks.
Simplify the “during” actions so staff know exactly what to do.
Reinforce reporting culture — staff must feel confident escalating incidents quickly.
Turning Guidance into Practice
Crib Sheets: Provide one-page quick-reference guides.
Micro-training: Use short refreshers focused on “what to do right now”.
Scenario Drills: Run tabletop exercises where employees practise “before, during, after” responses.
Final Thought
The majority of breaches start at the front line, not in the server room. Preparing staff to act confidently in those first few minutes can make the difference between a contained incident and a reportable breach.
As a DPO, building simple, human-centred playbooks for your people isn’t just compliance; it’s one of the most effective safeguards you can deploy.
Emma Kitcher, Privacy Nerd