In case you are a CEO there is a set of preventive measures you can take to ensure company’s security and employee trust. 

1. Create a culture of information management. The employer needs to explain to the staff that the equipment, software, and information are the property of the company. As practice shows, employees often don't understand it, so the attitude to the safety of these resources is extremely negligent. The company must make clear that information is a serious issue, the growth of employee awareness will convert them into becoming more attentive ones, which reduces the number of incidents due to carelessness. 

2. Regular training. According to statistics, advanced users open 30% of phishing emails, and 12% of these targeted users click on the malicious link or attachment. 

That is, even those who are aware of phishing attacks fell prey to the threat. The reason is not only users being inattentive. Hackers are constantly mastering their attacks, for example, phishing emails and sites are increasingly difficult to distinguish from real ones. It is useful to conduct regular cyber training events that will keep employees updated and show the employer the real state of affairs of the company's vulnerability.

3. The control of information security. There are too many channels through which information can leak from the company. Along with external attacks become more complex. The company needs to gradually increase the arsenal of protective equipment. At the first stage, it is often enough to use antivirus programs, Windows administration tools, and employee productivity monitoring programs. Then companies start to feel the necessity to use Firewall, Proxy, IDS/IPS, DLP, and SIEM systems. 

As regards employee monitoring, specialists access the reports automatically created by the system only in case of an incident or abnormal behavior – the irregularity or deviance is regulated in accordance with the needs of a company, i.e. can be tweaked in the security policy settings of a monitoring system.

The system isn’t focused on identifying a person and creating a register where all the user deeds are being logged – the solution’s concern is to identify a computer from which personal data or confidential information is being leaked or sensitive data is being poorly stored and to bring a specialist’s attention to an issue.

And if earlier professional info-security tools were a necessity only for large enterprises, now they are in demand for the SME segment.

4. The introduction of the responsibility. Signing the responsibility papers is a very important step towards improving the company's information management culture. At the same time, people should be aware of the consequences of non-compliance with internal regulations. For example, the Criminal Code of the Russian Federation, Article 183, presupposes a fine of 1.5 million rubles or 7 years of imprisonment for data theft, which discourages employees from stealing company's secrets.

5. Use monitoring systems to control suspicious activity within the corporate perimeter, scan and classify all the stored information in order to know what data is located on the company’s servers, whether it is sorted. File auditing systems help control and manage access rights so that you could be aware of who can and can’t process particular data, facilitate keeping track of user operations with documents tagged as a trade secret, personal data, etc., making it much easier to comply with such regulations as GDPR.