We live in a world where data breaches and ransomware have crippled even large multinational organizations. What does every company need to tighten up their approach to Data privacy and Cybersecurity? What are the new threats that companies should be aware of?
In a recent interview series in Authority Magazine called “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity” we interviewed close to two hundred Data Privacy and Cybersecurity Experts, as well as CTOs and CISOs, who discussed these questions. Here are twenty highlights of their interviews.
Angela Saverice-Rohan, EY Consulting
- Understand the value of your data at risk. In order to make risk-based decisions on your cyber strategy and what privacy compliance efforts to prioritize, you must first understand not only what data you have, but how your organization is using it. This doesn’t mean that the organization needs to undertake a massive effort to inventory all of their data. Instead, identify and prioritize the systems that contain high value assets — the information that, if exfiltrated, corrupted or released publicly, would have a significantly negative impact on your business operations.
- Know your data defense and data offense strategies and be able to articulate why either strategy has more emphasis during any given year. Data defense focuses on minimizing the downside of data risk and data offense is about maximizing the value of your data to drive growth and efficiencies in your business. Data defense imposes constraints and includes cyber and most of your privacy measures. Your data offense strategy could be impacted based on how you design your cyber and privacy controls. Your Board should be updated on these strategies in unison, as it allows them to understand the bigger picture and make informed decisions on balancing between 2 equally important objectives.
- Understand how cybersecurity and privacy are operationalized in your cloud environments and data lakes. I see many clients who discuss cyber and privacy at the beginning of these projects to modernize their data ecosystem, but they don’t carry through the requirements into the operating environment. This means that control ownership for cyber or privacy may be unclear (vis-à-vis the cloud provider versus the company) or, in the case of a data lake, there may be uncontrolled access and a lack of restrictions around data use cases.
- Integrate your cybersecurity and privacy controls into the business and across the three lines of defense. This means that you should have security and privacy controls that apply at the right level of process, applicable to each business unit. This establishes accountability for the control and provides the right level of risk coverage. A proper framework that provides the basis for effective internal control should demonstrate traceability to all of the laws, regulations, standards and contractual commitments related to cybersecurity and privacy. It should also have delineated controls across the business and act as the single source of truth to support cyber and privacy programs, resourcing and technology enablement.
- Prioritize certain capabilities over others because of the gains to be had. As attacks become more advanced, it will take longer for them to be detected, which compounds the risk to the organization. Don’t lessen your investment in the detection domain. From a privacy standpoint, create controls that support Privacy by Design, in alignment with your product/service lifecycle, as well as how personal data is collected, processed, stored, shared and disposed of. Integrate these controls into the business via the points where change management occurs. Don’t assume all of your change management activities are centralized. Instead, confer with business units on how change specific to their operations is managed and drop the controls into those existing processes.
Gabe Turner, Security.org
- Use VPNs: Especially if your workers are on public Wi-Fi networks, like in a coffee shop or library, have them connect to VPNs, or Virtual Private Networks, before doing any work online. This will encrypt their web activity and hide their IP addresses, making them much less susceptible to hacking. After I got sick of being on lockdown and cafes opened up, I started to work at coffee shops to escape my home, always connecting to a VPN first thing before doing any work online.
- Use password managers: In order to protect employee accounts from unauthorized access, have them use a password manager for all business-related online accounts. Password managers will audit their current passwords, making sure there is a long, unique and complicated password for each account. Then, some password managers can add advanced authentication methods, like two-factor authentication in the form of a passcode or multi-factor authentication in the form of fingerprint or face ID, which prevents unauthorized access. Before I had LastPass as my password manager, I had to constantly reset passwords, and I used a variation of the same password for each account. Now, not only are my passwords protected in an encrypted vault, but I use Touch ID to sign in to accounts on my phone, which is both more secure and easier than having to remember a million different passwords.
- Get business identity theft protection: Many people don’t know that businesses need protection from identity theft as well as individuals. Identity theft protection services scan a number of areas for businesses’ identifiable information, like their tax ID. When our business email was involved in a Poshmark data breach, we got alerts on our phones immediately and changed our password.
- Use antivirus software: To protect against malware, it’s important to have antivirus software installed on all work-related devices. Many services also include protection against phishing, ad-tracking, and even spam calls. I used to get multiple spam calls a day, which would drive me crazy, but with antivirus software, I receive fewer and fewer.
- Train employees: This should be fairly obvious, but some companies seriously skimp on training employees on how to protect business and customer data. At the very least, train your employees on how to recognize phishing links and emails, as they are the most common ways that hacking can occur.
Bindu Sundaresan, AT&T Cybersecurity
- Create an offensive strategy with a security-first mindset: Assume you are already hacked. At all times. If a company builds its operations and defense with this premise in mind, the chances of helping to detect these types of attacks and preventing the breaches are much greater than for most organizations today.
- Formal vulnerability management doesn’t simply involve the act of patching and reconfiguring insecure settings. Vulnerability management is a disciplined practice that requires an organizational mindset within IT that new vulnerabilities are found daily, requiring continual discovery and remediation.
- Data governance is necessary in order to provide and protect high-quality data throughout the lifecycle of that data. This includes data integrity, data security, availability, and consistency. Data governance program policies must include:
  - Delineating accountability for those responsible for data and data assets
  - Assigning responsibility to appropriate levels in the organization for managing and protecting the data
  - Determining who can take what actions, with what data, under what circumstances, using what methods
  - Identifying safeguards to protect data
  - Providing integrity controls to provide for the quality and accuracy of data
- An organization’s brand is a valuable asset, but it’s also a great attack surface. Threat actors exploit the public’s trust of that brand when they phish under the organization name or when they counterfeit its products. The problem gets harder when an organization engages with the world across so many digital platforms — the web, social media, mobile apps. These engagements are obviously crucial to a business. So, something else should be obvious as well: Guarding an organization’s “digital trust” — public confidence in the company’s digital security — is make-or-break for a business, not just part of a compliance checklist.
- Building a security culture takes time and effort. What’s more, cybersecurity awareness training ought to be a regular occurrence — once a quarter at a minimum — where it’s an ongoing conversation with employees. One-and-done won’t suffice. People have short memories, so repetition is altogether appropriate when it comes to a topic that’s so strategic to the organization. This also needs to be part of a broader top-down effort starting with senior management. Awareness training should be incorporated across all organizations, not just limited to governance, threat detection, and incident response plans. The campaign should involve more than serving up rules, separate from the broader business reality. It means instilling a security-first mindset to help protect a business and deliver better business outcomes. Security belongs to every employee in the company, from the C-suite down to the seasonal intern — every employee owns a sliver of the exposed attack surface, but security programs work best when everyone understands that security makes the business stronger and their jobs easier.
Newt Higman, Sharp Electronics
- Ensure you have multi-layered protection to secure all aspects of your business. A network risk assessment can help you uncover gaps in your cybersecurity.
- Train, train, train your employees. Hackers rely on using tactics such as phishing to trick your employees into giving them access to your network — and they are only getting better at it.
- Have an incident response plan. Just like you would have an evacuation plan in the event of an emergency, you need an incident response plan that details every step your business must take in the event of a breach.
- Know that EVERYONE is a target. Large enterprises are an obvious target due to the payout possibilities; however, small and medium-sized businesses (SMBs) are uniquely susceptible to cybersecurity threats. This is because they often lack the resources of larger enterprises to invest in more sophisticated and comprehensive solutions. COVID-19 has only made it worse, leading to a spike in global cyberattacks since the start of the pandemic.
- Know that you are not on your own. If your IT department is strapped for resources, enlist a Managed Service Provider (MSP). Actually, Sharp recently conducted a survey that found 90% of small and medium-sized businesses use or plan to use an MSP today. Partnering with an MSP is more affordable than you may think, especially when compared to the cost of a cyberattack.
Anne Hardy, Talend
- Cybersecurity is about finding the right balance between protection and running the business. We can’t protect from everything. Cybersecurity requires understanding business risks. Which risks are we willing to take? And are we preparing ourselves for these?
- Data privacy requires security. The reverse is not true. Some security practices go against data privacy laws and regulations. For example, surveillance cameras or COVID-19 temperature checks may be good for security, but they are an invasion of an employee’s privacy.
- We can’t effectively protect data if we don’t manage it. We need to start to treat data like an asset. The good news is that most companies can reuse best practices from IT or financial asset management.
- Cybersecurity is no longer just about technology. The fundamental dimensions of a strong cybersecurity model include authentication layers, endpoint tactics, and emergency response strategies. The identification of threats and an ongoing plan to address them is vitally important for all organizations.
- One of the most important aspects of cybersecurity is security awareness and education. We need to encourage and enable our employees to do what is right. Therefore, we need to make security as simple and actionable as possible. Employees, especially in today’s world, need to be educated and kept abreast of security issues at all times. With entire companies working remotely, there is no better time to implement full-scale employee security education programs, and it is very helpful if your C-suite is involved in the process. Helping employees to recognize phishing and social engineering attacks both online and over the phone is key.
Doug Clare, FICO
- Take a risk-based approach to cyber-related challenges: Organizations need to continuously evaluate cybersecurity prevention measures they’re taking. It’s not unusual for organizations to burn through all resources being busy with day-to-day security activities, but the important part is to take a step back to evaluate the most important assets, ensuring that those have the appropriate protection. Organizations need to expand their thinking and make sure that they’re engaging in a risk-based approach to protection, which means understanding where the high-risk areas are and focusing more activity on those areas.
- Avoid a “checklist” mentality: It can be easy for organizations to fall into a “checklist” mentality. One of the key challenges that organizations have faced in cybersecurity is that they’ve allowed activity or “being busy” to be a surrogate for effectiveness. Some cyber teams are doing everything — they’re driving all the patches, they’re updating all the certificates, they’re responding to all the vulnerabilities, etc. However, they are not stepping back from these activities to find out where they really have the risk, so that they can double down on those high-risk areas.
- Changing times call for increased diligence: It comes as no surprise that COVID-19 has changed the way we think, work, and interact across many different parts of our lives. The security landscape is no different. With employees working remotely and the list of vendors and third-party partners that organizations are working with also changing based on new needs, this is the opportune time for bad actors to strike. Organizations must be even more thoughtful in monitoring for vulnerabilities during times of intense change like now because there’s an increased likelihood of new security exposures.
- Convergence is king: Risk can mean different things to different organizations, but in general there’s been a move towards convergence of key areas within an organization that can experience breaches or crime. This includes areas like cyber risk, fraud, compliance, and where applicable, financial crime. This trend is certainly something for key decisionmakers to consider as there is real benefit in cross-sharing insights within these departments that can prevent breaches and fraud.
- Know your network. Make sure you’re accounting for all you’re meant to be accountable for. This goes beyond cyber risk and network security — it can also be a problem in securing product or customer portfolios as well. We find, and we hear plenty of stories about, organizations that are frequently taken advantage of in the one area they’re not minding…the bit that was forgotten. A well-researched risk inventory can be an important asset, as the chain is only as strong as the weakest link.
Raju Vegesna, Zoho
1. Use ad-blockers and anti-tracking plugins on web browsers. Of course, most of the websites we enjoy are free, but like I’ve mentioned earlier, most free products still come with a price, and that comes in the form of ads. As harmless as many online ads are, some pop-ups tend to overload your browser and can become extremely frustrating. Cookies and other ad trackers are notorious for being cybersecurity threats and weakening your online privacy. Ad blockers are great at protecting your privacy online. The more advanced ad blockers and anti-tracking apps let you block irritating ads, make your computer run more smoothly, and stop those annoying pop-ups.
2. Vet user agreements thoroughly and make software decisions accordingly. One thing that makes consumer privacy very tricky is that consumers are signing terms and conditions that are allowing these companies to collect massive amounts of data and sell that data. So technically, what they are doing is legal. But if consumers and companies took the time to thoroughly read these terms and conditions and user agreements, I think they would find a lot that they disagree with, and may be more cautious with what software they feel comfortable downloading. You may not think you’re vulnerable, but anything connected to your organization’s network is a potential threat to you and your company.
3. Turn off unnecessary tracking and location services on phones and computers. Apps and even services on your smartphone are constantly tracking your locations and many consumers don’t even know this. Of course, while location tracking can be convenient, it also is a huge privacy and security issue. There are many articles online on how to turn off these features and I highly recommend looking into turning these off and making sure that you’re prioritizing your privacy.
4. Opt out of information sharing on websites whenever possible. Most websites on the internet constantly collect data and information. Some websites can even collect data from your open tabs, so if you care about being in control of who uses your data, take time to understand what information you’re giving up. You can use websites like “Simple Opt Out” that make it easier for consumers to opt out of data sharing with more than 50 companies. For instance, you may not realize that Chase Bank may share your account balances and transaction history with non-affiliates to market to you. Similarly, Crate & Barrel may share your personal customer information such as transactions, email and home address with other select companies.
5. Business leaders should invest in remote software solutions that protect employee privacy and data. With 2020 forcing most businesses into remote working, the need for remote software solutions increased, exposing a new area for privacy and data misuse. As we adapt to the “new normal,” security and privacy concerns for businesses must become a priority. Malicious activities from hackers, phishing scams, and more are increasingly becoming smarter and more frequent. Businesses need to look at remote software as not only a tool to help employees stay productive, but also one that ensures security and safety for both the company and its employees. 2020 has revealed the flaws in software security and privacy and shown us that we can no longer ignore the importance of keeping information safe.
Jason Hicks, Kudelski Security
- Start by enabling the built-in data loss prevention features that you’re already paying for, particularly if you’re a Microsoft Office 365 or Google Suite customer. This will help to reduce the risk of inadvertent breaches by ensuring employees aren’t sending out sensitive or confidential information outside of the organization.
- Understand where your data lives and who has access to it. By mapping this out carefully, you’ll be able to ensure you put the right protocols and parameters in place to safeguard your data systems.
- Make sure you have good anti-malware and endpoint detection and response (EDR) software in place, and that it’s managed centrally either on-premises or in the cloud.
- Revise your BYOD policy to accurately reflect the way in which employees are currently working, especially if your company is operating either fully or partially remote. For instance, instead of pretending that employees aren’t accessing company information on their personal devices, adjust the policy and tools so that they can do it securely.
- Don’t overlook the human factor in security. This is so important as a large number of breaches are due to human error. Ensure that all employees clearly understand your security policy and have the right tools, support and guidance to implement it.
Satya Nanda of Fujitsu Americas
- Don’t let perfect be the enemy of good: While the ambition to create a “perfect” comprehensive security and privacy program is honorable, I would recommend starting small, with a security baseline self-assessment to understand and address the most critical gaps in phases.
- Automate, automate, automate: With so many new tools and technologies now available — including Robotic Process Automation (RPA) — to automate basic tasks such as vulnerability management and patching, more time is freed up for engineers to focus on complex analysis and remediation work.
- Seek external help: For most businesses, having all security and privacy skills in-house is cost prohibitive. Take help from external consulting and MSS providers as necessary to fill the gaps.
- Implement a Zero Trust model: With remote working being the new normal, identity access requirements are inverted, with more users, devices, applications and data located outside of an enterprise than inside. Keep your operations and customers secure by implementing a Zero Trust model for devices.
- Focus cybersecurity education on remote workers: With changes to the way we are working during this pandemic, cyber criminals are looking to exploit remote work vulnerabilities. Organizations must ensure that employees do their part to keep the enterprise secure while working from their home office.
Robbert Emery of NEC X
At the risk of stating the obvious, it is important for companies to take a holistic approach to data privacy and cybersecurity. This means embracing the competitive advantages of both the human and computer aspects in establishing a robust, sustainable data-privacy and cybersecurity system. There are three principles I regard as part of the human aspect: 1) accountability; 2) motivation; and 3) making consequences known. The two principles I regard as part of the computer aspect are: 4) a closed system; and 5) semi-automation.
Implementing a holistic, robust solution is complex and dynamic, and its requirements continue to evolve with new federally mandated directives, including changes to existing directives and keeping up with corporate policies. Therefore, the accountability I am referring to is top-down — providing the right tools and the means to guarantee that the company’s data stewards can secure its own data, while ensuring that the tools are adaptable to the rapidly evolving data privacy and cybersecurity environment. Data breaches, leaks and misuses are all-too-common problems. When they happen, network and data security teams must be motivated to take on whatever challenges arise, and they must be aware of the consequences for delays or executing the security incident plan out of sequence. Advising the team about the consequences is important. The high costs that data misuses and leaks have on productivity, the corporate exposure to fines, and the severe damage that could be done to the credit health of a young adult entering the workforce or higher education are the main reasons for companies to ensure accountability on their security teams.
In addition to the human aspects, there are the computer aspects of the system, where semi-automation and a closed system tighten up the company’s data privacy and cybersecurity implementation. What I mean here is that the use of an AI platform and models enables companies to comply with the numerous regional directives protecting consumer and personal data. This type of appliance scans various enterprise data lakes (and other data sources) for types of data, and PII specifically, as defined in the data protection directives. It then applies remedies per the directives. Because this system is programmable, changes in policies or directives are easily adopted into the AI model’s framework. This results in the ability to retrain the system and redeploy the updated solution in a matter of days.
Tony Velleca, UST Global
- Understand the risks. The risks include regulatory penalties but they also include knowing the risk to your brand. At CyberProof, we believe the best way to assess risk involves using the MITRE ATT&CK framework, which helps organizations visualize and then quantify their level of risk.
- Know thyself. Understand exactly what tools you have and why you’re using them. Know exactly what data you collect and where each type of data is stored.
- Map out how you use the data. Perhaps you need customer data for marketing, and employee data for human resources. Document the purpose of each type of data you collect.
- Identify the best way of protecting data. This includes not just exploring questions related to tools and infrastructure but also of continually updating and limiting who has access privileges. Be aware of the existence of the GDPR’s “right to be forgotten” (see https://gdpr.eu/right-to-be-forgotten/) — according to which individuals can ask organizations to delete their personal data.
- Develop a plan of action in case of attack. Invest time in working with different departments within your organization to create an in-depth process specifying the response to a breach. The plan should specify which external resources you may need to work with.
Michael Zachman, Zebra Technologies
- First, know your environment. It’s extremely difficult to protect what you do not know you have. This seems very basic, but it is a common issue for companies. Keeping a current list of systems, applications, and devices is a surprisingly difficult task. Knowing which systems are the most important is even harder but having a prioritized inventory of digital assets is the foundation for designing and executing a security program. Imagine it’s your job to keep a group of school kids safe on a field trip, but you don’t have a list of who is going on the trip. That list is probably the first thing you’d ask for before leaving the school.
- Second, know your defenses. Based upon your inventory, you need to make sure you have taken appropriate steps to protect your assets. “Appropriate” is an important word, because not all assets should be protected the same. To use a common example, a company’s “Coca-Cola recipe” should be highly protected, while its cafeteria menu should not. Constantly look for gaps in your defenses. After all, that’s what the cyber criminals are doing. If you lock 99 out of 100 windows, the criminals will find that one unlocked window. Always be on the lookout for your weakest link so you can strengthen it.
- Third, make sure you manage your alerts. The best defenses will occasionally fail. A good cybersecurity program is equipped with many alerts to indicate potential failures. The key is to manage these alerts to the proper sensitivity. A common mistake is to have alerts that are too sensitive, creating many false positives. Not only are false positives expensive to track, but they typically lead to a propensity to ignore or miss alerts tied to real failures. Many post-breach analyses have shown that one or more alerts were triggered very early in the breach, but they were missed or ignored at the time.
- Fourth, practice your response. Companies will have a security incident/breach. It is simply a matter of time, so any good cybersecurity program includes effective incident response. As I mentioned earlier, one of the most critical parts of an incident response is the pre-planning efforts that happen in anticipation of a future breach. It is in these pre-planning activities that companies have the best chance of ensuring a rapid and effective response to a security incident/breach. Think about fire drills; the time to figure out evacuation routes is not during a real fire. It’s not enough to have planned those routes; we are required to practice them via fire drills.
- Last, communicate well. People equate security with secrecy, and there is some truth behind that. However, good cybersecurity programs need to also be properly transparent. For example, executives need to know and understand the cybersecurity risks facing the company. An effective program does not overstate the risks by spreading FUD (Fear, Uncertainty and Doubt) in the hopes of getting more budget. An effective cybersecurity program also does not understate the risks to get good ratings or avoid difficult conversations. Transparency is paramount when dealing with external stakeholders. The past approaches of denials and “sugar coating” breach disclosures to the public have often proven more harmful to the company than the breach itself. As the adage says, “it’s not the crime, it’s the coverup;” the same is often true with security incidents/breaches. External stakeholders are much savvier than companies may believe; they are able to understand the facts, good and bad, regarding security incidents. In some instances, companies and executives have been found concealing illegal activity from senior executives to cover up major data breaches, or committing other obstruction of justice.
Marijus Briedis, NordVPN
- Know your data flow. It is an amazingly hard task for big organizations, but you should know what data is going where and why. Knowing all the “pipes” and “flows” allows you to inspect, analyze, and detect anomalies faster.
- Encrypt data in transfer. Using old and unencrypted protocols for data transfers is a straight way to a disaster, even if you use them in isolated environments. The MITM attacks can proceed undetected for a long time, and if the data is sniffed, it can be a gold mine that will allow an attacker to break into other systems. Encrypting data and using modern protocols prevents cyberattacks.
- Encrypt data at rest. You should not only know where your data is stored and located physically, but make sure it is encrypted. At one point in my career, I received an alert that one of the hard disks indicated an error on a RAID controller. It went back to a normal state in 10 minutes, but the serial number of the disk was different. After a long chat with the provider, they said they “had to change it”. I was relieved that all the data was encrypted.
- Update the software and technologies your company uses. Keeping software up to date is a no-brainer for anyone in tech, but other technologies tend to change too. Don’t forget that MD5 is not the hash you should still be using to encrypt your passwords in the database — there are better and stronger alternatives.
- Educate your employees on cybersecurity. Regular training is important for everyone, whether it’s a non-tech accountant or a geeky developer. At the end of the day, the weakest link in cybersecurity is between the chair and the computer.
Brian Bobo, Greenway Health
- Proactively secure your systems. Part of being proactive is ensuring all software and solutions are updated and the latest patches are applied. Also plan to use strong passwords and enable multi-factor identification if you are using cloud-based solutions, such as Office 365 or Google Apps.
- Ensure teleconferencing solutions are protected. The use of virtual care solutions will not subside following the COVID-19 pandemic. And because practices handle sensitive patient data over these platforms, security needs to be top priority. Adopt a HIPAA-compliant telehealth solution that fits into your already established practice workflow for an extra layer of security and protection.
- Develop clear work from home policies and protocols. If practice staff continues to work from home, create policies that establish clear expectations and requirements for remote work security. Setting up a VPN can be one good way to provide a secure connection to practice records.
- Educate staff on how to avoid cyber threats. Education and awareness are key. Ensure staff is aware of all potential threats and how to protect themselves and patient data. Consider providing practice-wide training to be proactive in safeguarding the practice from cybercriminals and hackers.
- Work with a third-party cybersecurity expert. Cyberattacks will continue, but security consultants and trusted vendors can help evaluate your practice’s security risk and provide recommendations for improving your company’s defense.
Max Kirby, Publicis Sapient
Most companies are striking a balance between modernization-first and privacy-first, but whether you lean one way or another at any time, a few strategies make security and privacy incrementally more effective and easier to manage as you modernize. Here are five things every company can do to make managing their privacy easier:
- Educate Your Customer for Their Understanding, Not Your Compliance: Data Privacy Legislation is still on trial. When laws are in their infancy, regulation and enforcement will focus on the principles behind the law. The principle behind almost every data privacy law is consent — but to hold this principle, you have to take into account the fact that most people (61%) know almost nothing about what companies do with their data. They can only consent to your data collection if they understand what they are consenting to. We needed laws to rein in the surveillance economy because it’s probably against your company’s short-term fiscal interest to expose what data you have collected. This is where you should be long-term greedy. The Publicis Sapient Data Collection & Consent Survey shows that users share more data with brands that are transparent about their data collection and usage. That means that the fear of losing data should be outweighed by the fear of missing out on data you would have never collected in the first place if you never had a policy of transparency and trust. There’s a reward out there for companies that do their best to educate their customers on the data they collect and use — more (and better) signal. Especially as more services emerge to make hiding an identity on the web easy, the companies that will win the most information in the information age will be those who give their customers no reason to hide in the first place.
- Establish a Common Data Model: Any professional will tell you the relationships between your datasets are often more important than the data itself. A top-down model agreed upon by all the departments who need to use data will help ensure that collection, translation, and activation happen with enough standardization to help you create privacy policies for each that work together. If that part is done right, it will allow for the right forms of customization by any party to exist while precluding many situations where prevention strategies might fall short. As a bonus, a common data model can also be used to identify potentially risky data silos.
- Set a Digital Identity Strategy: If data is oil, customer data is the light sweet crude. The most critical step in protecting customer privacy and digital identity is normalization rules to define the different parameters of single files representing a person. Digital Identity is something that you need to have a sense of, not just a system for. How you handle different tolerances for resolution will impact your privacy efforts down the line. For example, how will you resolve other user names? How do you decide the preferred device consumers might use to interact with your first-party systems? How will you handle normalization rules when there are contextual conflicts, missing parameters, or defects? All of these technical questions present implications for your nontechnical roles and their strategies to use data or collect it.
- Build a Poly-cloud Customer Data Platform: CDPs were recently named as one of the most important Digital Business Transformation trends by Forces, and 2021 could peak. There’s no reason why you cannot have a packaged SaaS CDP in place to take advantage of well-tested functionalities, but you should always back it up with a cloud-based data warehouse. Also, state laws like CCPA and the federal laws are expected to follow and not treat different data silos in your business very kindly. Suppose you do not start busting silos and resolving any identities present throughout your systems into a centralized system. In that case, it becomes more challenging to protect data in the first place. Distributed data can be more accessible and allow teams to pursue their strategies, but you should have one privacy strategy, not several. Do your legal team a favor and use a Customer Data Platform in tandem with a Common Data Model and a Consent Management System to satisfy the operationally necessary conditions of compliance with the new laws.
- Embrace APIs: Microservices and APIs offer several benefits to those trying to handle privacy at scale. An API management system will make it easier to manage access keys, and some of them provide the ability to make API creation a self-service workflow. Metadata is also much easier to create when API access logs are available and can save you time during audits or breaches. You do not need to use an API to understand who accessed what data, when, but it makes it considerably less labor-intensive to do. The labor saved scales up with usage.
Candid Wüest, Acronis
- Increase your visibility. You don’t need to be flooded with data, but you need to know what is happening to your data. This includes both monitoring and logging so you have an audit trail. It’s best to automate as many steps as possible to make your life easier. Many data breaches could have been prevented as the attackers had been in the organizations for months, but no one had noticed them.
- Prepare for the incident. Attacks and data breaches will happen. Make a contingency plan and practice it. That way, you can go through it like a checklist and make sure you don’t miss a point under stress.
- Follow a comprehensive approach for cyber protection. This means including data protection such as backups, cyber security such as anti-malware, and privacy protection. You have to cover all aspects of the data as a whole in order to stay on top of things and to be able to react optimally.
- Get the support of the people. Make sure management understands the importance of cybersecurity. If they don’t support you, you’ll have a hard time struggling with uphill battles all the time. The same is true for the employees. If they don’t see you as a disruption, but as a benefit that supports them, it is much easier to implement policies.
- Review your identity and access control management. User identities are the new perimeter. Wherever possible, multi-factor authentication should be implemented. It won’t prevent all attacks, but it will make it a lot harder for the attackers.
Dr. Humayun Zafar, Kennesaw State University
- Do not ignore the insider threat. A majority of the breaches occur due to an insider who works at a company. That insider may have malicious or non-malicious intent.
- Offer the “right” kind of training. Offering security training for compliance is fine, but the best method is to offer training that is able to engage groups based on their roles and responsibilities in a company.
- Understand that cybersecurity is not a one person job. The phrase “it takes a village” comes to mind. Cybersecurity is complicated. With an array of ever-changing technical and regulatory controls, no one person can know it all. Delegate responsibilities to professionals.
- Do not underestimate the importance of good incident response and disaster recovery plans. Even the failure of having up-to-date backups can result in a situation where small-to-medium-sized businesses do not recover from a breach.
- Continue to evolve cybersecurity strategies. Since the threat landscape is constantly evolving, it is only natural that cybersecurity strategies also change. Companies should not fall into the habit of resisting change just because a breach has not occurred. The only thing constant in information technology is actually change!
Michael Wilson, Nuspire
- Get a modern endpoint protection (EPP) agent. Make sure you have a modern endpoint agent that does more than monitor. Even the most sophisticated endpoint technology will not help if it isn’t blocking processes from running and removing malicious files. In most ransomware incidents, the first thing organizations need to do to ‘stop the bleeding’ is deploy a modern EPP agent to stop it from spreading. It’s better and less disruptive to the business if the organization deploys EPP ahead of time when there is no emergency than to race against the clock to save your data. Once again, just ensure it is in ‘protect’ mode, otherwise your investment could be useless.
- Rely on an access management tool. Passwords were meant to be broken. A good access management tool helps solve the risks with traditional passwords. With it, an organization is able to integrate their domain, SaaS applications, and even customer applications, ensuring every entry point is secured. Leveraging multi-factor authentication (MFA) will significantly increase the barrier of entry into your network. In addition, it enables users to be more productive remotely while keeping resources secure. There is no excuse to not have MFA protecting your applications.
- Remember to patch. Everyone knows they should be patching, but it’s still an overlooked step. Unpatched and old systems — especially when publicly accessible — will be breached at some point. There was a time when servers had to have 100% uptime, but that excuse is no longer valid. With the introduction of virtualization, load balancing, and a number of other options that can be used to mitigate the risk of downtime for the business, rebooting and patching should be a priority task as it helps avoid any potential threats exploiting outdated systems.
- Have a security awareness training program. Users are the weakest link of the enterprise and with so many risks associated with their activity, the importance of training employees cannot be understated. Phishing is still one of the most effective ways to infiltrate and profit from an organization. Keeping employees informed and alert will save big headaches in the long run. Even at other security companies we have seen convincing emails go to the HR teams to change bank account information.
- Purchase an incident response (IR) retainer. There is no shame in asking for help. Make sure you have an IR retainer and decide if you should augment your security team or have an MSSP help monitor your environment before an incident occurs. If you wait until a breach occurs, you will spend significantly more money.
Dan Linton, W2O
- Create and maintain a data map: Many large organizations have no clue what data they have, how it’s being used, who’s collecting it or why, and essentially there is often no data privacy governance at all. Companies need to get on top of their data immediately, and map out what data they have, where it’s coming from, where it’s stored, and how long it’s held. In my experience, I see this happening a lot at organizations that often have robust cybersecurity functions, but no privacy or data governance function at all. IT cannot protect what they don’t know about.
- Develop a robust privacy function or working group: Cybersecurity teams are focused on systems protection, but they may not be as versed on privacy compliance issues, nor might they know in granular detail what types of data points are flowing through a system. Legal teams may not have specialized knowledge of what specific points of data are flowing through what systems. A privacy working group should bring cybersecurity, legal, privacy and product owners together regularly to evaluate data flows with an eye towards risk reduction and ethics. Depending on an organization’s size, a dedicated privacy function can help bridge the gaps between the internal groups, and manage activities like ongoing data mapping.
- Train, train, train: In larger organizations, both general awareness training for all staff and specific functional training for employees that handle sensitive data are key. Some privacy regulations now require staff training, including being able to prove the training occurred. In my experience, regular training combined with other less formal reminders help drive adoption. At W2O, we hold an annual Data Privacy Day, where we combine a short training with an annual personal data audit and file cleanup for all employees, which then culminates in a party at the end of the day. Regular reminders and fun activities help drive compliance throughout the organization, and at the same time it also builds a culture of data privacy and security awareness that lasts the whole year.
- Break your data hoarding habit: Unnecessary data retention, or what I refer to as data hoarding, is the Achilles’ heel of even the most robust data privacy and security programs. I often remind my teams that if we don’t have it, it can’t be lost in a breach. This goes hand-in-hand with a data mapping exercise, part of which is evaluating if there is a need to hold data — if it’s not needed and there is no clear business or legal reason to keep it, it should be permanently deleted. I’ve observed many organizations collecting and keeping huge hoards of very personal data without any clear reason to do so. Not only is this counter to some privacy legislation like GDPR, it also significantly increases the potential impact of a data breach. Practice data minimization, and if you don’t need it, trash it!
- Build privacy and security as a brand value: Ensuring privacy and security is absolutely vital to protecting a brand’s reputation, and it can also become a brand pillar and competitive differentiator. Organizations that communicate clearly about their privacy programs tend to see higher engagement and more trust from their audiences. The most notable example of this is Apple, who differentiate their phones based on privacy principles and protecting people’s data. They not only develop policies and technology to protect user data, they communicate and advertise on the basis of that protection, and it’s helped drive consistently higher levels of brand loyalty versus their competition.
Dr. Zahid Anwar, Fontbonne University
1. It is important to outline clear use policies. It is healthy, progressive and useful to have an inclusive culture. This brings diversity of ideas, knowledge, skills and talents. Equally important is to make sure employees are on the same page regarding acceptable policy guidelines. They should be given clear understanding regarding use of social media and non-work-related applications like BitTorrent, as these bring added risk of viruses. They should be well-versed in appropriate use of computer systems, email, internet and networks.
2. Invest in employee training. Employees have a major part to play in maintaining or breaking the security posture of an organization. The attacker only needs one weak link to get in. The best defense is to have a training program regarding safe and unsafe computing behavior. Training should not only be general, but also role specific. Additionally, there should be monitoring and retraining if required.
3. Limit employee access to data. Employee access to data should depend upon their role. Require computers to automatically lock after a set period of inactivity. Employees will have to sign in again when they return to their desk, which reduces the risk of unauthorized access. Clearly state the allowable methods and locations for remotely connecting to a company network and its software. Access to an organization is a privilege that should be extended to relevant individuals only. Use of biometric technology to reduce unnecessary access to physical spaces can also be a good security measure. When offboarding or transferring roles, communicate changes quickly and modify access to account privileges.
4. Take a proactive approach to cybersecurity. Have a collaborative culture in your organization. Reward effort and recognize progression to foster teamwork and employee satisfaction. Happy workers are more dedicated and sincere, and they reduce the chances of insider threats such as the transfer of data to rival companies. Consider using systems like user and file activity monitoring and data loss prevention to monitor different channels from which data may be extracted. Having a handle on external threats is equally important. Using software like threat intelligence platforms (TIP) can provide real-time access to the bigger picture of active concerns. This software can inform you about malware campaigns targeting rival companies and provide appropriate insights on applying patches to your systems.
5. Plan ahead. When it comes to cyberattacks, it is not a matter of if, but when. There are always going to be weak links prone to unseen threats, so it is important to plan for the inevitable data breach. In case of an attack, organizations should have an incident response plan in place. This planning will allow designated individuals that are part of the incident response team to follow a series of steps to remediate and recover from an abnormal situation in a way that minimizes losses. Regularly backing up data should be a part of this planning.