Data privacy is now a top concern across the world. The National Cyber Security Alliance (NCSA) in the United States leads ‘Data Privacy Day’, a dedicated international awareness campaign. The day is aimed at empowering individuals and organizations by stressing the importance of safeguarding data and consumer privacy.
In our 2018 cybersecurity trends and predictions blog, CIPHER predicted that global data privacy would be a major focus area. To support the dialogue around this global awareness initiative, we wanted to dive a bit deeper into data privacy and show why it will be a top concern in 2018 and how organizations are safeguarding their data.
Global data privacy regulations are popping up everywhere because of the major consequences of massive data breaches. The European Union’s General Data Protection Regulation (GDPR) sparked a wave of concern. Legislation like the GDPR is aimed squarely at protecting consumer privacy and enforcing repercussions against organizations that are ill-prepared to handle consumer data. Over the last few years, we’ve seen many data breaches in large enterprise organizations. In fact, the sheer number of attacks in the last few years is astonishing.
Do you remember these from just 2017 alone?
Notable 2017 Security Breaches
- Jan. 8 – E-Sports Entertainment Association (ESEA)
- Feb. 1 – Xbox 360
- Feb. 1 – PSP
- Feb. 7 – InterContinental Hotels Group (IHG)
- Feb. 17 – Arby’s
- Mar. 6 – River City Media
- Mar. 7 – Verifone
- Mar. 15 – Dun & Bradstreet
- Mar. 19 – Saks Fifth Avenue
- Mar. 20 – UNC Health Care
- Mar. 21 – America’s JobLink
- Apr. 6 – IRS Data Retrieval Tool
- Apr. 25 – Chipotle
- May 2 – Sabre Hospitality Solutions
- May 3 – Gmail
- May 10 – Bronx Lebanon Hospital Center
- May 12 – Brooks Brothers
- May 17 – DocuSign
- May 31 – OneLogin
- May 31 – Kmart
- Jun. 14 – University of Oklahoma
- Jun. 15 – Washington State University
- Jun. 20 – Deep Root Analytics
- Jun. 27 – Blue Cross Blue Shield/Anthem
- Jul. 10 – California Association of Realtors
- Jul. 13 – Verizon
- Aug. 30 – Online Spambot
- Sep. 2 – TalentPen/TigerSwan
- Sep. 7 – Equifax
- Sep. 21 – US Securities and Exchange Commission (SEC)
- Sep. 21 – SVR Tracking
- Sep. 26 – Sonic
- Sep. 28 – Whole Foods
- Oct. 6 – Disqus
- Oct. 12 – Hyatt Hotels
- Nov. 14 – Maine Foster Care
- Nov. 21 – Uber
- Nov. 24 – Imgur
- Dec. 1 – TIO Networks (acquired by PayPal)
- Dec. 10 – eBay
- Dec. 19 – Alteryx
Across nearly every industry, data breaches occur and leave millions of data records exposed and at risk. Governments around the world are troubled by the negative impact on the consumer. These high-profile data breaches have sparked a tumultuous effort by governments to put strict controls on companies that fail to safeguard consumer data.
Not only can organizations suffer financial impacts like penalties, but a company will likely see its customer loyalty and reputation decline as well. Yet to implement the proper security policies and controls, organizations face serious hurdles in protecting millions of data records. It only takes one successful attempt by a cybercriminal to gain access to your data, while security professionals must succeed at protecting that data every single time.
How are organizations protecting data in 2018?
Any organization dealing with data privacy in the year ahead must focus on both its policies and its security technologies. Security policies are the well-planned security strategies for your organization. A security policy should define the who, what, when, and where of the security best practices developed for your organization. Pay special attention to the following areas of your master information security policy when it comes to data protection:
- Acceptable file sharing methods
- Internet usage guidelines
- Proper use of wireless devices
- Proper use of encrypted technologies
- Password policies
- Prohibited applications
- Prohibited services
- Backup policies
- Acceptable remote access
- How to properly dispose of data (sensitive and non-sensitive)
- Spam policies
SANS Institute also has some terrific policy template resources which you can customize. Check them out here.
To start developing your security policies, consider completing a security assessment or benchmark of your current security operations. This will help you gauge the gaps and strengths within your current security program or framework.
After you complete the assessment or benchmark, it’s time to identify which technologies and tools are missing from your security strategy that might better protect your data in the year ahead. Using a framework such as NIST, ISO, PCI DSS, SANS, or others can help you classify your security technology stack into the phases of a security framework. To make it simple, look at the chart below and determine which areas are missing from your security operations.
When it comes to safeguarding your sensitive data, some of the most critical tools include encryption, monitoring, backups, and endpoint solutions. Encryption is focused entirely on data: how it is stored, protected, and transmitted. Endpoint solutions can use encryption to prevent data loss and leakage and to enforce unified data protection policies across all your servers, networks, and endpoints, thereby reducing the risk of a data breach.
Monitoring tools such as IDS/IPS and SIEM are important for watching your network for malicious activity and alerting the appropriate response team so it can mitigate the threat. Lastly, a backup solution can help restore data lost through human error, during a ransomware attack, and more. A best practice is to follow the 3-2-1 rule.
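The 3-2-1 rule mentioned above means keeping at least three copies of your data (the production copy included), on at least two different storage media, with at least one copy stored off-site. The following checker is an added example written for this post, not code from CIPHER or from any backup product; it assumes a simple hand-maintained inventory of copies and flags, as an extra caveat, any backup copy that has never been restore-tested, since a backup that has never been restored from is not yet proven to work.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set. The production copy is listed too, because the
    '3' in 3-2-1 counts it (constructed model for this example)."""
    label: str
    medium: str           # storage medium, e.g. "disk", "tape", "object-storage"
    site: str             # where the copy physically lives
    role: str             # "production" or "backup"
    restore_tested: bool  # whether a restore from this copy has been exercised


def check_3_2_1(copies, primary_site):
    """Evaluate a backup inventory against the 3-2-1 rule.

    Returns a dict with 'compliant' (True only if all three rule checks pass),
    'findings' (rule violations), 'warnings' (backup copies never restore-tested)
    and the counts the rule is judged on, so the result can go into a report.
    """
    findings = []

    # 3: at least three copies, production copy included
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least 3")

    # 2: at least two distinct storage media
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(
            f"all copies on one medium ({', '.join(sorted(media)) or 'none'}); "
            "need 2 media types"
        )

    # 1: at least one copy stored away from the primary site
    offsite = [c for c in copies if c.site != primary_site]
    if not offsite:
        findings.append(
            f"no copy outside primary site '{primary_site}'; need 1 offsite copy"
        )

    # Caveat: a backup that has never been restored from is unproven
    warnings = [c.label for c in copies if c.role == "backup" and not c.restore_tested]

    return {
        "compliant": not findings,
        "findings": findings,
        "warnings": warnings,
        "copies": len(copies),
        "media": len(media),
        "offsite": len(offsite),
    }


# Constructed sample inventories (not real systems)
COMPLIANT_INVENTORY = [
    BackupCopy("prod-db", "disk", "hq", "production", True),
    BackupCopy("nightly-nas", "disk", "hq", "backup", True),
    BackupCopy("cloud-snapshot", "object-storage", "cloud-eu", "backup", False),
]

NONCOMPLIANT_INVENTORY = [
    BackupCopy("prod-db", "disk", "hq", "production", True),
    BackupCopy("nightly-nas", "disk", "hq", "backup", True),
]


if __name__ == "__main__":
    for name, inventory in (("compliant", COMPLIANT_INVENTORY),
                            ("non-compliant", NONCOMPLIANT_INVENTORY)):
        result = check_3_2_1(inventory, primary_site="hq")
        print(f"{name}: compliant={result['compliant']}")
        for f in result["findings"]:
            print(f"  finding: {f}")
        for w in result["warnings"]:
            print(f"  warning: {w} has never been restore-tested")
```

The second inventory fails all three checks: two copies, both on disk, both at the primary site. The first passes, but the checker still warns that the cloud snapshot has never been restore-tested, which is exactly the kind of gap a ransomware incident tends to expose.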
Consider how your organization collects and transmits personally identifiable information. Now also consider the gaps and areas for improvement in your current security posture. What areas can you improve to ensure that the organization is safeguarding sensitive customer data?