Today is Data Privacy Day – a day set aside to help encourage organizations and individuals to appreciate the critical importance of privacy and data protection practices. Observed in almost 50 countries around the world, the event began in 2007 in the European Union, and was recognized by the United States Congress in 2009.
As recent high profile breaches like the FireEye/SolarWinds Orion compromise and the discovery of massive database of U.S. voter information for sale on criminal forums have shown, our data is increasingly at risk. For organizations of all kinds, keeping data safe will be ever more vital, not only from a risk and compliance point of view, but also through the paradigm of enhancing business success. As consumers become more concerned with how their data is being handled, they will also vote with their wallets and become more loyal to companies with strong data protection policies and track records of handling data safely.
The 2020 Trustwave Data Security Index report depicts how technology trends, compromise risks and regulations are shaping how organizations’ data is stored and protected. The report is based on a recent survey of 966 full-time IT professionals who are cybersecurity decision makers or security influencers within their organizations. Over 75% of respondents work in organizations with over 500 employees in key geographic regions including the United States, United Kingdom, Australia and Singapore.
Given the stakes, what should organizations do to help keep data private and risks properly mitigated? Listed below are a few best practices, with links to resources that can help you learn more about this vital subject matter. In addition, the National Cybersecurity Alliance offers a wealth of information on this important subject, and Trustwave has services and solutions that can help your organization with data privacy needs.
Emphasize employee education. Protecting data starts with empowering your employees, so that they know how to practice good security hygiene and how to protect themselves (and your business) from the most common cyber-attacks, like phishing, business email compromise and other exploits that specifically target the human element. It’s also important to note that Security Awareness Education training and policies are mandatory for most organizations for compliance reasons. Dive deeper into this subject with this blog post on CISO data solutions, this infographic on essential cybersecurity tips, and this data sheet on cybersecurity education.
Map out your data storage. Modern organizations, especially enterprise level organizations, are dealing with ever growing data sprawl. As the 2020 Trustwave Data Security Index showed, most organizations are moving their data into a hybrid cloud/on-premises storage model, with multiple cloud providers. A special concern exists for organizations that either have or will go through a merger or acquisition, as legacy data concerns frequently occur. Learn more about data risk mitigation, the risks of hosting data in the cloud, and check out this infographic which shows the 5 ways attackers will try to get to your data.
Recognize the hidden weaknesses. Most organizations don’t realize that partners and vendors typically have no responsibility for protecting your data. A common misconception is that cloud providers share liability for data protection: they do not. Even the major providers, like Google, Azure and AWS, have no responsibility in the case of a breach – and a common vulnerability that Trustwave SpiderLabs researchers often uncover is from organizations relying on default cloud server settings. Another all-too common hidden vulnerability results from sloppy or slow database patching practices. Learn more about how to recognize your data weak spots with this webinar on patching practices and this infographic on testing your data security.
Remember that less is more. Since every piece of data you collect adds to your potential risk, the simplest way to mitigate that risk is to only collect data that you absolutely need. Many organizations are also beginning to consider when it’s appropriate to actually destroy unnecessary data – which is also a consideration in certain compliance situations. Additionally, organizations should always adhere to the principle of least privilege, so employees only access the data they need to perform their jobs. Regularly reviewing user privileges is also vital. Dig deeper into this topic with this interview on the changes occurring in data security.
Of course, one of the most important strategies for protecting data is having a program in place to detect and respond to breaches – which is why so many organizations are turning to managed threat detection and response solutions. Remember, for most of us it’s not a question of if we’ll get breached but when… and how ready we’ll be to respond.