As Data Privacy Day once again rolls around, we can look back at some healthy improvements when it comes to privacy that organizations made over the previous 12 months. We can also use this yearly reminder on such an important topic to look forward to the coming year to pinpoint where additional changes are needed.
Rampant Data Breaches and Attacks Have Changed How Orgs Should Approach Data Privacy
The importance of protecting data has never been higher. Security Magazine noted that by September 2021, the number of breaches was up 17% with 1,291 breaches in 2021 compared to 1,108 breaches during the same time period in 2020.
Data privacy isn't just about day-to-day data protection and compliance anymore. Organizations need to approach data privacy with an 'assume-breach' mindset. How swiftly and effectively an organization can respond to a crisis like a data breach greatly affects short-term and long-term data privacy efficacy. Companies need to conduct regular crisis simulations across their entire organization, not just the IT and security disciplines, to ensure they can respond effectively to an incident and mitigate its impact.
We expect organizations to continue to improve their rapid response capabilities by partnering with third-party managed detection and response experts that are available 24/7.
Top MDR providers can bring critical insights and contextual knowledge about threats and vulnerabilities derived from other client environments that enable them to be more effective than hiring in-house talent. To ensure your data privacy standards stay intact, make sure you have experts that can take a truly holistic approach to security by actively interrogating endpoints, conducting threat research and hunting, performing forensic investigations, and quickly responding to incidents to mitigate their impact.
Data Privacy Day is held each year to create awareness about the importance of respecting privacy, safeguarding data and enabling trust. The day, which caps Data Privacy Week, January 24-28, is held jointly by the International Association of Privacy Professionals (IAPP) and the National Cybersecurity Alliance's Stay Safe Online initiative, and it presents the industry with a perfect time to make privacy a top-of-mind topic.
The Understanding of Privacy Regulations Has Grown, But Data Visibility Is Still Lacking
The level of understanding regarding data privacy legislation continued to improve in 2021. Based on our client and community conversations, there is now a level of maturity in understanding what the European Union's General Data Protection Regulation (GDPR) and other laws like the California Consumer Privacy Act mean. Even though these regulations went into effect in May 2018 and January 2020, respectively, in 2021, we noticed a distinct decline in the number of requests from clients on the laws.
However, we still have work to do. While organizations may understand the regulations, many have poor awareness of their critical assets. This knowledge includes knowing what type of data is being stored, where it resides, who has access, and placing the proper controls around that access.
The good news is that obtaining a high level of visibility into your data, and discovering whether or not your organization's critical data is safe, can be readily accomplished.
The first step is conducting a thorough data discovery. This action will locate an organization's data, indicate who has access and, upon further study, determine whether that access is necessary. Next is the testing and assurance phase. Conducting penetration tests, running crisis simulations, and holding tabletop exercises can prepare a company to react appropriately to an incident, which can only lead to better data protection.
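The data discovery step above can be approached mechanically: walk the storage you control, classify what each file holds, and record who can read it. The following script is an added example, not code from the original post or from Trustwave; it scans a constructed fixture tree (the file names, contents and permissions are invented for the example) for e-mail addresses and Luhn-valid card numbers, and reports each hit together with its owner and whether the file is readable by every user on the host. The Luhn check is what keeps ordinary order numbers and reference codes from being flagged as payment card data.

```python
import os
import re
import stat
import tempfile

# Patterns for two common kinds of personal data. The card pattern is deliberately
# loose; candidates are confirmed with a Luhn check to cut false positives.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b\d{13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Label the kinds of personal data found in a chunk of text."""
    labels = set()
    if EMAIL_RE.search(text):
        labels.add("email")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        labels.add("card")
    return labels


def scan_tree(root: str) -> list:
    """Walk a directory tree; report files holding personal data and who can read them."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    labels = classify_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if not labels:
                continue
            st = os.stat(path)
            findings.append({
                "path": os.path.relpath(path, root),
                "labels": labels,
                "owner_uid": st.st_uid,
                "mode": stat.filemode(st.st_mode),
                "world_readable": bool(st.st_mode & stat.S_IROTH),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Create a constructed fixture tree (invented data, not real records) to scan."""
    root = tempfile.mkdtemp(prefix="privacy-scan-")
    samples = {
        # world-readable export with an e-mail address and a Luhn-valid test card number
        "exports/customers.csv": ("name,email,card\nAda,ada@example.com,4111111111111111\n", 0o644),
        # owner-only HR file with an e-mail address
        "hr/salaries.csv": ("name,email\nBob,bob@example.com\n", 0o600),
        # digits that fail the Luhn check: an order reference, not a card, so ignored
        "finance/invoice.txt": ("order ref 4111111111111112\n", 0o644),
        # nothing sensitive at all
        "notes/todo.txt": ("rotate the backup tapes\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        exposure = "WORLD-READABLE" if f["world_readable"] else "restricted"
        print(f"{f['path']}: {sorted(f['labels'])} {f['mode']} uid={f['owner_uid']} {exposure}")
```

Run against the fixture, the scan reports `exports/customers.csv` (e-mail and card data, world-readable) and `hr/salaries.csv` (e-mail, owner-only); the invoice and the to-do file are not reported. In a real sweep the owner and mode columns feed the "is this access necessary" question directly: a world-readable file of card data is the finding to act on first.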
The next issue for those entities operating across national and state borders is ensuring they comply with privacy regulations on the books to avoid any potential fines.
Remember, the EU's data protection authorities can impose fines of up to €20 million (roughly $20,372,000) or 4 percent of worldwide turnover for the preceding financial year, whichever is higher.
Given these stakes, what should organizations do to help keep the data under their control private and potential risks mitigated?
The Essential Data Privacy Best Practices
Here are a few data privacy best practices that organizations can put into action, with links to resources that can help you learn more about this vital subject matter:
Emphasize employee education. Protecting data starts with empowering your employees to know how to practice good security hygiene and how to protect themselves (and your business) from the most common cyber-attacks, like phishing, business email compromise and other exploits that specifically target the human element. It's also important to note that Security Awareness Education training and policies are mandatory for most organizations for compliance reasons. Dive deeper into this subject with this blog post on CISO data solutions, this infographic on essential cybersecurity tips, and this data sheet on cybersecurity education.
Map out your data storage. Modern organizations, especially enterprise-level organizations, deal with ever-growing data sprawl as many organizations move their data into a hybrid cloud/on-premises storage model with multiple cloud providers. A particular concern exists for organizations that either have or will go through a merger or acquisition, as legacy data issues frequently occur during this process. Learn more about data risk mitigation, the risks of hosting data in the cloud, and check out this infographic which shows the five ways attackers will try to get to your data.
Recognize the hidden weaknesses. Most organizations don't realize that partners and vendors typically have no responsibility for protecting your data. A common misconception is that cloud providers share liability for data protection: they do not. Even the major providers, like Google, Azure and AWS, have no responsibility in the case of a breach – and a common vulnerability that Trustwave SpiderLabs researchers often uncover is from organizations relying on default cloud server settings. Another all-too-common hidden vulnerability results from sloppy or slow database patching practices. Learn more about how to recognize your data weak spots with this webinar on patching practices and this infographic on testing your data security.
Remember that less is more. Since every piece of data you collect adds to your potential risk, the simplest way to mitigate that risk is only to collect data you absolutely need. Many organizations are also beginning to consider when it's appropriate to destroy unnecessary data – which is also a consideration in certain compliance situations. Additionally, organizations should always adhere to the principle of least privilege, so employees only access the data they need to perform their jobs. Regularly reviewing user privileges is also vital. Dig deeper into this topic with this interview on the changes occurring in data security.
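The "principle of least privilege" and "regularly reviewing user privileges" points above translate into a recurring access review: resolve each user's effective permissions (including those inherited through groups), compare them with what the user's job role actually needs, and flag grants that have not been exercised recently. The script below is an added example, not code from the original post or from Trustwave; the users, groups, role baseline and last-used dates are all constructed for the example, and in practice they would be exported from the identity provider and the application's audit log.

```python
from datetime import date, timedelta

# Constructed identity data for the example (not from any real system).
USERS = {
    "alice": {"role": "analyst", "groups": {"analysts"}, "direct": set()},
    "bob":   {"role": "analyst", "groups": {"analysts", "dba"}, "direct": {"export.customers"}},
    "carol": {"role": "dba",     "groups": {"dba"},             "direct": set()},
}
GROUPS = {
    "analysts": {"db.read", "report.run"},
    "dba":      {"db.read", "db.admin"},
}
# Permissions each job role legitimately needs: the least-privilege baseline.
ROLE_BASELINE = {
    "analyst": {"db.read", "report.run"},
    "dba":     {"db.read", "db.admin"},
}
TODAY = date(2022, 1, 28)
# Last time each (user, permission) pair was exercised; an absent pair means never.
LAST_USED = {
    ("alice", "db.read"): TODAY - timedelta(days=3),
    ("bob", "db.read"): TODAY - timedelta(days=1),
    ("bob", "report.run"): TODAY - timedelta(days=5),
    ("bob", "db.admin"): TODAY - timedelta(days=120),
    ("bob", "export.customers"): TODAY - timedelta(days=200),
    ("carol", "db.read"): TODAY - timedelta(days=2),
    ("carol", "db.admin"): TODAY - timedelta(days=2),
}


def effective_permissions(user, users=USERS, groups=GROUPS):
    """Resolve a user's permissions through group membership; map each to its source."""
    perms = {p: "direct" for p in users[user]["direct"]}
    for g in sorted(users[user]["groups"]):
        for p in groups[g]:
            perms.setdefault(p, f"group:{g}")  # keep the first source that granted it
    return perms


def review_access(today=TODAY, stale_days=90, users=USERS, groups=GROUPS,
                  baseline=ROLE_BASELINE, last_used=LAST_USED):
    """Flag grants that exceed the role baseline or have gone unused for too long."""
    findings = []
    for user, info in sorted(users.items()):
        allowed = baseline[info["role"]]
        for perm, source in sorted(effective_permissions(user, users, groups).items()):
            reasons = []
            if perm not in allowed:
                reasons.append(f"not in baseline for role {info['role']}")
            used = last_used.get((user, perm))
            if used is None:
                reasons.append("never used")
            elif (today - used).days > stale_days:
                reasons.append(f"unused for {(today - used).days} days")
            if reasons:
                findings.append({"user": user, "permission": perm,
                                 "source": source, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_access():
        print(f"{f['user']:6} {f['permission']:18} via {f['source']:15} -> {'; '.join(f['reasons'])}")
```

With the constructed data the review surfaces three grants to revoke or justify: alice's `report.run` (in her baseline but never used), and bob's `db.admin` (inherited from the `dba` group, outside an analyst's baseline and idle for 120 days) and direct `export.customers` grant (outside the baseline and idle for 200 days). Carol's grants all match her role and were used recently, so she produces no findings. Recording the source of each grant matters because removing a group membership revokes every permission that group carries, not just the one flagged.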
In addition to these tips, the National Cybersecurity Alliance, which partners with the International Association of Privacy Professionals (IAPP), offers a wealth of information on this important subject.