Yesterday was Data Privacy Day, and as Data Privacy Champions, we advocate for committing resources towards protecting the information that is a valuable asset to your business. We believe that traditional technical controls are only one part of security, and that’s why at Secure Halo we examine vulnerabilities across six critical domains.
Here are three reasons per domain why data privacy should be a priority of every organization in 2018, plus links to a multitude of statistics and reports on these issues.
Insider Threat:
1. Employees can be your first line of defense…or your weakest link. Limit user access and remove it entirely after an employee leaves the company.
- “St. Louis, Missouri-based SSM Health recently reported that it experienced a potential data breach after an employee accessed patient records without authorization.” (HealthIT Security)
2. Phishing attacks are growing, no industry is safe, and they are successful. Train employees not to click without thinking first.
- “Phishing attempts have grown 65% in the last year” (PhishMe’s Enterprise Phishing Resiliency and Defense Report)
- “Phishing rates have increased across most industries and organization sizes — no company or vertical is immune” (Symantec)
- “95% of all attacks on enterprise networks are the result of successful spear phishing” (SANS Institute)
3. Don’t rely only on technical security procedures to protect assets.
- Malicious or not, employees pose a huge risk when it comes to protecting data. (“USB stick found in West London contained Heathrow security data”)
Data Security:
1. Despite frequent releases of updates and patches, companies are failing to keep their IT assets up to date against known vulnerabilities, leaving numerous entry points into their networks exposed and easily exploited.
- Equifax failed to apply an update that would have removed a vulnerability that ultimately led to the exposure of the personal data of 145.5 million people. (WIRED)
2. Data protection assessments will be a requirement under the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018.
- “Article 35, impact assessments: Companies must conduct data protection impact assessments to identify risks to EU citizens. Those assessments also must describe how the company is addressing those risks.” (CSO Online)
3. The growth of IoT has created more endpoints than ever.
- Installing anti-virus software is no longer sufficient. This security measure only detects known threats and does not protect you from new ones, which puts your crown jewels at risk of exposure.
Physical Security:
1. Get back to the basics – with sophisticated attacks making headlines, don’t overlook controls that aren’t highly technical, like asset inventory.
- Ensuring that a detailed inventory and status of your assets containing sensitive information (from USB drives to laptops, mobile devices and servers slated for destruction or reuse) is kept and periodically audited will reduce the likelihood of loss of confidential data. By maintaining the inventory and audit processes, you can significantly reduce any window of uncertainty surrounding lost or compromised assets containing confidential data.
2. Enact a clean desk policy to prevent confidential data from being seen by unauthorized individuals. Additionally, ensuring sensitive data is removed from a printer or fax machine tray can reduce inadvertent disclosure or, worse yet, a crime of opportunity by a potential insider threat acting deliberately.
- Don’t write passwords on sticky notes! (Hawaii emergency management password was on sticky note)
3. Control visitor access.
- Within your organization, restrict where visitors are allowed to go, especially if a badge is not required to enter the building. While stealing intellectual property can be done remotely, it still does happen in person. (CSO Online)
Internal Business Operations:
1. Failure to have proper processes and policies in place, as well as governance to ensure that they’re being implemented, can have devastating results.
- “According to the Ponemon Institute, the average cost of cleaning up a small business after it has been hacked stands at $690,000. Given this high price, it is not surprising that six in 10 small businesses fail within six months of experiencing a cyberattack.” (Westfair Business Publications)
2. Ensure customer retention with an incident response plan.
- A proper incident response plan allows for immediate action to be taken if an incident does occur, which will help maintain customer trust and retention. Failure to do so can be devastating. Just look to Uber for proof.
3. When all else fails, encryption of data at rest and in transit can serve as a last line of defense against breaches.
- A laptop of a Coplin Health Systems employee was stolen and the unencrypted data of 43,000 patients was exposed, despite the computer having security tools and password protections. (HealthCare IT News)
Mobility:
1. Mobile Device Management is now a necessity. Implement a plan ASAP if you haven’t already.
- “A recent industry survey has revealed that about 65 percent of organizations are now allowing personal devices to connect to corporate networks, with 95 percent of CIOs stating concern over emails being stored on personal devices, and 94 percent being worried about enterprise information stored in mobile applications.” (Tech Observer)
2. Phishing attacks are rapidly spreading to mobile devices.
- Email is no longer the only attack vector. WhatsApp, Facebook, and Google Play have all been recent targets of malicious actors, who attempt to steal information through phishing scams. “81% of phishing attacks that occur on a mobile device take place outside of email.” (IT Pro Portal)
3. Mobile devices are targeted items when traveling. Create a security plan in the event that a mobile device is stolen.
- “Laptops and other devices are high-value items. They attract theft. So make sure whatever is on them is not irreplaceable.” (John Southall, a data librarian at the University of Oxford, UK)
External Business Operations:
1. Hackers are using third-party relationships to gain access to data. Even if your own security standards are robust, ensure that those connected to your systems and networks are as well.
- “According to a recent study by Google, third-party data breaches have exposed 3.3 billion credentials.” (Security Boulevard)
2. A skills shortage is leading to increased outsourcing of security, which creates more vulnerabilities – through connected systems – for hackers to exploit.
- “Cybersecurity represents the biggest area where their organizations have a problematic shortage of cybersecurity skills,” according to respondents of an ESG survey. (CSO Online)
3. Overreliance on a single vendor can be disastrous, so have a business continuity plan in place ahead of time.
- “One hour of downtime can cost small companies as much as $8,000, midsize companies up to $74,000, and large enterprises up to $700,000, according to a 2015 report from the IT Disaster Recovery Preparedness (DRP) Council.” (Network World)
Ensuring that your most valuable assets are protected should be a priority of any organization, and not just on Data Privacy Day. Deploying only technical controls to secure your data will leave you vulnerable to other threat vectors, which is why we advocate a strategy that assesses security across the enterprise.