It’s National Data Privacy Week

This week is National Data Privacy Week, an initiative that began over 15 years ago as a data privacy day in the US and Canada. Last year, the National Cybersecurity Alliance (NCA) expanded it to a week-long event, a step we support as an NCA partner. It is a cause we champion year-round.

We spend a lot of time talking with customers about privacy (and security). Privacy is a top-of-mind concern with most customers as they recognize the growing need to protect personally identifiable information (PII) and personal health information (PHI).

Regulatory requirements are undoubtedly contributing to this increased visibility in organizations. While Europe’s General Data Protection Regulation (GDPR), the US’s HIPAA, and the California Consumer Privacy Act (CCPA) garner the headlines, they are not alone. Legislation like the CCPA has passed in Virginia, Colorado, Connecticut, and Utah. Quebec Bill 64 builds on Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

Protecting Privacy is Good Business

Protecting the privacy of customers and employees is more than just a regulatory requirement. It's also good business. Customers and partners want to deal with organizations they can trust to protect sensitive information. Ensuring supply chain security is crucial, and vetting vendors for their security practices is increasingly common. The effects of a breach can include lost revenue from operational downtime, substantial remediation costs, escalating cyber insurance premiums, and reputational damage that can last for years.

That’s why it needs our focus 52 weeks of the year.

What Can Organizations Do?

Protecting data from unauthorized exposure requires the right mindset: privacy and security are a posture, not a project. In addition to technology, it demands good policies, trained employees, and ongoing diligence.

Start with Clear Policies

The threat from malicious insiders is real, but every employee who handles sensitive data presents a risk. A study by Ponemon Institute found that 55 percent of all insider incidents resulted from employee negligence. This can include losing a laptop or phone, using personal cloud storage accounts, adding sensitive data to emails, or mistakenly emailing data to the wrong person.

A Technology Acceptable Use Policy is a set of guidelines and rules that outline the acceptable and unacceptable uses of an organization’s systems and resources. This policy should explain in detail to the employee how they may use company devices, passwords, and technology, including best practices such as how to store and share files.

Employees Are Your First Line of Defense

Once policies are in place, teams need to make sure that users understand how a threat might present itself. Cybersecurity awareness training covers the basics of security. It helps technical and non-technical employees understand basic principles of protecting themselves and the organization against cyberattacks.

Annual training is a good first step, but ongoing training helps even more. Remember, however, that individual lessons need to be reinforced regularly to ensure retention. Many organizations use videos and graphics to strengthen their security culture and keep employees engaged on a daily basis.

Social Engineering Training

Phishing emails are an easy, effective method for criminals to trick unsuspecting recipients into clicking links or opening malicious files. The results of that simple action can be enterprise-wide data breaches, ransomware attacks, or stolen credentials.

Training busy employees to recognize phishing attacks is important. Fortifying those lessons is also critical. Phishing simulations mimic real attacks without damaging the organization. Email messages are designed and distributed to attempt to trick users into revealing sensitive information or taking actions that may compromise their security, such as clicking on a malicious link, entering credentials on a fake website, or downloading a malicious attachment.

Monitor Your Systems for Intrusions

Attacks are inevitable. A good approach is to “assume breach”. This means accepting as fact that an attacker will be able to gain a foothold in your organization. This could come from an unpatched vulnerability, a phishing attack, a malicious insider, or through the more than 26 billion stolen credentials available on the dark web.

The first step in containing an attack is early identification. While most organizations lack the resources to monitor their defenses around the clock, a managed detection and response (MDR) service offers trained security experts to monitor your systems and alert you to potential attacks. A professional MDR service acts as an extension of your security team: it watches for malicious activity in web-facing applications, endpoints, network and perimeter devices, and cloud environments, and steps in to contain incidents and minimize damage.
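One concrete form of the "early identification" described above is spotting stolen credentials being replayed against your accounts. The example below is added here and is not Defendify's code or an MDR product; it runs a simple credential-stuffing check over a constructed set of OpenSSH-style `sshd` log lines (sample data, not real logs). The signature it looks for is one source address failing logins against many distinct accounts in a short window, and it separately reports whether that same source later succeeded, which is the "assume breach" case worth paging on. The log format, the 5-minute window, and the 4-account threshold are assumptions chosen for the example.

```python
"""Credential-stuffing detector over SSH-style auth log lines (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format mimics OpenSSH sshd messages.
# 203.0.113.5 sprays five different accounts in a few seconds and then gets in as frank.
# 198.51.100.7 is a legitimate user mistyping their own password twice.
SAMPLE_LOG = """\
Jan 23 10:00:01 host sshd[111]: Failed password for alice from 203.0.113.5 port 5001 ssh2
Jan 23 10:00:02 host sshd[112]: Failed password for bob from 203.0.113.5 port 5002 ssh2
Jan 23 10:00:03 host sshd[113]: Failed password for invalid user carol from 203.0.113.5 port 5003 ssh2
Jan 23 10:00:04 host sshd[114]: Failed password for dave from 203.0.113.5 port 5004 ssh2
Jan 23 10:00:05 host sshd[115]: Failed password for erin from 203.0.113.5 port 5005 ssh2
Jan 23 10:00:06 host sshd[116]: Accepted password for frank from 203.0.113.5 port 5006 ssh2
Jan 23 10:01:00 host sshd[117]: Failed password for alice from 198.51.100.7 port 6001 ssh2
Jan 23 10:01:30 host sshd[118]: Failed password for alice from 198.51.100.7 port 6002 ssh2
Jan 23 10:02:00 host sshd[119]: Accepted password for alice from 198.51.100.7 port 6003 ssh2
"""

# Assumed log layout: syslog timestamp, host, sshd[pid], then the auth result.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2024):
    """Return a dict for a recognised auth line, or None for anything else.
    Syslog lines carry no year, so one is supplied (assumption for the example)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_users=4):
    """Flag source IPs whose failed logins hit >= min_users distinct accounts
    inside any `window`-long span. Returns {ip: finding}. Each finding records
    how many distinct accounts failed overall and which accounts the same IP
    later authenticated as, so an analyst can see spray followed by success."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it covers at most `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            users_in_window = {e["user"] for e in failures[start:end + 1]}
            if len(users_in_window) >= min_users:
                findings[ip] = {
                    "distinct_users": len({e["user"] for e in failures}),
                    "failed_attempts": len(failures),
                    "succeeded_as": sorted({e["user"] for e in evs if e["result"] == "Accepted"}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['failed_attempts']} failures across {f['distinct_users']} accounts; "
              f"later succeeded as {f['succeeded_as'] or 'nobody'}")
```

On the constructed sample this flags only 203.0.113.5: five failures across five accounts in five seconds, then a successful login as `frank`. The repeated failures from 198.51.100.7 are against a single account and stay below the threshold, which is the distinction a detection rule needs if it is to page on stolen-credential replay without waking someone for every forgotten password.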

Data Privacy is a Year-round Priority

National Data Privacy Week is a helpful reminder to organizations of their obligation to protect employee and customer information. At the same time, threats to sensitive information are present every day and new methods of data breaches, hacking techniques, and social engineering strategies appear regularly.

Organizations' defenses need to match this reality. Continuous attention and multiple layers of protection are essential to manage and protect personal information from inadvertent or criminal exposure. A year-round focus on data that includes enforceable policies, thorough training, and continuous reinforcement helps protect data and build a better, stronger security culture.
