Data Privacy: Danger or Opportunity?
T-Mobile Breach Results in 37 Million Customers' Data Stolen
The following article comes from our very own veteran Cybersecurity practice leader, Kevin Lee.
It’s become a common story about Data Privacy. Data is a crucial target for attackers and has become an ever-increasing challenge for companies to protect. Think about the number of technological changes in the last ten years: IoT (mobile phones, cars, appliances), e-commerce, the number of and access to applications, the cloud, AI, and APIs, to name a few. All have increased the opportunities to use our private data without our permission or to take what is ours.
Why should companies care, and what should they do?
1. Companies are not doing enough to protect their customers’ data.
Cybersecurity trends for the new year include the ongoing challenges of filling chief information security officer roles, remote work, and data proliferation and protection. Updated ISO 27001 standards and the release of Microsoft’s cybersecurity framework are among the industry events to watch.
Full Story: ISACA (1/10)
2. Consumers are becoming aware, and they care
a. KPMG’s Corporate Data Responsibility study found that 86% of consumers believe data privacy is a growing concern. For businesses, this must be a significant focus.
b. A data breach can be a business-ending event.
3. A wave of Federal, State, and International laws and regulations are coming. It’s already here.
4. If you are not seeing this as an opportunity, you’re missing the boat.
a. Do you see an opportunity in this? Data privacy and protection have become differentiators. Shoring up data privacy in your organization isn’t just a duty; it’s a way to demonstrate corporate responsibility to the customers and partners you want to trust you. It is a buying decision for many customers.
Companies are not doing enough to protect their customers’ data:
- According to a report from the Identity Theft Resource Center, a nonprofit that has tracked publicly reported data breaches for the past 17 years, the number of Americans caught up in 2022’s data breaches jumped by 42% compared with the year before.
- Last year’s data breaches impacted some 422 million people in the U.S.
- This is more than just stolen data. The unethical use of customer data by some companies is driving an ever-increasing data privacy concern.
- Companies are not doing enough.
- Many business leaders may have a false sense of security. Based on the 2021 KPMG survey, 95% of business leaders surveyed believed they had enough data protection. But what is happening in the trenches?
- Fewer than half of employees (49%) use passwords on their devices.
- Only 45% avoid opening email attachments.
- A mere 38% have installed security software.
- 44% say they fully understand the company’s data policies.
- 50% report using basic data protection methods.
- The apparent proof that more needs to be done is the sheer number of attacks happening yearly. What we’re doing is not working.
A wave of Federal, State, and International laws and regulations are coming. It’s already here.
- Here comes the government. Five states, led by California, have already passed data privacy and protection laws, and many more states will follow. As you can imagine, they will all be different. This does not include what is happening overseas, where international laws are increasing, some with real teeth in them, such as jail time. How will this add to the urgency and complexity of companies addressing this growing risk and need?
- Key Company Requirements:
- Consent by consumers to use their data
- Regulation compliance
- Basic security capabilities in place
- Event reporting and handling
Do you see an opportunity in this?
- Data privacy and protection have become a differentiator. Shoring up data privacy in your organization isn’t just a duty; it’s a way to demonstrate corporate responsibility to the customers and partners you want to trust you. It is a buying decision for many customers.
So what’s the answer? How do you achieve the needed levels of protection to mitigate the risk? Making the complex, simple!
Start with a professionally done assessment.
- Creating an effective IT security plan and program can be a scary and daunting task. It doesn’t have to be. There are some simple solutions to help mitigate this risk. It starts with the fundamentals.
- Anybody who has spent time in cybersecurity knows the three fundamental pillars of cybersecurity: people, process, and technology.
- These cybersecurity basics must be married to your business requirements. If you understand those requirements, you can use them as a roadmap to deliver quality IT service and cybersecurity protection. This gets complicated and expensive when organizations do not spend the time on basic business requirements for data security. Managers must ask themselves, “What are my key vulnerabilities and risks, and what are the best ways to mitigate them?”
Fundamental Solutions
On the people side: People are an organization’s biggest source of vulnerability. What are the organization’s basic needs?
- Awareness training – Teach people what to look for and avoid. For example, do your people know how to spot phishing emails? Will they avoid clicking on links in emails they receive? Are they using strong passwords and multi-factor authentication tools?
- Skills required – Determine your organization’s risk culture and risk mitigation skills.
- Behavioral assessment – Get a vision of what your employees are doing for or to you. For example: Do they load up software on company devices that are not company approved?
Warning: According to the previously mentioned KPMG study, there is an internal disconnect between what managers believe about cybersecurity in their organizations and employee behavior. Most executives believe they have enough data protection. When employees are asked about their cybersecurity practices, a different picture emerges. If you think you are safe, you are probably wrong.
On the process side: Here, you are looking at the policies and rules by which your employees and organization will operate related to IT security, especially as these rules relate to data privacy and protection.
- Governance, risk, and compliance – This is key. What is the audit and reporting process you have in place to make sure your organization is compliant and correcting shortcomings?
- Policy and procedures serve as the roadmap showing your employees how to behave and comply. Policies and procedures should cover roles and responsibilities, use of personal technology, password requirements, etc.
- Threat management – How will your organization react to a threat or event?
Warning: How hard are you making it to penetrate your systems? Is your threat management plan clear to your people? How robust are your detection and prevention processes and tools? Many attackers can be in your system for months.
On the technology side: The complexity and level of technology are exploding. Cloud migration, IoT, AI, ML, APIs, and the changing world of DevOps are just a few factors impacting your cybersecurity. What is needed to provide security for your organization? The first step is determining what is required to mitigate your company’s risks. You must evaluate things like:
- Network security
- Application security
- Data security – encryption, access, detection and prevention, backups, retention, etc.
Warning: Where are your most important data privacy and protection vulnerabilities? Remember the comment above that people are an organization’s biggest source of vulnerability. Spend your time and money where you will get the most significant return. Also, do you have a way of understanding the latest attack methods? Is your organization fluid in risk identification and mitigation strategy? The world is changing very fast. Are you keeping up with it?
Current-state assessment: This is a critical first step. An assessment, especially one performed by an outsourced professional, will help the organization understand what is happening, along with a gap analysis for the organization’s IT security needs. The assessment will use well-established frameworks like those from the National Institute of Standards and Technology (NIST), the CIS (Center for Internet Security) top 18 controls, or the ISO 27001 certification requirements.
Impartiality and experience are critical to clarifying needs and developing a solid plan. Most organizations do not have the skills internally to effectively assess their organization.
Despite these challenges, data security should also be approached as an opportunity to create a level of trust with your customer that will keep them coming back and give you a competitive edge. It will keep legislators happy, too.
It’s time to double down on data protection. If you need help figuring out where to start, contact TAG CXO to discuss your specific needs with seasoned professionals.
To reach Kevin, find him here: https://tagcxo.com/about/kevin-lee/
About TAG CXO:
Based in Phoenix, Arizona, TAG CXO is a privately held company, founded in 2019, providing Interim and Fractional IT leadership executives. The company maintains a bench of industry-trained, enterprise-level executives, available on demand to mid-market CEOs. TAG CXO executives help to round out a firm’s leadership team and close the IT talent gap with fully qualified expertise, offering a more affordable, lower-risk option than hiring full-time staff. Learn more at: https://tagcxo.com/.