Data privacy and cybersecurity often go hand in hand. Many of the steps we take towards protecting one also protect the other.
The “CIA triad” outlines the main elements of information security: the confidentiality, integrity and availability of data. Data privacy applies to the “confidentiality” aspect of this model. This is especially important given the obligations to companies set out by the General Data Protection Regulation (GDPR) in 2018. When it comes to data privacy, the regulation is clear that “Personal data shall be:
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” (Article 5(1)(f)).
This means businesses must not only protect their own data, but also that of their employees and customers. In this article, we’ll outline five key measures your organisation can take to safeguard the data privacy of all affected parties.
1. Have the “data privacy basics” in place at your organisation
Multi-factor authentication (MFA)
Enable MFA for VPNs and SaaS platforms to provide an additional layer of security. MFA helps protect against the use of compromised credentials. It requires that a device owned by the real user be present during the authentication.
MFA can also be used to restrict the devices that can access corporate resources (see “least privilege access” later on in this article).
Additionally, MFA tends to be easy on an organisation’s budget and relatively quick to implement. This in turn makes it an essential best practice for ensuring data privacy.
Virtual Private Network (VPN)
Because VPNs minimise risk by providing a secure network connection (even when not currently on the business network), organisations frequently implement them for remote or hybrid workers.
It is important to make sure VPN and access gateway platforms are fully patched, along with any client-side software that is used to access them.
Depending on the number of users, A VPN access solution may not be the best-long term strategy. Typically, these platforms aren’t designed to scale. There are also alternative systems available, such as single-sign on or identity access management based on zero trust access principles (more on these later).
Rethinking password tactics
Creating a strong password is key. Some experts recommend stringing together a sentence, noting that longer passwords are often better than shorter ones — even if these have special characters or a mix of upper- and lowercase letters.
Furthermore, most people wouldn’t dream of writing down their banking PIN or leaving a spare house key laying around. But with so many passwords to different systems being necessary, the physical recording of passwords hurriedly written down when signing up for a new account sometimes does still happen. Coach employees on using password managers and never sharing passwords. Data privacy at work should be taken just as seriously as at home.
Regularly patch software vulnerabilities
Vulnerabilities can be used as a back door into the organisation, particularly anything exposed to the internet. Maintain a patching schedule to limit the possibility of unwanted entry into your systems. There are plenty of resources available to help organisations define and maintain their patch management strategies.
Having these basics in place is a great start. But there are further measures your business can take to step up the strength of your data privacy.
2. Encourage employees to limit their use of work credentials
Employees should limit the use of their employee email credentials wherever possible. This is because each time they share it, the potential for spam and phishing attempts rises.
Make employees aware of sites like haveIbeenpwned, where they can see whether their previously used credentials have been compromised.
People are often not keen to use their personal email addresses when prompted to enter an address for work purposes. For these situations, the Cybersecurity and Infrastructure Security Agency (CISA) suggests creating a separate email account intended for such purposes.
Apply encryption to end-point devices throughout the business. Encrypting a device prevents the data being read or accessed if it is ever lost or stolen.
Encryption can also be applied to sensitive file data, servers and storage arrays. A good rule of thumb is not to store any sensitive or confidential data on non-encrypted removal drives.
4. Authentication and authorisation methods that enhance data privacy
While MFA (as outlined in step 1) is a solid foundation towards protecting data privacy and confidentiality, hackers can still manage to compromise the second method used for authentication. In addition, users experience MFA fatigue. This is attributed to the push notification method of second authentication, wherein a user will often authenticate just to remove the notification from their phone, even if they weren’t trying to log into any account. FIDO authentication aims to tackle this problem by integrating security measures directly into the device (and only there). Thus, passwords and the management as well as risk associated with them are eliminated.
Another measure that’s quickly gaining a foothold when it comes to additional security methods? Zero trust. With traditional security perimeters often proving no longer effective due to the deconsolidation of many companies’ employees (as a result of remote or hybrid working) and IT infrastructure (as a result of data being in the public cloud or a hybrid cloud environment), access to the corporate network is no longer enough to trust that someone has the right to be there.
With zero trust, even employees on an organisation’s corporate network always have to verify their identities before obtaining access.
Least privilege access
Here, the name says it all: Users only have permissions for what they require to do their work currently. And it’s not new — in fact, it’s a well-known component of many compliance audits.
This also means that, should it be expected that a certain user will need expanded access soon, this should wait until this event comes to pass — even if it may require some extra work.
5. Staff awareness training
Security is the responsibility of the organisation’s entire workforce. Educate them about the threats that exist and train them on the active role they can play in reducing the potential impact these threats can have on the organisation.
It’s important not to scare employees during this training. Rather, the idea is to make them feel empowered about how they can help the organisation. As an added benefit, they can apply what they learn in the course of their training to their usage of technology in their personal lives as well.
The National Cyber Security Centre provides free resources and training to get started. As the business’ security posture matures, involving a third party who can broaden staff’s understanding of security measures will help make sure that everyone in the organisation is on the same page and has the latest information.
Data privacy is just one component of protecting and securing your data. If you’d like advice on any of the information we’ve shared in this article – or want to know more about keeping your organisation’s, employees’ and customers’ data private – reach out to us.