50 Things You Need To Know To Optimize Your Company's Approach to Data Privacy and Cybersecurity Experts give their advice on how to best protect your company's data and sensitive information from cyber attacks.
Opinions expressed by Entrepreneur contributors are their own.
We live in a world where data breaches and ransomware have crippled even large multinational organizations. What does every company need to tighten up their approach to Data privacy and Cybersecurity? What are the new threats that companies should be aware of?
In a recent interview series in Authority Magazine called "5 Things You Need To Know To Optimize Your Company's Approach to Data Privacy and Cybersecurity" we interviewed close to two hundred Data Privacy and Cybersecurity Experts, as well as CTOs and CISOs who discussed these these questions. Here are some highlights from their interviews.
Angela Saverice-Rohan, EY Consulting
Understand the value of your data at risk: In order to make risk-based decisions on your cyber strategy and what privacy compliance efforts to prioritize, you must first understand not only what data you have, but how your organization is using it. This doesn't mean that the organization needs to undertake a massive effort to inventory all of its data. Instead, identify and prioritize the systems that contain high-value assets — that information that if exfiltrated, corrupted, or released publicly would have a significantly negative impact on your business operations.
Know your data defense and data offense strategies: Be able to articulate why either strategy has more emphasis during any given year. Data defense focuses on minimizing the downside of data risk and data offense is about maximizing the value of your data to drive growth and efficiencies in your business. Data defense imposes constraints and includes cyber and most of your privacy measures. Your data offense strategy could be impacted based on how you design your cyber and privacy controls. Your board should be updated on these strategies in unison, as it allows them to understand the bigger picture and make informed decisions on balancing between two equally important objectives.
Understand how cybersecurity and privacy are operationalized in your cloud environments and data lakes: I see many clients who discuss cyber and privacy at the beginning of these projects to modernize their data ecosystem, but they don't carry through the requirements into the operating environment. This means that control ownership for cyber or privacy may be unclear (vis-a-vis the cloud provider versus the company) or in the case of a data lake, there may be uncontrolled access and a lack of restrictions around data use cases.
Integrate your cybersecurity and privacy controls into your business across three lines of defense: This means that you should have security and privacy controls that apply at the right level of the process, applicable to each business unit, This establishes accountability for the control and provides the right level of risk coverage. A proper framework that provides the basis for effective internal control should demonstrate traceability to all of the laws, regulations, standards, and contractual commitments related to cybersecurity and privacy. It should also have delineated controls across the business and act as the single source of truth to support cyber and privacy programs, resourcing, and technology enablement.
Prioritize certain capabilities over others because of the gains to had: As attacks become more advanced, it will take longer for them to be detected, which compounds the risk to the organization. Don't lessen your investment in the detection domain. From a privacy standpoint, create controls that support privacy by design, in alignment with your product/service lifecycle, as well as how personal data is collected, processed, stored, shared, and disposed of. Integrate these controls into the business via the points where change management occurs. Don't assume all of your change management activities are centralized. Instead, confer with business units about how change specific to their operations is managed and drop the controls into those existing processes.
Gabe Turner, Security.org
Use VPNs: Especially if your workers are on public Wi-Fi networks, like in a coffee shop or library, have them connect to VPNs, or Virtual Private Networks, before doing any work online. This will encrypt their web activity and hide their IP addresses, making them much less susceptible to hacking. After I got sick of being on lockdown and cafes opened up, I started to work at coffee shops to escape my home, always connecting to a VPN first thing before doing any work online.
Use password managers: In order to protect employee accounts from unauthorized access, have them use a password manager for all business-related online accounts. Password managers will audit their current passwords, making sure there is a long, unique, and complicated password for each account. Then, some password managers can add advanced authentication methods, like two-factor authentication in the form of a passcode or multi-factor authentication in the form of fingerprint or face ID, which prevents unauthorized access. Before I had LastPass as my password manager, I had to constantly reset passwords, and I used a variation of the same password for each account. Now, not only are my passwords protected in an encrypted vault, but I use touch ID to sign in to accounts on my phone, which is both more secure and easier than having to remember a million different passwords.
Get business identity theft protection: Many people don't know that businesses need protection from identity theft as well as individuals. Identity theft protection services scan a number of areas for businesses' identifiable information, like their tax ID. When our business email was involved in a Poshmark data breach, we got alerts on our phones immediately and changed our password.
Use antivirus software: To protect against malware, it's important to have all work-related devices downloaded with antivirus software. Many services also include protection against phishing, ad-tracking, and even spam calls. I used to get multiple spam calls a day, which would drive me crazy, but with antivirus software, I receive less and less.
Train employees: This should be fairly obvious, but some companies seriously skimp on training employees on how to protect business and customer data. At the very least, train your employees on how to recognize phishing links and emails, as they are the most common ways that hacking can occur.
Bindu Sundaresan, AT&T Cybersecurity
1. Create an offensive strategy with a security-first mindset: Assume you are already hacked. At all times. If a company builds its operations and defense with this premise in mind, the chances of helping to detect these types of attacks and preventing the breaches are much greater than for most organizations today.
2. Formal vulnerability management doesn't simply involve the act of patching and reconfiguring insecure settings: Vulnerability management is a disciplined practice that requires an organizational mindset within IT that new vulnerabilities are found daily requiring the need for continual discovery and remediation
3. Data governance is necessary in order to provide and protect high-quality data throughout the lifecycle of that data: This includes data integrity, data security, availability, and consistency. Data governance program policies must include:
Delineating accountability for those responsible for data and data assets
Providing integrity controls to provide for the quality and accuracy of data
Identifying safeguards to protect data
Determining who can take what actions, with what data, under what circumstances, using what methods.
Assigning responsibility to appropriate levels in the organization for managing and protecting the data
4. An organization's brand is a valuable asset, but it's also a great attack surface. Threat actors exploit the public's trust in that brand when they phish under the organization's name or when they counterfeit its products. The problem gets harder when an organization engages with the world across so many digital platforms — the web, social media, mobile apps. These engagements are obviously crucial to a business. So, something else should be obvious as well: Guarding an organization's "digital trust" — public confidence in the company's digital security — is make-or-break for a business, not just part of a compliance checklist.
5. Building a security culture takes time and effort. What's more, cybersecurity awareness training ought to be a regular occurrence — once a quarter at a minimum — where it's an ongoing conversation with employees. One-and-done won't suffice. People have short memories, so repetition is altogether appropriate when it comes to a topic that's so strategic to the organization. This also needs to be part of a broader top-down effort starting with senior management. Awareness training should be incorporated across all organizations, not just limited to governance, threat detection, and incident response plans. The campaign should involve more than serving up rules, separate from the broader business reality. It means instilling a security-first mindset to help protect a business and deliver better business outcomes. Security belongs to every employee in the company, from the C-suite down to the seasonal intern — every employee owns a sliver of the exposed attack surface, but security programs work best when everyone understands that security makes the business stronger and their jobs easier.
Newt Higman, Sharp Electronics
Ensure you have multi-layered protection to secure all aspects of your business: A network risk assessment can help you uncover gaps in your cybersecurity.
Train, train, train your employees: Hackers rely on using tactics such as phishing to trick your employees into giving them access to your network — and they are only getting better at it.
Have an incident response plan: Just like you would have an evacuation plan in the event of an emergency, you need an incident response plan that details every step your business must take in the event of a breach.
Know that everyone is a target: Large, enterprises are an obvious target due to the payout possibilities, however, small and medium-sized businesses (SMBs) are uniquely susceptible to cybersecurity threats. This is because they often lack the resources of larger enterprises to invest in more sophisticated and comprehensive solutions.
Know that you are not on your own: If your IT department is strapped for resources, enlist a Managed Service Provider (MSP). Actually, Sharp recently conducted a survey that found 90% of small and medium-sized businesses use or plan to use an MSP today. Partnering with MSP is more affordable than you may think, especially when compared to the cost of cyber-attack.
Doug Clare, FICO
Take a risk-based approach to cyber-related challenges: Organizations need to continuously evaluate cybersecurity prevention measures they're taking. It's not unusual for organizations to burn through all resources being busy with day-to-day security activities, but the important part is to take a step back to evaluate the most important assets, ensuring that those have the appropriate protection. Organizations need to expand their thinking and make sure that they're engaging in a risk-based approach to protection, which means understanding where the high-risk areas are and focusing more activity on those areas.
Avoid a "checklist" mentality: It can be easy for organizations to fall into a "checklist" mentality. One of the key challenges that organizations have faced in cybersecurity is that they've allowed activity or "being busy" to be a surrogate for effectiveness. Some cyber teams are doing everything — they're driving all the patches, they're updating all the certificates, they're responding to all the vulnerabilities, etc. However, they are not stepping back from these activities to find out where they really have the risk, so that they can double down on those high-risk areas.
Changing times call for increased diligence: With employees working remotely and the list of vendors and third-party partners that organizations are working with also changing based on new needs, this is the opportune time for bad actors to strike. Organizations must be even more thoughtful in monitoring for vulnerabilities during times of intense change like now because there's an increased likelihood of new security exposures.
Convergence is king: Risk can mean different things to different organizations, but in general there's been a move towards convergence of key areas within an organization that can experience breaches or crime. This includes areas like cyber risk, fraud, compliance, and where applicable, financial crime. This trend is certainly something for key decision-makers to consider as there is a real benefit in cross-sharing insights within these departments that can prevent breaches and fraud.
Know your network: Make sure you're accounting for all you're meant to be accountable for. This goes beyond cyber risk and network security — it can also be a problem in securing product or customer portfolios as well. We find, and we hear plenty of stories about, organizations that are frequently taken advantage of in the one area they're not minding…the bit that was forgotten. A well-researched risk inventory can be an important asset, as the chain is only as strong as the weakest link.
Raju Vegesna, Zoho
Use ad-blockers and anti-tracking plugins on web browsers: Of course, most of the websites we enjoy are free, but most free products still come with a price, and that comes in the form of ads. As harmless as many online ads are, some pop-ups tend to overload your browser and can become extremely frustrating. Cookies and other ad trackers are notorious for being cybersecurity threats and weakening your online privacy. Ad blockers are great at protecting your privacy online. The more advanced ad blockers and anti-tracking apps let you block irritating ads, make your computer run more smoothly, and stop those annoying pop-ups.
Vet user agreements thoroughly and make software decisions accordingly: One thing that makes consumer privacy very tricky is that consumers are signing terms and conditions that are allowing these companies to collect massive amounts of data and sell that data. So technically, what they are doing is legal. But if consumers and companies took the time to thoroughly read these terms and conditions and user agreements, I think they would find a lot that they disagree with, and maybe more cautious with what software they feel comfortable downloading. You may not think you're vulnerable, but anything connected to your organization's network is a potential threat to you and your company.
Turn off unnecessary tracking and location services on phones and computers: Apps and even services on your smartphone are constantly tracking your locations and many consumers don't even know this. Of course, while location tracking can be convenient, it also is a huge privacy and security issue. There are many articles online on how to turn off these features and I highly recommend looking into turning these off and making sure that you're prioritizing your privacy.
Opt-out of information sharing on websites whenever possible: Most websites on the internet constantly collect data and information. Some websites can even collect data from your open tabs, so if you care about being in control of who uses your data, take time to understand what information you're giving up. You can use websites like "Simple Opt Out" that make it easier for consumers to opt-out of data sharing with more than 50 companies. For instance, you may not realize that Chase Bank may share your account balances and transaction history with non-affiliates to market to you. Similarly, Crate & Barrel may share your personal customer information such as transactions, email, and home address with other select companies.
Business leaders should invest in remote software solutions that protect employee privacy and data: With 2020 forcing most businesses into remote working, the need for remote software solutions increased, exposing a new area for privacy and data misuse. As we adapt to the "new normal" security and privacy concerns for businesses must become a priority. Malicious activities from hackers, phishing scams, and more are increasingly becoming smarter and more frequent. Businesses need to look at remote software as not only a tool to help employees stay productive, but also ensures security and safety for both the company and its employees. 2020 has revealed the flaws in software security and privacy and shown us that we can no longer ignore the importance of keeping information safe.
Michael Zachman, Zebra Technologies
Know your environment: It's extremely difficult to protect what you do not know you have. This seems very basic, but it is a common issue for companies. Keeping a current list of systems, applications, and devices is a surprisingly difficult task. Knowing which systems are the most important is even harder but having a prioritized inventory of digital assets is the foundation for designing and executing a security program. Imagine it's your job to keep a group of school kids safe on a field trip, but you don't have a list of who is going on the trip. That list is probably the first thing you'd ask for before leaving the school.
Know your defenses: Based upon your inventory, you need to make sure you have taken appropriate steps to protect your assets. "Appropriate" is an important word because not all assets should be protected the same. To use a common example, a company's "Coca-Cola recipe" should be highly protected, while its cafeteria menu should not. Constantly look for gaps in your defenses. After all, that's what cybercriminals are doing. If you lock 99 out of 100 windows, cybercriminals will find that one unlocked window. Always be on the lookout for your weakest link so you can strengthen it.
Make sure you manage your alerts: The best defenses will occasionally fail. A good cybersecurity program is equipped with many alerts to indicate potential failures. The key is to manage these alerts to the proper sensitivity. A common mistake is to have alerts that are too sensitive, creating many false positives. Not only are false positives expensive to track, but they typically lead to a propensity to ignore or miss alerts tied to real failures. Many post-breach analyses have shown that one or more alerts were triggered very early in the breach, but they were missed or ignored at the time.
Practice your response: Companies will have a security incident/breach. It is simply a matter of time, so any good cybersecurity program includes effective incident response. As I mentioned earlier, one of the most critical parts of incident response is the pre-planning efforts that happen in anticipation of a future breach. It is in these pre-planning activities that companies have the best chance of ensuring a rapid and effective response to a security incident/breach. Think about fire drills; the time to figure out evacuation routes is not during a real fire. It's not enough to have planned those routes; we are required to practice them via fire drills.
Communicate well: People equate security with secrecy, and there is some truth behind that. However, good cybersecurity programs need to also be properly transparent. For example, executives need to know and understand the cybersecurity risks facing the company. An effective program does not overstate the risks by spreading FUD (Fear, Uncertainty, and Doubt) in the hopes of getting more budget. An effective cybersecurity program also does not understate the risks to get good ratings or avoid difficult conversations. Transparency is paramount when dealing with external stakeholders. The past approaches of denials and "sugar-coating" breach disclosures to the public have often proven more harmful to the company than the breach itself. As the adage says, "it's not the crime, it's the coverup;" the same is often true with security incidents/breaches. External stakeholders are much savvier than companies may believe; they are able to understand the facts, good and bad, regarding security incidents. In some instances, companies and executives have been found concealing illegal activity from senior executives to cover up major data breaches or other obstruction of justice.
Satya Nanda, Fujitsu Americas
Don't let perfect be the enemy of good: While the ambition to create a "perfect" comprehensive security and privacy program is honorable, I would recommend starting small, with a security baseline self-assessment to understand and address the most critical gaps in phases.
Automate, automate, automate: With so many new tools and technologies now available — including Robotic Process Automation (RPA) — to automate basic tasks such as vulnerability management and patching, more time is freed up for engineers to focus on complex analysis and remediation work.
Seek external help: For most businesses, having all security and privacy skills in-house is cost-prohibitive. Take help from external consulting and MSS providers as necessary to fill the gaps.
Implement a zero trust model: With remote working being the new normal, identity access requirements are inverted, with more users, devices, applications, and data located outside of an enterprise than inside. Keep your operations and customers secure by implementing a zero trust model for devices.
Focus cybersecurity education on remote workers: With changes to the way we are working during this pandemic, cybercriminals are looking to exploit remote work vulnerabilities. Organizations must ensure that employees do their part to keep the enterprise secure while working from their home office.
Robbert Emery, NEC X
At the risk of stating the obvious, it is important for companies to take a holistic approach to data privacy and cybersecurity. This means embracing the competitive advantages of both the human and computer aspects in establishing a robust, sustainable data-privacy and cybersecurity system.
- Accountability: Implementing a holistic, robust solution is complex and dynamic, and its requirements continue to evolve with new federally mandated directives; including changes to existing directives and keeping up with corporate policies. Therefore, the accountability I am referring to is top-down — providing the right tools and the means to guarantee that the company's data stewards can secure their own data while ensuring that the tools are adaptable to the rapidly evolving data privacy and cybersecurity environment.
- Motivation: Data breaches, leaks, and misuses are all-too-common problems. When they happen, network and data security teams must be motivated to take on whatever challenges arise, and they must be aware of the consequences for delays or executing the security incident plan out of sequence. Advising the team about the consequences is important.
- Making consequences known: The high costs that data misuses and leaks have on productivity, the corporate exposure to fines, and the severe damage that could be done to the credit health of a young adult entering the workforce or higher education are the main reasons for companies to ensure accountability on their security teams.
- A closed system: In addition to the human aspects, there are the computer aspects of the system, where semi-automation and a closed system tighten up the company's data privacy and cybersecurity implementation. What I mean here is that the use of an AI platform and models enables companies to comply with the numerous regional directives protecting consumer and personal data.
- Semi-automation: This type of appliance scans various enterprise data lakes (and other data sources) for types of data, and PII specifically, as defined in the data protection directives. It then applies remedies per the directives. Because this system is programmable, changes in policies or directives are easily adopted into the AI model's framework. This results in the ability to retrain the system and redeploy the updated solution in a matter of days.
Marijus Briedis, NordVPN
Know your data flow: It is an amazingly hard task for big organizations, but you should know what data is going where and why. Knowing all the "pipes" and "flows" allows you to inspect, analyze, and detect anomalies faster.
Encrypt data in transfer: Using old and unencrypted protocols for data transfers is a straight way to a disaster, even if you use them in isolated environments. The MITM attacks can proceed undetected for a long time, and if the data is sniffed, it can be a gold mine that will allow an attacker to break into other systems. Encrypting data and using modern protocols prevents cyberattacks.
Encrypt data at rest: You should not only know where your data is stored and located physically but make sure it is encrypted. At one point in my career, I received an alert that one of the hard disks indicated an error on a RAID controller. It went back to a normal state in 10 minutes, but the serial number of the disk was different. After a long chat with the provider, they said they "had to change it." I was relieved that all the data was encrypted.
Update the software and technologies your company uses: Keeping software up to date is a no-brainer for anyone in tech, but other technologies tend to change too. Don't forget that MD5 is not the hash you should still be using to encrypt your passwords in the database — there are better and stronger alternatives.
Educate your employees on cybersecurity: Regular training is important for everyone, whether it's a non-tech accountant or a geeky developer. At the end of the day, the weakest link in cybersecurity is between the chair and the computer.