Each year on January 28, the United States, Canada, Israel and 47 European countries observe Data Privacy Day. The purpose of Data Privacy Day is to inspire dialogue on the importance of online privacy. These discussions also seek to inspire individuals and businesses to take action in an effort to respect privacy, safeguard data and enable trust.
In observance of Data Privacy Day this year, here are five recommendations through which organizations can bolster their data security efforts.
Train Your Workforce
Organizations can use a security awareness training program to educate their employees about the importance of data security. Curricula CEO Nick Santora recommends that organizations begin by creating a team to create a strategic plan for the security awareness training program. Buy-in from the top is critical to this type of program, so the team should include executive management as well as initiative leaders.
At that point, the team can begin developing programs to educate the organization’s workforce, including the C-Suite. This training should consist of digital security best practices and phishing testing. Digital security writer Anastasios Arampatzis also recommends that the program address drivers of malicious behavior to mitigate the risk of insider threats.
Embrace a Data-Centric Security Strategy
Mobile, the Internet of Things (IoT) and the cloud have dissolved the traditional boundaries of the network. As such, organizations need to now approach network security from a more holistic and strategic viewpoint. Information security expert Jeff Man urges organizations to specifically embrace a data-centric approach through which they develop a strategic understanding of what data they have and how valuable that data is to their business operations.
Once they have an idea of what data they have, organizations should protect their data by doing encryption the right way. They should also look to the Center for Internet Security’s Control 10 – Data Recovery Capabilities. As part of their implementation of this Control, organizations should develop a robust data backup strategy and test that strategy and their backups often.
Implement Multi-Factor Authentication (MFA)
Many of us are quick to change our login credentials following the public disclosure of a data breach. But by then, it could be too late. As Tripwire Principal Security Researcher Travis Smith noted in another blog post for The State of Security, many victimized businesses don’t detect a data breach (if at all) until hundreds of days later. That gives attackers plenty of time to compromise those exposed accounts before anyone knows what happened.
Acknowledging that threat, organizations should take additional steps to shore up their users’ business accounts against compromise. They can do so by following the requirements of the Center for Internet Security’s Control 4 – Controlled Use of Administrative Privileges and using multi-factor authentication (MFA) for all administrative account access. They should also encourage users to implement MFA across their personal web accounts.
Set Strict Permissions for the Cloud
As they increasingly migrate their workloads to the cloud, organizations need to lock down their cloud-based data. Human error has already been responsible for the exposure of numerous AWS S3 buckets. In many of those incidents, a misconfiguration was responsible for exposing the personal information of millions of customers.
To prevent another AWS S3 breach, organizations should strategically use ACLs to grant read/write permissions only to specific AWS accounts and/or predefined S3 groups. Security personnel should subsequently audit those accounts and their levels of access to ensure the principle of least privilege. They should not necessarily apply default permissions to their cloud-based data; in fact, they could choose to grant read-only access to a few system manager-specific S3 buckets.
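One way to perform the ACL audit described above is to walk each bucket's grant list and flag anything broader than the owner and an approved set of accounts. The following Python is an added example written for this post, not Tripwire's code or an AWS tool. The group URIs are the real predefined S3 groups; the ACL documents are constructed to mirror the shape that boto3's get_bucket_acl returns, and the owner and partner canonical IDs are placeholders.

```python
"""Audit S3 bucket ACL grants for over-broad access (added example, not from the post)."""
from dataclasses import dataclass

# Real predefined S3 group URIs; a grant to either of the first two is world-wide.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# Permissions that let a grantee change or replace data, or change the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


@dataclass
class Finding:
    bucket: str
    grantee: str
    permission: str
    severity: str
    reason: str


def grantee_label(grantee):
    """Return the identifier that names the grantee, whatever its type."""
    kind = grantee.get("Type")
    if kind == "Group":
        return grantee["URI"]
    if kind == "CanonicalUser":
        return grantee["ID"]
    if kind == "AmazonCustomerByEmail":
        return grantee["EmailAddress"]
    return "unknown"


def audit_bucket_acl(bucket, acl, approved_ids=frozenset()):
    """Return least-privilege violations in one bucket ACL.

    approved_ids: canonical user IDs (other than the owner) allowed to hold grants.
    """
    owner_id = acl["Owner"]["ID"]
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        perm = grant["Permission"]
        label = grantee_label(grantee)
        if grantee.get("Type") == "Group":
            if label == ALL_USERS:
                sev = "critical" if perm in WRITE_PERMISSIONS else "high"
                findings.append(Finding(bucket, label, perm, sev,
                                        "grant to anonymous internet users"))
            elif label == AUTHENTICATED_USERS:
                sev = "critical" if perm in WRITE_PERMISSIONS else "high"
                findings.append(Finding(bucket, label, perm, sev,
                                        "grant to every AWS account holder, not just yours"))
            elif label == LOG_DELIVERY and perm in {"WRITE", "READ_ACP"}:
                continue  # expected on a server-access-logging target bucket
            else:
                findings.append(Finding(bucket, label, perm, "medium",
                                        "unexpected group grant"))
        elif grantee.get("Type") == "CanonicalUser":
            if label == owner_id:
                continue  # the owning account is expected to hold FULL_CONTROL
            if label not in approved_ids:
                sev = "high" if perm in WRITE_PERMISSIONS else "medium"
                findings.append(Finding(bucket, label, perm, sev,
                                        "grant to an account not on the approved list"))
            elif perm == "FULL_CONTROL":
                findings.append(Finding(bucket, label, perm, "medium",
                                        "approved account holds FULL_CONTROL; prefer READ or WRITE"))
        else:
            findings.append(Finding(bucket, label, perm, "medium",
                                    "email-based grant; prefer canonical IDs"))
    return findings


# Constructed sample data: placeholder canonical IDs, not real AWS accounts.
OWNER_ID = "owner-canonical-id-placeholder"
PARTNER_ID = "partner-canonical-id-placeholder"

# A misconfigured bucket: world-readable and writable by any AWS account.
PUBLIC_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
    ],
}

# The least-privilege version: owner, one approved partner with READ, log delivery.
LOCKED_DOWN_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": PARTNER_ID}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("customer-exports", PUBLIC_ACL), ("customer-exports-fixed", LOCKED_DOWN_ACL)):
        for f in audit_bucket_acl(name, acl, {PARTNER_ID}):
            print(f"[{f.severity}] {f.bucket}: {f.permission} for {f.grantee} ({f.reason})")
```

In a real audit the ACL dictionaries would come from `s3.get_bucket_acl(Bucket=name)` for each bucket returned by `list_buckets`, and the approved ID set from whatever system of record tracks partner accounts. ACLs are only one of the access paths to a bucket; bucket policies and the account-level Block Public Access setting need the same review.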
Exercise Vigilance for Patch Management
Finally, organizations can strengthen the security of their data by patching vulnerabilities through which malicious actors could gain access to their network assets. They can do this by formulating a patch management program through which they test patches before they deploy them on their production systems. No test can cover every possible system configuration, so organizations should follow Tripwire VERT Senior Security Researcher Lane Thames’ guidance and conduct their patch testing on a best-effort basis.
Organizations’ engagement with a security fix doesn’t end after they’ve implemented it. Indeed, they need to follow up a patch’s deployment by scanning their system to confirm that the vulnerability is no longer present. This step will reveal if the patch has addressed the vulnerable components and if organizations need to take additional measures to remediate the vulnerability.
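The post-deployment check above is often done by comparing the package versions actually installed on each host against the version the vendor says contains the fix. The Python below is an added example, not Tripwire's code or a VERT tool; the host inventory and required versions are constructed. It also handles the edge case that trips up quick scripts: comparing versions as strings ranks "4.4.9" above "4.4.10", so a host that still runs the older build would wrongly pass.

```python
"""Confirm a patch actually landed by comparing installed versions to fixed ones
(added example, not from the post)."""
import re


def version_key(version):
    """Turn '2.4.10' or '1.0.2k' into a tuple that sorts numerically, not lexically.

    Numeric runs become (0, int) and letter runs (1, str) so mixed positions
    still compare without a TypeError; a longer tuple ranks above its prefix.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def verify_patches(inventory, required):
    """Report hosts where a package is still below the fixed version.

    inventory: {host: {package: installed_version}} as collected by your agent
    required:  {package: fixed_version} from the advisory
    Returns {host: [packages still vulnerable]}; hosts that are clean are omitted.
    """
    still_vulnerable = {}
    for host, packages in inventory.items():
        behind = []
        for package, fixed in required.items():
            installed = packages.get(package)
            if installed is None:
                continue  # package absent, so this advisory does not apply
            if version_key(installed) < version_key(fixed):
                behind.append(package)
        if behind:
            still_vulnerable[host] = behind
    return still_vulnerable


# Constructed sample data; versions are illustrative, not tied to a real advisory.
INVENTORY = {
    "web-01": {"openssl": "1.0.2k", "bash": "4.4.12"},
    "web-02": {"openssl": "1.0.2g", "bash": "4.4.12"},   # openssl patch never applied
    "db-01":  {"openssl": "1.0.2k", "bash": "4.4.9"},    # string compare would call this patched
    "app-01": {"nginx": "1.14.2", "bash": "4.4.12"},     # no openssl package at all
}
REQUIRED = {"openssl": "1.0.2k", "bash": "4.4.10"}

if __name__ == "__main__":
    for host, packages in verify_patches(INVENTORY, REQUIRED).items():
        print(f"{host}: still vulnerable via {', '.join(packages)}")
```

Version comparison is only a proxy for "the vulnerability is no longer present": distributions backport fixes without bumping the upstream version, and a patched library does not help a service that has not been restarted. Treat a clean result here as the trigger for the confirming vulnerability scan the post calls for, not as a replacement for it.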
Just the Beginning of Data Security
Security awareness training, a data-centric security strategy, MFA, strict cloud permissions and a robust patch management strategy are all efforts by which organizations can advance their data security. Even so, organizations can implement additional measures to prepare their systems in time for Data Privacy Day and beyond. They can learn more about these security controls here.