Security and Data Privacy aren’t the same thing but they go hand-in-hand. Security refers to the ways we protect ourselves, our property, personal and organizational information, and our customer/client records. It is the first level of defense against unwanted intruders. Privacy is our ability to control access to our personal information and the information we safeguard for our customers.
Businesses must continually review and improve their efforts to keep data safe. Here are some stats shared by the National Cybersecurity Alliance (NCSA) that show why this should be a topic for everyone in the organization — from the Board-level, to IT professionals, to all knowledge-workers crunching on data in their cubicles daily:
- 4 in 5 U.S. physicians have had cyberattacks in their practices. [1]
- 78% of healthcare professional survey respondents said they had experienced a malware and/or ransomware attack in the last 12 months. [2]
- Under the Health Insurance Portability and Accountability Act (HIPAA), it is illegal for healthcare providers to share patients’ treatment information, yet 30,000+ reports of privacy violations are received each year. [3]
- 41% of data breaches, involving a combined 1.17 million patient records, were caused by insider error or wrongdoing. [4]
Not only do companies feel the impact when they fail to protect their data, but customer sentiment plays a big role – customers expect the businesses they work with to take the issue seriously:
- 66% of U.S. consumers want companies to earn their trust by being more open and transparent about how their information is being used. [5]
- 77% would like more transparency on the ads being targeted to them based on the personal data that internet companies collect. [6]
In recognition of Data Privacy Day*, here are 5 ways your business can use security to maximize your ability to safeguard your data and keep the board and your customers happy.
- Use a Data Loss Prevention (DLP) solution to monitor all outgoing emails and file attachments and ensure employees are not sending confidential data such as company IP or customer data such as social security numbers, credit card data, health records or other personally identifiable information (PII). IT admins can set up monitoring rules that check for specific data types, formats, and custom words or groups of words. A disgruntled employee may deliberately try to move sensitive data off your network, but most employees don’t even realize when they violate a data privacy rule; either way, DLP automates the monitoring of employee communications and helps ensure data stays safe.
- Use an email encryption solution for your Microsoft Exchange or Office 365 mailbox store. Email encryption is easily set up in the background, so that all emails are encrypted with minimal or no interruption or inconvenience to your end users. It protects the sensitive content of your organization’s emails, which matters if messages are mishandled along the way or intercepted by hackers when your users check email on an unsecured wireless network.
- Set up a VPN and require all remote employees to use it when accessing network shares behind the corporate firewall and when accessing the Internet from their web browser. A VPN keeps the network path encrypted so it can’t be intercepted by a hacker, which minimizes the chances of malware injection or ransomware leading to a data breach.
- Implement basic computer security policies that set permissions and access levels for laptop users. IT admins should configure connection policies for unsecured or unknown wireless networks in their endpoint security software so that different levels of protection apply depending on the network the end user is connected to. IT admins should also enforce password changes every 90 days. This minimizes the chances that a current password would be useful to a hacker trying to gain network access in the event the password leaked.
- Provide employee security awareness training and show them simple tips for protecting the data they use or have access to on a regular basis. This can include hanging posters in office or breakroom areas reminding employees of their responsibility to keep data private. Training should also cover how to keep prying eyes off fellow employees’ computers, with reminders such as “don’t write down your passwords or leave them on a yellow sticky note under your keyboard” and “lock your computer so the screensaver displays when you walk away for a break.”
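To make the first tip concrete, here is an added example (not code from the original post or from any EdgeWave product) of the kind of monitoring rules a DLP solution applies to outgoing mail: a strict Social Security number pattern, a card-number pattern backed by a Luhn checksum so that order or invoice numbers are not flagged, and a list of custom phrases. The outbox messages, the custom terms and the block/review/allow policy are all constructed for the example.

```python
import re

# Detection rules for the data types the post lists: SSNs, card numbers and
# custom words or phrases. The patterns are deliberately strict to limit false
# positives; the custom terms are hypothetical organisation-specific phrases.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators
CUSTOM_TERMS = ("project falcon", "internal only")

# Constructed sample outbox (no real people, numbers or orders).
SAMPLE_OUTBOX = {
    "msg-1": "Hi Bob, attached is the Q3 summary deck. Thanks!",
    "msg-2": "Per your request, the patient's SSN is 123-45-6789 "
             "and the card on file is 4111 1111 1111 1111.",
    "msg-3": "Project Falcon roadmap attached. INTERNAL ONLY, do not forward "
             "outside the company.",
    "msg-4": "Order #12345678901234 shipped today; call me at 555-123-4567 "
             "with questions.",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return (rule, redacted_match) pairs for every policy hit in one message body.

    Matches are redacted before they leave the scanner so the DLP log itself
    does not become another copy of the sensitive value.
    """
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group(0)[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    lowered = text.lower()
    for term in CUSTOM_TERMS:
        if re.search(r"\b" + re.escape(term) + r"\b", lowered):
            findings.append(("custom_term", term))
    return findings


def decide(findings: list) -> str:
    """Example policy: block PII outright, hold custom-term hits for review, else allow."""
    rules = {rule for rule, _ in findings}
    if rules & {"ssn", "card"}:
        return "block"
    if rules:
        return "review"
    return "allow"


def scan_outbox(messages: dict) -> dict:
    """Apply the rules to every outgoing message; returns id -> (action, findings)."""
    results = {}
    for mid, body in messages.items():
        findings = scan_text(body)
        results[mid] = (decide(findings), findings)
    return results


if __name__ == "__main__":
    for mid, (action, findings) in scan_outbox(SAMPLE_OUTBOX).items():
        print(f"{mid}: {action:6s} {findings}")
```

The Luhn check is what keeps msg-4 from being a false positive: its 14-digit order number matches the card regex but fails the checksum, so the message is allowed. Redacting the matched values (only the last four characters survive) is the same discipline a real DLP product applies to its own alerts.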
Data privacy is important — especially considering that the General Data Protection Regulation (GDPR) takes effect in May 2018. U.S. companies that do business in Europe will have new requirements to safeguard the personal data of subjects residing in the European Union or risk a non-compliance fine of up to 4% of revenue. Companies are putting plans in place, but it’s safe to say that not everyone is ready yet. According to a Veritas survey of more than 2,500 senior technology decision makers, almost 40% of businesses are fearful of a major compliance failing and 31% are worried about reputational damage from poor data policies. A framework from Microsoft for meeting GDPR suggests:
- Business needs to set policies and objectives
- IT needs to implement and manage the systems
- Security must protect the data
- Compliance must ensure the controls are in place
- Users must be trained to handle data in appropriate ways
Data Privacy Day is an international effort held annually on Jan. 28 to create awareness about the importance of respecting privacy, safeguarding data and enabling trust. For more resources and tips for managing your privacy, visit https://staysafeonline.org/data-privacy-day/.
If you need a consultation for how to best configure an email security and web security solution, contact an EdgeWave rep to review your security posture.
To find out the latest security news, sign up for Five for Fridays newsletter.