7 Privacy Mistakes That Keep Security Pros on Their Toes
When it comes to privacy, it's the little things that can lead to big mishaps.
Privacy and security are often thought of as one and the same. While they are related, privacy has become its own discipline, which means security pros need to become more familiar with the subtle types of mistakes that can lead to some dangerous privacy snafus.
With GDPR going live last spring in Europe and the California privacy law becoming effective in 2020, companies should expect privacy to become more of an issue in the years ahead. Colorado and Vermont have passed privacy laws, as has Brazil, and India is well on its way to passingone of its own.
First and foremost, companies have to think of privacy by design, says Mark Bower, general manager and chief revenue officer at Egress Software Technologies.
Privacy by design requires companies to ask the following questions: What type of data are we storing? For what business purposes? Does the data need to be encrypted? How will the data be destroyed when it becomes obsolete, and how long a period will that be? Are there compliance regulations that stipulate data destruction requirements? How will the company protect personally identifiable information for credit cards and medical information?
"Companies can't understand risk if they don't know where the data resides," says Debra Farber, senior director of privacy strategy at BigID. "Privacy should be by default. Companies want to make sure that personal data is protected."
Read on for the most common privacy mishaps.
Egress Software's Bower points out that many misdirected emails are sent because users type in the first couple of letters of a name and go with what pops up first. While training users to check the To: field twice before hitting "send" can help, new machine-learning and AI technologies can track patterns of who users typically send emails to and have them double check they are sending them to the right people. For salespeople or reporters in the media who deal with lots of new contacts, the system can flag that this is the first time they are connecting with this person and ask whether they really want to send that attachment.
Emails can get into the wrong hands when someone adds a person to a thread to keep him in the loop, but then somebody else includes confidential information that the added person shouldn't have access to, Egress Software's Bower points out. Once again, people need to be trained on how to be more sensitive to email strings and who really needs to see the information being sent. Technologies that use AI and machine learning can help, he says, and they can be used to block access if it's discovered that information has been sent to somebody who does not have proper access rights.
Companies have to rethink their BYOD policies because every time an employee syncs a mobile device, she is syncing data to her personal cloud, says Chuck Holland, director of product management at Vera Security. Similarly, and maybe worse for the employee, she could be syncing her information to the corporate network.
Companies have to do a better job offboarding when an employee leaves for another job or for performance reasons, Vera Security's Holland says. Too often, companies leave old accounts open, and sensitive information could be stored on the hard drives of their computers or in emails. Companies need to understand that hackers look for those type of accounts for information they can sell or to launch widespread attacks.
Companies should never send unencrypted data or emails over the corporate network, BigID's Farber says. Specific departments that should think extra carefully about privacy and taking care of sensitive personal and corporate information include human resources, marketing, advertising, and accounting, she adds.
While companies take privacy into account during a merger or acquisition, very often they will use it to have the other company reduce the purchase price, BigID's Farber says. However, after the merger, instead of taking money saved and investing it in privacy and security, it will just move it to the bottom line.
While companies take privacy into account during a merger or acquisition, very often they will use it to have the other company reduce the purchase price, BigID's Farber says. However, after the merger, instead of taking money saved and investing it in privacy and security, it will just move it to the bottom line.
Privacy and security are often thought of as one and the same. While they are related, privacy has become its own discipline, which means security pros need to become more familiar with the subtle types of mistakes that can lead to some dangerous privacy snafus.
With GDPR going live last spring in Europe and the California privacy law becoming effective in 2020, companies should expect privacy to become more of an issue in the years ahead. Colorado and Vermont have passed privacy laws, as has Brazil, and India is well on its way to passingone of its own.
First and foremost, companies have to think of privacy by design, says Mark Bower, general manager and chief revenue officer at Egress Software Technologies.
Privacy by design requires companies to ask the following questions: What type of data are we storing? For what business purposes? Does the data need to be encrypted? How will the data be destroyed when it becomes obsolete, and how long a period will that be? Are there compliance regulations that stipulate data destruction requirements? How will the company protect personally identifiable information for credit cards and medical information?
"Companies can't understand risk if they don't know where the data resides," says Debra Farber, senior director of privacy strategy at BigID. "Privacy should be by default. Companies want to make sure that personal data is protected."
Read on for the most common privacy mishaps.
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024