Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

6/22/2016
05:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

5 Tips For Making Data Privacy Part Of The Company’s Culture

Common sense steps organizations can take to protect corporate data.

By now, the news has been well reported in the press. The Federal Deposit Insurance Corporation (FDIC) admitted in May that it has experienced at least five major data breaches since last Oct. 30.

While all five apparently took place when employees left the agency with thumb drives that contained sensitive data, two of the cases have been identified as extremely problematic. In one case, PII on 44,000 FDIC customers was compromised and in another case, 10,000 Social Security numbers were compromised.

Dana Simberkoff, chief compliance and risk officer for software firm AvePoint, says that these kinds of breaches are avoidable if organizations had more defined data protection policies and coordinated those efforts with every department in the organization.

“Data protection has to be everyone’s job,” Simberkoff says. “Too often, the line-of-business people just think they are there to do their jobs and make money. IT wants to service the business, the security team is focused on hackers and privacy advocates focus on compliance. They are all off doing their own functions.”

Simberkoff offers five best practices organizations can use to make data protection more of a priority:

1. Get the HR department more involved. A lot of organizations will just form a committee of top people from all the departments and let the issue slowly die. Start by getting the human resources department more involved. After all, they are the ones who will have to explain the company’s data policies to employees when they enter and exit the organization. They are also responsible for explaining any changes to the company’s data policies and will help coordinate any awareness and educational efforts.  

2. Develop a clear employee exit strategy. Organizations need a plan for when employees leave voluntarily and for when the employees are asked to leave. While it’s up to the organization how much they want to supervise a fired employee, in both cases they have to have set expectations up front when the employee enters the organization so there are no misunderstandings. Think in terms of low, medium and high for access. Once an employee gives notice, it makes sense to ratchet down his or her access to classified information and give them only the information they need to do their job until they leave.  

3. Create a plan for protecting corporate data. Part of the problem in the FDIC case was that the employees commingled personal and agency data. It’s getting more and more difficult for IT organizations to separate personal data from company data. However, IT departments can protect corporate data by properly doing discovery, tagging, classifying, protecting, and then auditing the data regularly. By doing this, the organization can also prepare for the EU’s General Data Protection Regulations, which go into full effect May 25, 2018. Any entity that has a European operation, even if it’s only online, must abide by these new regulations. Stiff penalties of up to 4 percent of a company’s annual revenues are at risk in a data breach.

4. Keep close tabs on the organization’s data access policies. As a general rule, employees should only have access to the data they need to do their jobs. Think of data access as low, medium and high. If the employee has been assigned to a special project where they need a higher level of access, let them have it for the duration of the project, but have a program in place that supervises and tracks their move back to the normal level of data access. Companies need a system that assigns access levels and constantly reviews the organization’s data requirements.

5. Try to limit shadow IT. Line-of-business managers resort to shadow IT when privacy and security practices by corporate IT stymies them, driving them to use SaaS services that they can easily provision, often at a lower cost. Rather than fighting the trend, corporate IT must embrace the cloud and work more closely with the line-of-business people to understand their requirements and get them the applications they need to get work done. In many cases, cloud computing offers greater security and there’s much less chance of a serious breach if IT knows what’s going on and can put the proper security controls in place during the negotiations with the cloud provider.   

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internet—and What Your Organization Can Do About It
The Threat from the Internet—and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...