05:15 PM
5 Tips For Making Data Privacy Part Of The Company’s Culture

Common sense steps organizations can take to protect corporate data.

By now, the news has been well reported in the press. The Federal Deposit Insurance Corporation (FDIC) admitted in May that it has experienced at least five major data breaches since last Oct. 30.

While all five apparently took place when employees left the agency with thumb drives that contained sensitive data, two of the cases have been identified as extremely problematic. In one case, PII on 44,000 FDIC customers was compromised and in another case, 10,000 Social Security numbers were compromised.

Dana Simberkoff, chief compliance and risk officer for software firm AvePoint, says that these kinds of breaches would be avoidable if organizations had more clearly defined data protection policies and coordinated those efforts with every department in the organization.

“Data protection has to be everyone’s job,” Simberkoff says. “Too often, the line-of-business people just think they are there to do their jobs and make money. IT wants to service the business, the security team is focused on hackers and privacy advocates focus on compliance. They are all off doing their own functions.”

Simberkoff offers five best practices organizations can use to make data protection more of a priority:

1. Get the HR department more involved. A lot of organizations will just form a committee of top people from all the departments and let the issue slowly die. Start by getting the human resources department more involved. After all, they are the ones who will have to explain the company’s data policies to employees when they enter and exit the organization. They are also responsible for explaining any changes to the company’s data policies and will help coordinate any awareness and educational efforts.  

2. Develop a clear employee exit strategy. Organizations need a plan both for when employees leave voluntarily and for when they are asked to leave. How closely a fired employee is supervised is up to the organization, but in both cases expectations must be set up front, when the employee joins, so there are no misunderstandings later. Think in terms of low, medium and high levels of access. Once an employee gives notice, it makes sense to ratchet down his or her access to classified information and provide only what they need to do their job until they leave.

3. Create a plan for protecting corporate data. Part of the problem in the FDIC case was that the employees commingled personal and agency data. It is getting more and more difficult for IT organizations to separate personal data from company data. However, IT departments can protect corporate data by properly discovering, tagging, classifying and protecting it, and then auditing it regularly. Doing this also prepares the organization for the EU's General Data Protection Regulation (GDPR), which goes into full effect May 25, 2018. Any entity with a European operation, even one that exists only online, must abide by the new regulation, and a data breach can carry penalties of up to 4 percent of a company's annual revenues.

4. Keep close tabs on the organization’s data access policies. As a general rule, employees should only have access to the data they need to do their jobs. Think of data access as low, medium and high. If the employee has been assigned to a special project where they need a higher level of access, let them have it for the duration of the project, but have a program in place that supervises and tracks their move back to the normal level of data access. Companies need a system that assigns access levels and constantly reviews the organization’s data requirements.

5. Try to limit shadow IT. Line-of-business managers resort to shadow IT when corporate IT's privacy and security practices stymie them, turning instead to SaaS services that they can easily provision themselves, often at a lower cost. Rather than fighting the trend, corporate IT must embrace the cloud and work more closely with the line-of-business people to understand their requirements and get them the applications they need to get work done. In many cases cloud computing offers greater security, and there is much less chance of a serious breach if IT knows what is going on and can put the proper security controls in place during the negotiations with the cloud provider.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.
