Dark Reading is part of the Informa Tech Division of Informa PLC



05:15 PM

5 Tips For Making Data Privacy Part Of The Company’s Culture

Common sense steps organizations can take to protect corporate data.

By now, the news has been well reported in the press. The Federal Deposit Insurance Corporation (FDIC) admitted in May that it had experienced at least five major data breaches since last Oct. 30.

All five apparently occurred when departing employees left the agency with thumb drives containing sensitive data. Two of the cases have been identified as especially serious: in one, personally identifiable information (PII) on 44,000 FDIC customers was compromised; in another, 10,000 Social Security numbers were exposed.

Dana Simberkoff, chief compliance and risk officer for software firm AvePoint, says breaches like these would be avoidable if organizations had better-defined data protection policies and coordinated their enforcement with every department in the organization.

“Data protection has to be everyone’s job,” Simberkoff says. “Too often, the line-of-business people just think they are there to do their jobs and make money. IT wants to service the business, the security team is focused on hackers and privacy advocates focus on compliance. They are all off doing their own functions.”

Simberkoff offers five best practices organizations can use to make data protection more of a priority:

1. Get the HR department more involved. A lot of organizations will just form a committee of top people from all the departments and let the issue slowly die. Start by getting the human resources department more involved. After all, they are the ones who will have to explain the company’s data policies to employees when they enter and exit the organization. They are also responsible for explaining any changes to the company’s data policies and will help coordinate any awareness and educational efforts.  

2. Develop a clear employee exit strategy. Organizations need a plan both for employees who leave voluntarily and for employees who are asked to leave. How closely a dismissed employee is supervised is up to the organization, but in both cases expectations must be set when the employee joins, so there are no misunderstandings later. Think in terms of low, medium and high levels of access. Once an employee gives notice, it makes sense to ratchet down his or her access to sensitive information and provide only what is needed to do the job until the departure date.

3. Create a plan for protecting corporate data. Part of the problem in the FDIC case was that employees commingled personal and agency data, and it is getting harder for IT to separate the two. IT can still protect corporate data by discovering where it lives, tagging and classifying it, applying controls appropriate to each classification, and then auditing it regularly. Doing this also prepares the organization for the EU's General Data Protection Regulation (GDPR), which takes full effect May 25, 2018. Any entity that processes the personal data of people in the EU, even one whose only European presence is online, must comply. A breach can bring fines of up to 4 percent of annual global turnover or 20 million euros, whichever is higher.

4. Keep close tabs on the organization's data access policies. As a general rule, employees should have access only to the data they need to do their jobs. Think of data access as low, medium and high. If an employee is assigned to a special project that requires a higher level of access, grant it for the duration of the project, but have a process in place that records the elevation, tracks its end date and verifies the return to the normal level. Companies need a system that assigns access levels and continually reviews the organization's data requirements.

5. Try to limit shadow IT. Line-of-business managers resort to shadow IT when corporate IT's privacy and security practices stymie them, driving them to SaaS services they can provision easily, often at lower cost. Rather than fighting the trend, corporate IT should embrace the cloud, work more closely with line-of-business staff to understand their requirements, and get them the applications they need to do their work. In many cases cloud services offer greater security, and there is far less chance of a serious breach if IT knows what is in use and can put the proper controls in place while negotiating with the provider.
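Tips 2 and 4 describe the same mechanism from two sides: a baseline tier, a time-boxed elevation for a project, and a ratchet-down once notice is given, with a review that catches elevations nobody reverted. The following is an added example of that model, not AvePoint's or Dark Reading's code. It assumes the article's three tiers (low, medium, high), that every elevation carries an inclusive end date, that an employee who has given notice is entitled only to the low tier from that day on, and that the employee records are constructed for illustration.

```python
"""Tiered access with time-boxed elevation and a revert audit (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

LEVELS = ("low", "medium", "high")  # tuple index is the tier's rank


def rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass
class Elevation:
    project: str
    level: str
    starts: date
    ends: date  # inclusive; access must be back at baseline the next day


@dataclass
class Employee:
    name: str
    baseline: str                      # tier assigned for the normal job
    current: str                       # tier actually provisioned in the directory
    elevations: list[Elevation] = field(default_factory=list)
    notice_given: date | None = None   # assumption: set by HR on the day notice is given


def entitled_level(emp: Employee, today: date) -> str:
    """The tier policy says `emp` should hold on `today`."""
    if emp.notice_given is not None and today >= emp.notice_given:
        return "low"                   # tip 2: ratchet down once notice is given
    level = emp.baseline
    for e in emp.elevations:
        if e.starts <= today <= e.ends and rank(e.level) > rank(level):
            level = e.level            # tip 4: project elevation, only while it runs
    return level


def access_review(staff: list[Employee], today: date) -> list[tuple[str, str, str]]:
    """Return (name, provisioned, entitled) for every account holding more than
    policy allows: the reverts that were never carried out. Under-provisioned
    accounts are a help-desk ticket, not a risk, so they are not flagged."""
    findings = []
    for emp in staff:
        should = entitled_level(emp, today)
        if rank(emp.current) > rank(should):
            findings.append((emp.name, emp.current, should))
    return findings


# Constructed records: alice's project ended but her elevation was never reverted,
# bob gave notice and still holds his baseline tier, carol's elevation is current.
STAFF = [
    Employee("alice", baseline="medium", current="high",
             elevations=[Elevation("q2-audit", "high", date(2016, 6, 1), date(2016, 6, 30))]),
    Employee("bob", baseline="medium", current="medium", notice_given=date(2016, 7, 1)),
    Employee("carol", baseline="low", current="medium",
             elevations=[Elevation("migration", "medium", date(2016, 7, 1), date(2016, 7, 31))]),
    Employee("dave", baseline="low", current="low"),
]

if __name__ == "__main__":
    for name, has, should in access_review(STAFF, date(2016, 7, 5)):
        print(f"{name}: provisioned {has}, entitled {should}")
```

Run the review daily against the directory's actual provisioning rather than the HR record of what was intended; the gap between the two is exactly the data this tip is about.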
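Tip 3's discover, tag, classify, protect and audit loop is concrete enough to show in code. The following is an added example, not AvePoint's or Dark Reading's code: it scans a small constructed corpus for Social Security numbers (the data type exposed in the FDIC case), classifies each file into the article's low/medium/high tiers, and re-audits an existing inventory for labels that no longer match the content. The tier threshold, the file names and their contents are assumptions; the structural rules folded into the regular expression are the Social Security Administration's published ones (area 000, 666 and 900-999, group 00 and serial 0000 are never issued).

```python
"""Discovery, tagging and periodic audit of files holding SSNs (added example)."""
from __future__ import annotations

import re

LEVELS = ("low", "medium", "high")
BULK_THRESHOLD = 10  # assumption: at this many SSNs a file is a bulk record store

# Dashed SSN with structural validity folded into the pattern, so that ticket
# numbers and placeholders such as 000-12-3456 are not counted as findings.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_ssns(text: str) -> list[str]:
    """Discovery: every structurally valid SSN in the text, in order."""
    return SSN_RE.findall(text)


def classify(text: str) -> str:
    """Classification: map the SSN count onto the article's three tiers."""
    n = len(find_ssns(text))
    if n == 0:
        return "low"
    return "medium" if n < BULK_THRESHOLD else "high"


def tag_files(files: dict[str, str]) -> dict[str, str]:
    """Tagging: one label per file, what a labeling or DLP tool would persist."""
    return {name: classify(text) for name, text in files.items()}


def audit(files: dict[str, str], recorded: dict[str, str]) -> list[tuple[str, str | None, str]]:
    """Audit: re-scan and report every file whose recorded label no longer matches
    its content (untagged, under-classified or over-classified)."""
    drift = []
    for name, text in files.items():
        actual = classify(text)
        if recorded.get(name) != actual:
            drift.append((name, recorded.get(name), actual))
    return drift


# Constructed sample corpus.
SAMPLE_FILES = {
    "memo.txt": "Meeting moved to noon. Ticket 987-65-4321 was closed.",       # 9xx area: not an SSN
    "loan-app.txt": "Applicant SSN 123-45-6789, co-signer 321-54-9876.",     # two real-looking SSNs
    "export.csv": "\n".join(f"{i},Name{i},{100+i:03d}-{10+i:02d}-{1000+i:04d}" for i in range(12)),
    "notes.txt": "Placeholders only: 000-12-3456, 123-00-4567, 123-45-0000.",  # all structurally invalid
}

# Labels as last recorded in the inventory: loan-app gained SSNs after it was
# tagged, and notes was over-classified by hand.
RECORDED_LABELS = {"memo.txt": "low", "loan-app.txt": "low", "export.csv": "high", "notes.txt": "medium"}

if __name__ == "__main__":
    print(tag_files(SAMPLE_FILES))
    for name, was, now in audit(SAMPLE_FILES, RECORDED_LABELS):
        print(f"{name}: recorded {was}, actual {now}")
```

The "protect" step is whatever control the tier maps to (encryption, a restricted share, a removable-media block); the point of re-running the audit on a schedule is that labels go stale as files change, which is how a thumb drive of "internal" data turns out to hold 10,000 SSNs.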

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.
