Vulnerabilities / Threats

3/23/2021
10:00 AM
Rajesh Ganesan
Commentary
Data Protection Is a Group Effort

When every employee is well-versed in customer data privacy principles, the DPO knows the enterprise's sensitive data is in good hands.

When a General Data Protection Regulation (GDPR) fine is levied on an organization, it doesn't come out of individual employees' paychecks — but perhaps there should be some incentive for all employees to take this more seriously. After all, every employee contributes to the company's ability to protect customer data. Anyone in an organization could fall victim to a social engineering attack, paving the way for a bad actor to access the corporate network. Data privacy must be a group effort, which is why we take an all-hands-on-deck approach, whereby every single employee, consultant, contractor, and intern works together to protect corporate data.

The protection of data must never fall solely on the shoulders of one individual or team. For example, our organization has nearly 9,000 employees across the globe, and only a dozen of these folks work in the privacy and compliance department. That's roughly 0.1% of our workforce. We are not anomalous in this regard either, as the privacy department traditionally makes up a small percentage of an organization. It is illogical to solely rely on these folks to keep your organization safe — especially for large companies. Starting with the data protection officer (DPO), organizations should take a top-down approach, where every employee takes ownership of their own individual data privacy efforts.

Keep Everyone Educated
One of the most important things a DPO can do is to construct effective data privacy training modules. After every employee and contractor completes these training courses, be sure to also require quizzes to ensure that everyone actually knows their stuff. Based on the results of these quizzes, every team can then be awarded a data privacy score. Much like law school, these teams' respective scores can then be shared in an open forum for all to see. This is not to shame those who aren't up to date on privacy principles; it's an effort to empower every individual to take ownership of his or her own data privacy initiatives. It's definitely important to keep employees up to date on data privacy legislation, such as GDPR, Brazil's Lei Geral de Proteção de Dados, and the California Privacy Rights Act; however, it's far more important to emphasize privacy principles as opposed to laws.

Stress Privacy Principles
Although everyone needs to be familiar with privacy legislation, it is far more important to be well-versed in the principles of data privacy. For example, it's vital to emphasize the principle of data minimization: No employee should collect any customer information other than data that he or she absolutely needs. Moreover, this data should be retained for the shortest amount of time possible. For those who work in research and development, the principle of privacy by design is imperative. From any given product's inception, developers and designers must be cognizant of all privacy repercussions that are likely to arise down the line. As DPOs often point out, new privacy laws are always coming down the pike; however, if everyone has been keeping privacy principles top of mind, the organization will be well on its way toward compliance with any law.

Write Processes Down
Formally record your organization's data privacy processes and be sure to document the collection and deletion of customer data. Documented data privacy processes and policies, as well as the respective teams' data privacy scores, certainly come in handy if and when auditors come knocking. Also, any employees who directly handle customer information should always keep their data inventories on hand — not just for auditors, but for subject access requests as well.

When every employee is well-versed in customer data privacy principles, the DPO can rest assured that the enterprise's sensitive data is in good hands. Perhaps most importantly, by placing a premium on education, documentation, and awareness of privacy principles, the individual employees feel empowered. As all good DPOs make clear, this is truly an all-hands-on-deck endeavor. For better or worse, we're all in this together.

Rajesh Ganesan is Vice President at ManageEngine, the IT management division of Zoho Corporation. Rajesh has been with Zoho Corp. for over 20 years developing software products in various verticals including telecommunications, network management, and IT security. He has ...