It’s that time of the year again: it’s Privacy Awareness Week!
This year’s event, which takes place on 2–8 May 2022, is themed Privacy: The foundation of trust. It is a timely reminder too, given the rise of remote work and evolving cyber threats. According to Mimecast’s research, half of businesses have seen an increase in internal threats or data leaks in the last year. Here, we’ll explore data privacy risks and how organisations can counter them.
Why organisations must protect their data
Phishing emails, ransomware and employee carelessness over passwords can all put your data – and your customers’ and partners’ personal details – in the wrong hands. And risks are growing: the Australian Cyber Security Centre (ACSC) recorded a report every eight minutes in 2021, compared to one every ten the previous year.
Australians are bombarded with increasing volumes of alerts and information, making it increasingly easy for individuals to slip up. “Businesses need to heed the wake-up call,” says Mimecast Field Chief Technologist Garrett O’Hara. “Australian workers are distracted and remote workers are sitting ducks. 8 out of 10 organisations believe their company is at risk.”
Privacy Awareness Week aims to focus minds across ANZ
Thankfully, more and more people are becoming aware of the value of data and the threats it faces. According to the Office of the Australian Information Commissioner (OAIC), 85% of Australians believe they have a clear understanding of why we should protect our personal data, and 87% want more control and choice over the use of their personal information.
So how can organisations manage data properly, and help their employees spot threats? Privacy Awareness Week has advice for individuals and several webinars and panels for businesses. It launches with a discussion of good privacy practices, before covering topics including AI, surveillance, complaint handling and the upcoming Mandatory Notification Data Breach Scheme. New Zealand has its Privacy Week just after Australia, with a range of events lined up to equip individuals and businesses with good cyber practices.
But which data privacy laws apply to your business?
While governments across the world are keen to safeguard data, implementation can vary a lot from region to region, even state by state. In Australia, the Privacy Act regulates how government agencies and large companies store, manage and protect data; New Zealand’s Privacy Act covers similar ground. The EU’s GDPR is particularly significant because it imposes obligations – and levies substantial fines – on organisations anywhere in the world that target or collect data relating to people in the EU. In the US, meanwhile, data laws are a complicated mix of state and federal rules. While we are seeing a very gradual convergence on data regulations globally, compliance with local and national laws still falls on the individual or business. Your data policies need to reflect the markets you operate in, so now is a good time to review where you stand in terms of data compliance.
Organisations need a data policy for the modern age
Changing rules aren’t the only challenge organisations face. The Internet of Things, the increase in remote work and the adoption of cloud services mean networks are wider, more complex and more varied than ever. Ransomware is on the rise, and scams are also getting more sophisticated.
Today, organisations must plan holistically, rather than adopting point solutions. The safeguarding of data is not just a CISO or CIO responsibility, but should run right through your organisation. Any ongoing assessment of risk, reward and legal obligations should feed into a clear, actionable data privacy plan, managed by a single internal stakeholder.
Build data protection into your organisation’s DNA
Your understanding of risk as it affects your organisation will feed into the measures you adopt. A lot of security changes are actually operational changes, but not all of them need to be drastic to be effective. Some key steps include:
Setting rules around data use that comply with privacy laws in the markets you operate in
Ensuring two-factor authentication is activated for every account
Auditing cloud services to ensure they are correctly configured
Using a patch-management program to ensure software and hardware vulnerabilities are remedied
Managing email, remote work and device use with clear, simple company-wide policies (such as limiting personal email use or attachments)
Encrypting data and enforcing VPN use to make remote work safer
Using network segmentation and zero-trust policies to limit access to those who need it
Using DMARC to protect employees and customers from scammers
Use training to encourage awareness
Data mismanagement generally comes from human error, and policies are useless if no one follows them. Training should be company-wide and come with senior buy-in. Rather than being an occasional, box-ticking chore, it should be frequent and engaging.
The best training is relevant and hands-on – consider tailoring it to individual teams, with real scenarios. A recent phishing incident or new security threat is a good opportunity to both summarise current dangers and remind staff of existing policy. You should also encourage dialogue. Staff shouldn’t feel embarrassed about reporting privacy concerns, and by listening carefully and discouraging scapegoating you can help build a proactive culture.
Be prepared for anything
No matter how good your data privacy and security policies are, one day you will slip up. Backups are essential, and the more frequent they are the better. The 3-2-1 rule, in which you keep three copies of your data on two types of media, with one copy off-site (perhaps in the cloud), is one way of ensuring you can get up and running again quickly. The best backups are automated and continuous.
But data incidents aren’t just about information loss. Regulatory penalties, reputational damage and operational delays are all possible consequences. You can mitigate them with a comprehensive and up-to-date incident response plan. And you can make a breach less likely by monitoring your network and external threats – and reviewing your policies in the light of your findings.
Staying safe this Privacy Awareness Week – and beyond
This year’s Privacy Awareness Week comes at a critical point for many organisations. With data under threat from employee error and cybercriminals, companies must ensure their data privacy policies are informed by the latest regulations and backed by great tech. Privacy Awareness Week offers the subject a welcome spotlight, but your organisation needs its data policy to work for more than seven days: it’s time to take the week’s lessons and run with them towards a better, and more secure, future.