Even in a society so heavily reliant on the internet, millions of people remain ignorant of who has access to their personal information on the web, and of what can be done with that information. This year, the National Cybersecurity Alliance (NCSA) has expanded its annual Data Privacy Day into Data Privacy Week. The event runs from January 24-28 and works to raise more awareness and help people protect themselves online as well as hold businesses accountable when it comes to respecting user personal data.
“According to our 2021 report based on research conducted by the Ponemon Institute, 93% of security leaders do not directly report to the CEO, and only 37% of respondents believe their organization values and effectively leverages cybersecurity leaders’ expertise,” said Matt Sanders, director of security at LogRhythm. “This significant misalignment is leaving ample room for shortcomings in cybersecurity initiatives that can lead to data breaches… 49% of respondents’ incident response plans account for problems like ransomware, and only 25% include guidance on how to handle hackers – two common ways sensitive data can be exposed or compromised.”
Sanders believes that this issue can be resolved if security leaders report directly to their CEO and board of directors in order to better align business practices with security priorities. “Well-equipped security programs enable the future of the business – keeping data secure while supporting the company’s overall growth and success,” he said.
For this year’s Data Privacy Week, the NCSA offered a few recommendations to better protect user personal data. First, they say it is important to understand the tradeoff between privacy and convenience. They advise users to be extremely mindful of what they are sharing versus what they are getting in return.
In its post about Data Privacy Week, the NCSA wrote, “Be thoughtful about who gets that information and wary of apps or services that require access to information that is not required or relevant for the services they are offering. Delete unused apps on your internet-connected devices and keep others secure by performing updates.”
Additionally, the NCSA said that users can help protect their personal data by proactively checking and managing the privacy settings on web services and apps to ensure that they are set to an appropriate level. They also advise internet users to create unique, difficult-to-guess passwords and store them in a password manager.
In the post, the NCSA also spoke about other ways that users can protect their personal information, writing, “Add another layer of security by enabling multi-factor authentication (MFA) wherever possible, especially on accounts with sensitive information. MFA has been found to block 99.9% of automated attacks when enabled and can ensure your data is protected, even in the event of a data breach.”
According to Rob Price, principal expert solution consultant at Snow Software, the way data privacy is perceived has shifted with the introduction of cloud-based technology. “A common misconception is that if your data is offsite or cloud-based it’s not your problem – but that is not true because the cloud is not a data management system,” he said.
Price went on to explain that data privacy and the protection of personal user information are the responsibility of every employee within the organization, whether or not that data is stored in the cloud. “This is especially true when it comes to data retention… Once their data retention period ends, organizations should get rid of excess data they no longer need, because it quickly becomes a liability as well as an unneeded expense,” he explained.
The NCSA also emphasized the importance of organizations respecting and being mindful of the personal data they are in possession of. Their main advice for companies is to remain transparent about what you are collecting and for what reason. According to the NCSA, being open with consumers about their data will lead to enhanced trust and overall growth in the business.
Additionally, they say that when it comes to protecting personal user data, it is essential to conduct assessments and analyze what is being collected and how. “Whether you operate locally, nationally, or globally… Follow reasonable security measures to keep individuals’ personal information safe from inappropriate and unauthorized access and make sure the personal data you collect is processed in a fair manner and only collected for relevant and legitimate purposes,” their post read.
Another tip the NCSA gave to businesses is to adopt a privacy framework. This works to manage risk and create a culture of privacy throughout the entire organization. They cited the NIST Privacy Framework, the AICPA Privacy Management Framework, and ISO/IEC 27701, the International Standard for Privacy Information Management, as good options to start with.
NCSA also stressed the importance of employee education around data privacy when it comes to creating and maintaining a culture of privacy. According to NCSA, this education is most effective when it is started during the hiring and onboarding process. “Engage staff by asking them to consider how privacy and data security applies to the work they do on a daily basis,” the NCSA said.