This week, January 24 through 28, is Data Privacy Week. For the first time, the National Cybersecurity Alliance has extended Data Privacy Day to a full Data Privacy Week in order to emphasize the vital role data privacy plays in our business and personal lives.
But don’t feel like you’ve missed out. It’s not too late to become a data privacy champion and receive your free toolkit full of useful materials to help promote privacy within your organization all year long.
You’ll be in great company with fellow champions who represent organizations of all sizes and types, hospitals and healthcare providers, schools and school districts, colleges and universities, nonprofit organizations, and government entities.
Individuals can also become data privacy champions because we each play a role in protecting our own personally identifiable information (PII).
Nearly 80% of adults are concerned about how companies actually use their personal information, according to a recent study by the Pew Research Center. And it’s no wonder.
The Identity Theft Research Center reports that 2021 saw a 17% increase in the number of recorded data breaches over the previous year, which had logged 3,923 breaches according to the 2020 year-end report by Risk Based Security. And the average cost of a data breach has now topped $4 million, says IBM.
No single threat is to blame for these disturbing numbers. In fact, seven different threats contributed to the rise in data breaches in 2021, with data stolen or lost as a result of employee negligence topping the list. Ransomware exploits rose to second place, with phishing scams in fifth place. Tried-and-true password guessing techniques, keystroke logging, malware and virus installations, and distributed denial of service attacks rounded out the list of the most common threats to data privacy.
Employee negligence is usually a matter of lack of training, poor privacy awareness, or just plain laziness (rather than the deliberate theft of data by disgruntled employees—although this does happen).
With ransomware becoming bigger and bolder and delivering increasingly dire consequences, it’s not surprising that it ranks second among the most common privacy threats in 2021, after employee negligence. Researchers have recently identified the perfect ransomware target, based on data compiled from ransomware attacks, and the results will either reassure you or ratchet up your concern.
To help reduce the frequency and effects of employee negligence, ransomware, phishing, and other common data privacy threats, the National Cybersecurity Alliance suggests three key actions you can take to reassure customers, patients, and other stakeholders that your organization is properly safeguarding their personal information. We’ve explored each action briefly below and provided links for you to learn more.
Training your employees is a fundamental step for all data privacy champions. Let Data Privacy Week serve as a driver for creating, or renewing, a culture of privacy in your organization, and let employee training serve as the platform.
All employees, including management and IT staff, should be trained in your privacy policy and procedures. New employees should be introduced to your organization’s privacy culture during onboarding, and privacy and cybersecurity awareness training should be refreshed and delivered repeatedly to all employees.
Work to create an environment in which each employee feels they have a significant role to play in keeping data private—because they do.
And because we all learn differently, take a multimedia approach to training. Offering a mix of online training, classroom training, interactive webinars, and other training formats provides something for everyone and helps the training remain top of mind.
Be sure to address ransomware and phishing schemes, and other social engineering exploits, as part of your training. Contact us for a presentation on ransomware and other training resources.
The National Cybersecurity Alliance and countless security and data privacy champions all over the world recommend that every organization conduct a data privacy assessment periodically. This risk assessment should include reviews of all procedures for the collection, processing, use, storage, transfer, and destruction of sensitive data.
Every organization should know exactly which privacy laws and regulations apply to them, and what actions they must take in order to comply with data privacy and security requirements.
Do you engage third-party vendors, partners, or others to provide services to your organization? Do you engage them to provide services to your customers on your behalf? If so, you are responsible for how those third parties handle your data. Therefore, your data privacy assessment must encompass their data procedures and systems as well as your own.
Like security risk assessments, data privacy assessments start with a baseline assessment, followed by periodic reassessments to ensure that your data privacy program remains effective and comprehensive.
If this fundamental activity poses a challenge for your organization, whether due to lack of qualified in-house staff or lack of available time, consider engaging the services of a Virtual CISO to complete your data privacy assessment.
Implementing an established data privacy framework is fundamental to becoming a data privacy champion. There are several privacy frameworks available to suit your organization and industry.
One option is the NIST Privacy Framework, developed by the National Institute of Standards and Technology (NIST). It follows the structure of the widely used NIST Cybersecurity Framework, so organizations can easily incorporate both frameworks.
Another popular choice, ISO/IEC 27701, is the data privacy extension of the globally recognized ISO 27001 security framework. ISO/IEC 27701 provides a framework for managing data privacy and the many risks associated with Personally Identifiable Information (PII). ISO 27701 also aids organizations in complying with the European Union’s General Data Protection Regulation (GDPR) and other data privacy requirements.
Numerous other frameworks are available and should be reviewed before you decide which is most appropriate for your organization. Need help deciding which is best? Contact us for expert guidance.
It’s easy to become a Data Privacy Champion, and no financial investment is required. Becoming a Champion gives you access to tools and materials that will help you promote data privacy throughout your organization and among your third-party vendors.
Join 24By7Security and hundreds of other organizations today in advocating for better data privacy. And, more importantly, make a commitment to become an active and engaged data privacy champion all year long.