Today is Data Privacy Day, an annual effort hosted by the National Cybersecurity Alliance (NCSA) to raise awareness about the importance of privacy and protection of personal information. VMware Carbon Black is proud to be an official Champion, supporting the principle that all organizations share the responsibility of being conscientious stewards of personal information.
“In recent years, we’ve seen the impact of more global awareness surrounding the abuse of consumer data, thanks to sweeping privacy measures like GDPR and CPRA,” said Kelvin Coleman, Executive Director, NCSA. “And while legislative backing is key to reinforcing accountability for poor data privacy practices, one major goal of Data Privacy Day is to build awareness among businesses about the benefits of an ethical approach to data privacy measures separate from legal boundaries.”
Better Data Privacy Practices Begin with Better Cybersecurity
As high-profile data breaches continue to make headlines, there is no doubt that the mishandling of data can lead to dire consequences. Cybercrime is now a big business, exceeding $1.5 trillion each year according to Atlas VPN, and it shows no signs of slowing down, fueled by security vulnerabilities found both in businesses and among their consumers. Private, personal information is continually being held for ransom and sold on underground dark web forums by cybercriminals motivated by profit.
In December, our research found stolen credit card information available for purchase on the dark web at an average rate of $10-20 per card. PayPal account credentials were selling for $2-10 per account. These figures are just a sampling of the type of information traded on these underground forums.
It’s clear that better data privacy must be underpinned by strong cybersecurity postures. Here’s what a couple of The Howlers had to say:
Rick McElroy, Principal Cybersecurity Strategist, VMware Carbon Black
“As a privacy advocate, I commend governments like California for enacting the CCPA, now CPRA, as a means to strengthen data protection. Today, CISOs share responsibility for privacy enforcement, adding more pressure to the traditionally strained role. Moving forward, to allow security roles to learn more about privacy, organizations will either have to invest in automation and the proper tooling to bolster cybersecurity measures or appoint Chief Privacy Officers in a new role focused solely on data privacy. Overall, consumers will ultimately benefit from this shift, as it means their information is held to stringent protection standards and privacy is prioritized across the business.”
James Alliband, Security Strategist, VMware Carbon Black
“The merging of personal and professional life has created immense opportunity for nefarious cybercriminals. As a result, we’re seeing new phishing attacks where the adversary, understanding that individuals are constantly shifting between work and personal emails, targets personal email aliases with malicious links asking for business credentials. It’s never been more important to take on a security-first mindset not just in business, but in personal life as well, for a stronger, more well-rounded security posture. Organizations can help make this possible by providing the necessary, regular training to empower employees, without feeling vulnerable. In the end, it’s all about providing people with the proper tools, assets and resources they need to do their jobs safely and empowering them with the knowledge and responsibility to do so.”
Data Privacy & Cybersecurity: 6 Best Practices
Data privacy and cybersecurity are converging, and while privacy regulations like the GDPR and CPRA have helped tighten the abuse of consumer data, better data privacy practices begin with stronger cybersecurity defenses. Organizations should consider the following six best practices to improve both data protection measures and cybersecurity, ultimately better safeguarding data and staying one step ahead of cybercriminals:
- Understand where vulnerabilities lie: Get a baseline understanding of where your vulnerabilities lie. A “Red Team” or “Purple Team” exercise (using third-party plus in-house security experts), whether an audit or a threat-hunting engagement, can help expose where systems are vulnerable and where additional controls need to be applied. Penetration tests and general audits are also recommended.
- Use multi-factor authentication: Multi-factor authentication with “just in time” administration should be deployed to web servers and to servers holding key data. Websites that are accessible to the general public should be reviewed for accuracy continuously.
- Deploy application control: Allowlisting (whitelisting) on critical servers can help ensure they do not touch the public Internet. Place them in high enforcement mode and only allow approved programs to run. Block all unauthorized file or memory modifications.
- Create a micro-segmentation strategy: A comprehensive micro-segmentation strategy should be implemented to help protect the business network. Flat networks are far easier to compromise.
- Deploy endpoint detection and response (EDR) technology: EDR, as well as non-signature-based next-generation antivirus (NGAV), uses unfiltered data to detect and remediate advanced attacks. Remember, the endpoint is the easiest attack surface for hackers.
- Educate: Stay up to date on the latest attack methodologies as well as attack vehicles. Ensure that everyone on your network, your administration and your leadership team understands the importance of cybersecurity, how not to fall for phishing attacks, and how to maintain a secure environment.