Data privacy. Take a second to think about these two important words and what they mean. More than merely a buzzword for the new millennium, data privacy impacts all our lives in a connected world, especially in the workplace.
Since the implementation of GDPR, the stakes are much higher for organisations that don’t take data protection as seriously as they should. A recent example of a company falling foul of GDPR is Google, fined £44m by the French data regulator CNIL for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. Note that Google did not suffer a data breach in this case; the charge relates to consent.
Why data protection matters
The workplace has been transformed in the past decade. We are all more connected digitally on social media apps such as LinkedIn, Facebook and Twitter. Online services such as banking apps, Netflix and Amazon store our financial details on cloud servers. Add a massive increase in computer-savvy criminals to the mix and you have the ingredients for a perfect data privacy storm. Data privacy isn’t “someone else’s problem”: it is the responsibility of everyone in the company to protect personal and company information.
Data breaches and loss of company information have far-reaching consequences for a business. Reputational damage and lost profit from negative press, regulatory fines and increased IT costs after the event are all additional expenses most businesses incur after an information security incident. Research also indicates that a data breach can be fatal for many smaller organisations.
Simple steps to improve data privacy
Information security is a complex beast, with a myriad of products and services on the market. As with most things, you get what you pay for and most vendors specialise in specific sectors or verticals. Let’s remove ourselves from product-specific advice for a moment and focus on strategic methods to improve organisational data privacy.
Increase user awareness
Providing user awareness training is one of the first steps organisations must take to improve information security. Although employees are the greatest strength of an organisation, they are also a target for hackers.
Make users aware of their responsibilities and teach basics such as the importance of choosing strong passwords to protect app and account logins. It is also important to keep your team up to speed on the many dangers of email phishing. Phishing is the number one method used by criminals to extract user credentials, business-critical information and finance details from unsuspecting employees.
Use encryption
Encryption protects data at rest and in transit from being read if it is intercepted: the information is scrambled so that it appears as a string of nonsensical characters to anyone without the decryption key. Encryption is particularly useful for protecting mobile devices such as laptops, tablets and smartphones, as well as external hard drives and USB drives, all of which are easily lost or stolen.
It is also worth noting that protecting mobile devices with a password or passcode should be a priority, as it adds a further security step.
Use a VPN
When employees need to send data between branch sites or access information stored on the corporate network from outside the office, investing in a VPN solution is essential.
A VPN extends a private network across a public network such as the Internet, enabling users to send and receive data securely as if their devices were connected directly to the private network. Data travels through encrypted tunnels, and users must authenticate, for example with a security token, before they are granted access to the VPN server.
Use a reputable password manager
We log in to more online services than ever before, increasing the need to maintain high levels of security. Official advice from the NCSC, the Government’s cyber security arm, is to use a different password for each online service you log in to. The reason for this is to stop criminals compromising all your online accounts should they successfully crack the password to, for example, your Facebook account.
So, how are you supposed to remember all these strong and unique passwords keeping your information secure? The simple answer is to look into a reputable password manager. There are many options on the market and, by doing some research, you will find the one that best suits your specific needs. Most password managers can generate complex passwords and will prompt you to change passwords that are reused elsewhere or are considered weak. Most products also work on all devices and will offer a prompt to help when filling out a form on a mobile device, which is very useful.
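As an added example (not Network ROI’s code or any product’s implementation), the following Python sketch shows the two behaviours described above: generating a complex password and auditing a vault for entries that are reused or weak. The sample vault, the short common-password list and the 12-character threshold are constructed assumptions.

```python
import hashlib
import secrets
import string

# Constructed sample vault (service -> password); not from any real product.
SAMPLE_VAULT = {
    "mail": "Winter2019!",
    "bank": "Winter2019!",               # reused: same secret as "mail"
    "shop": "password",                  # on the common-password list
    "vpn":  "t7#Qm2!vLp9&Rz4kXb1wYe",    # long, random, unique
    "crm":  "abc123",                    # short and common
}

# Tiny stand-in for the large breached/common-password lists real managers use.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "abc123", "letmein"}

def generate_password(length: int = 20) -> str:
    """Return a random password containing all four character classes.

    secrets.choice draws from the OS CSPRNG (random.choice is not suitable
    for secrets).  Retry until every class is present so that a policy
    requiring them never rejects the output.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, "!#$%&*+-=?@^_")
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw

def audit_vault(vault: dict) -> dict:
    """Return {service: [problems]} for entries a manager would flag.

    Reuse is detected by grouping entries on a SHA-256 digest, so the
    comparison works on fixed-size fingerprints rather than the passwords.
    """
    fingerprint = lambda pw: hashlib.sha256(pw.encode()).hexdigest()
    groups = {}
    for service, pw in vault.items():
        groups.setdefault(fingerprint(pw), []).append(service)
    report = {}
    for service, pw in vault.items():
        problems = []
        if len(groups[fingerprint(pw)]) > 1:
            problems.append("reused")
        if len(pw) < 12:                        # assumed minimum length
            problems.append("too short")
        if pw.lower() in COMMON_PASSWORDS:
            problems.append("common password")
        if problems:
            report[service] = problems
    return report
```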
Enable multi-factor authentication
Multi-factor authentication (MFA) adds an additional security step to the login process. MFA combines at least two of three factors: something you know, something you have and something you are. For instance, when you withdraw cash from an ATM, you use your bank card (something you have) and you enter a PIN (something you know).
Adding an extra step at login, such as a code from an authenticator app or a unique code sent to you via SMS, increases the protection of that account. MFA is easy to set up and administer and will, in most cases, protect the information held within the network or account even if the password is compromised.
Develop a robust data privacy strategy
Obviously, there are many more ways to increase information security within the organisation and the list above is by no means exhaustive. Applying a strict set of security policies and ensuring your employees are familiar with the processes is a key information security strategy. If you haven’t already done so, achieving GDPR compliance and Cyber Essentials accreditation provides additional data protection credentials, which can benefit your organisation in many ways.
Thanks for taking the time to read this article on Data Privacy Day. At Network ROI we are passionate about IT security, and the safe, secure operation of our clients’ networks is our top priority. We are Cyber Essentials Plus and IASME Gold accredited, which means we help businesses improve their information security stance.
Please call us on 0131 510 3456 or email firstname.lastname@example.org to discuss your data privacy and information security strategy. We’d be delighted to help.