Tim Erlin, director of IT risk and security strategy for Tripwire, highlights the daftest data privacy errors businesses make
Global businesses are reevaluating their data privacy programs this year as new privacy regulations targeted at businesses take effect.
The European General Data Protection Regulation is a new privacy regulation with fines as high as four percent of annual global revenue for companies that fail to safeguard data of EU citizens and residents.
In the US, 16 states recently introduced new, ACLU supported data privacy legislation. In spite of efforts to improve privacy protections many enterprises are not doing enough to protect consumer data.
Tim Erlin, director of IT risk and security strategy for Tripwire, said: “Data privacy day is a great opportunity for organisations to reevaluate their privacy program.
“Privacy is often treated as part of larger security initiatives. While this approach addresses some key privacy issues, others may not get the attention they deserve.”
- Keeping anything other than essential consumer data
Many companies keep a lot of customer data in case they need it ‘someday’. While this approach may seem prudent this data can easily become a major target for cyber attackers and, because it isn’t business critical, it may not receive the same protections as other, more sensitive data.
2. Failing to encrypt customer data
While there are some regulatory requirements for encrypting customer data, companies need to establish internal processes to keep data encrypted. Leaving customer data unencrypted makes it much easier for attackers to grab.
3. Not securing access paths
Encrypting customer data is important, but it must be decrypted for use in an application at some point. Attackers will aim to compromise the applications that use customer data in order to get to that data. “Don’t worry, the data is encrypted,” is a dangerous mind set.
4. Failing to patch known vulnerabilities
Security experts may be more interested in the technical analysis of the latest malware, but successful attacks are more likely to exploit the three year old web server vulnerability that gets them access to high value data. Patching systems isn’t glamorous but it’s essential to protecting data.
5. Not monitoring and controlling simple misconfigurations
More than one of the breaches that have been in the headlines recently has been the result of a misconfigured database or server. If you’re not monitoring sever configurations for change, you have a blind spot in your security that attackers can leverage.
How much do you know about data privacy? Find out with our quiz!