This year Data Protection Day is warning businesses to do more to protect personal data.
Data Protection Day is an international holiday that occurs every January 28. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. It is currently observed in the United States, Canada, and 47 European countries.
Global businesses are re-evaluating their data privacy programmes this year as new privacy regulations targeted at businesses start to gather.
The European General Data Protection Regulation (GDPR), which is expected to come into force in 2018, provides for fines of up to 4% of annual global revenue or €20 million- whichever is greater for failing to safeguard data of EU citizens and residents.
However, despite the introduction of this legislation, many enterprises are still not doing enough to protect consumer data, according to security and privacy industry experts.
“Data privacy day is a great opportunity for organisations to re-evaluate their privacy programme,” said Tim Erlin, director of IT risk and security strategy for security firm Tripwire. “Privacy is often treated as part of larger security initiatives. While this approach addresses some key privacy issues, others may not get the attention they deserve.”
According to Erlin, the top five data privacy mistakes businesses make are:
- Failure to keep only essential consumer data
- Failure to encrypt customer data
- Failure to secure access to data at all times
- Failure to patch known vulnerabilities
- Failure to monitor and control simple misconfigurations
Many organisations keep a lot of customer data in case they need it, he said, but it can easily become a major target for cyber attackers, and may not receive the same level of protection as business critical data.
The EU’s data protection rules will impact every entity that holds or uses European personal data both inside and outside of Europe.
More than two thirds of global companies expect EU data protection laws to dramatically increase costs of doing business in Europe.
Erlin said companies need to establish internal processes to keep data encrypted. “Leaving customer data unencrypted makes it much easier for attackers to grab.”
And while encrypting customer data is important, it must be decrypted for use in an application at some point, with attackers trying to compromise those applications so they can get to that data, Erlin warned.
Successful attacks are more likely to exploit vulnerabilities that are several years old if that gets them access to high value data. Patching systems isn’t glamorous but it’s essential to protecting data.
More than one of the security breaches that have been in the headlines recently has been the result of a misconfigured database or server, said Erlin. “If you’re not monitoring server configurations for change, you have a blind spot in your security that attackers can exploit.”
The UK’s Information Commissioner’s Office (ICO) has also highlighted the potentially devastating effect of reputational damage as a result of a personal data breach.
And it is not only the new privacy legislation in Europe and the US that is a factor. Lawrence Munro, European director at security firm Trustwave for Europe and Asia-Pacific, said the mounting number of breaches involving consumers’ financial and private data means that people are increasingly aware that their information is at risk, and much less willing to forgive businesses that betray their trust.
Munro said security professionals see “Password1” as the most common password year after year. “Such abysmal security presents an open door to hackers. Likewise, phishing scams over email and phone continue to trick droves of workers,” he said.
According to Munro, security in many organisations continues to be seen as a “box to be ticked” as cheaply as possible rather than an essential operation necessary for survival.
“Practices such as regular intensive network testing using real experts rather than occasional automated scans are crucial if businesses are to avoid the reputational and financial fallout of a breach this year,” he said.