In today’s digital environment, the direct impact of privacy breaches on the valuation, stock price and profitability of organizations is clear. Organizations are looking to prioritize their users’ privacy notices and policies not just to protect their value and to be compliant with existing laws, but also to provide something that is the holy grail for a product: trust. Organizations must be proactive in their data privacy to gain client trust.
Organizations worldwide are adjusting their data privacy policies to be compliant. But compliance does not usually breed proactiveness; it is a means to check the boxes that keep the organization on the right side of the law until new laws are enacted. In addition, laws typically are enacted after an event has taken place and are put into place to ensure that such an event is not repeated. Imagine if organizations were proactive about users’ privacy—the cost savings would be significant.
From a cybersecurity professional’s perspective, it is akin to jumping around in a minefield. Organizations usually have measures in place for thwarting existing threats, but what about newer threats that are always lurking on the horizon? When it comes to privacy, brands have lost market value overnight due to breaches where user data were compromised. The stakes are even higher when the user data involves personally identifiable information (PII), especially if they involve financial data and can be used to breach cyber strongholds through social engineering. Hackers have also evolved into constructing social profiles for targets replete with PII not just of the target, but also of their family members. That is potentially dangerous information that can be used effectively by hackers to reach their means.
Organizations must be proactive in their data privacy to gain client trust.
A direct impact of such a breach is not just on the brand, but also on the shareholders of the organization because any negative movement of the brand’s market value impacts the value of the shareholders’ investment in the organization. Other stakeholders such as vendors and partners who might have given access to the organization for their proprietary technology also appear on the radar of hackers because all modern systems are interconnected.
When it comes to trust, every employee entrusts their employer with their PII. Those data need to be protected and only those with requisite need-based access should have access to them. Organizations must ask themselves how the data are stored, who has access to this data and do those who have access to the data actually require it. Sensitive data such as health records require a higher degree of data management.
So, what can organizations do to ensure data privacy?
Have a Robust Data Privacy Policy
Privacy breaches often lead to a breach of shareholder trust. Therefore, having a defined data privacy policy is critical and the policy should extend to customers, partners and employees as each of these groups need to be protected against breaches. It is also important to have robust data flow diagrams to understand where PII information is gathered, processed and stored.
Enforce a Mobile Data Management Policy
A largely mobile workforce coupled with remote working means that data are flowing beyond the confines of a rigid traditional firewall. If employees can access enterprise data without using virtual private networks (VPNs), then that is an issue. Adding bring your own device (BYOD) capabilities to this mix makes it even more difficult to enforce mobile data management policies. When organizations implement BYOD policies for personal devices, they should ensure that the PII information of the employees on the devices are not accessed or removed. Adequate privacy notices and awareness should be provided and consent obtained before the implementation of such policies., If these steps are not taken, it could result in breach of trust of employee trust.
Real-Time Data Monitoring
One of the key causes of data privacy breaches is social engineering attacks. Organizations might have checks to ensure that spam and phishing emails do not reach enterprise mailboxes, but what if someone clicks on a phishing link in their personal mailbox when on the enterprise network? Another risky activity is employees sending data to their personal email addresses from their enterprise mailboxes. A real-time monitoring mechanism can ensure that sensitive data are not compromised, the necessary flags are raised and incidents are communicated based on severity, in real-time.
Risk Assessment
Ongoing risk assessment that runs parallel to real-time data monitoring is essential. It is a good idea to complete an annual risk assessment of processes and networks. It may seem redundant, but it is a necessary way to remain proactive against cybersecurity threats.
Conclusion
The bottom line is that data management and protection should be less about cost and compliance and more about organizations establishing and maintaining trust. If an organization’s data are not secure, consumers, partners and employees will not trust the organization with their data, and when they stop doing trusting, there are repercussions. Organizations must think beyond compliance to remain trustworthy and successful.
Deepa Seshadri, CISA, CISM
Is a partner at Deloitte Risk Advisory Practice and she has 25 years of experience providing cybersecurity and technology controls advisory. She has specific experience working on cyberstrategy and governance, risk and compliance work for mutlinational organizations in the manufacturing and technology sectors. She contributes to women in technology leadership initiatives She has presented on this topic as part of ISACA, Women in Technology Data Security Council of India.