
Taking the first steps toward improving data privacy in 2016

January 28 is Data Privacy Day (DPD). Observed since 2008, DPD raises awareness of the importance of data privacy and protection. According to the Verizon 2015 Data Breach Investigations Report, about 60% of cyber attackers are able to compromise an organization’s data within minutes. From a threat perspective, 2016 will be no different, and data thefts are bound to happen. However, you can minimize the likelihood of a cyberattack or data privacy incident by strengthening network security and following some simple security practices.

Centralize monitoring and control: Continuously monitor your network and maintain a centralized, real-time view of the hundreds of security incidents it generates. This is one of the most basic requirements if your organization must follow industry-standard compliance regulations such as HIPAA or PCI DSS.


Embrace data-driven forensics: Data-driven analysis of a suspicious event leads to better root cause analysis and forensics. A suspicious event can be as trivial as an increase in Web traffic from a known host during specific non-business hours over the last seven days, or repeated connection requests to critical assets (servers, databases, etc.) from an unknown host outside the network. In the worst case, where an attack has already happened, you must be able to trace it back to its source, establish an audit trail, and document both the findings and the action taken.
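As an added example (not part of the original post), the two suspicious events just described written as detection logic over constructed flow records: an off-hours Web traffic spike from a known host compared against its own earlier days in the trailing seven-day window, and repeated connection requests to critical assets from sources outside the network. The host inventory, critical-asset list, business hours and the 3x spike factor are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RECORDS = [  # constructed sample flows, not real traffic: (timestamp, src, dst, dst_port, bytes)
    ("2016-01-22 02:10:00", "10.0.1.5", "93.184.216.34", 443, 500),
    ("2016-01-23 02:12:00", "10.0.1.5", "93.184.216.34", 443, 500),
    ("2016-01-24 02:15:00", "10.0.1.5", "93.184.216.34", 443, 500),
    ("2016-01-25 02:30:00", "10.0.1.5", "93.184.216.34", 443, 6000),  # off-hours spike
    ("2016-01-25 10:00:00", "10.0.1.5", "93.184.216.34", 80, 9000),   # business hours, ignored
    ("2016-01-24 22:00:00", "10.0.1.6", "93.184.216.34", 443, 400),   # only one day seen
    ("2016-01-25 03:00:00", "203.0.113.7", "10.0.2.10", 3306, 60),    # external -> database
    ("2016-01-25 03:00:05", "203.0.113.7", "10.0.2.10", 3306, 60),
    ("2016-01-25 03:00:10", "203.0.113.7", "10.0.2.10", 3306, 60),
    ("2016-01-25 11:00:00", "198.51.100.9", "10.0.2.10", 443, 60),    # single request
]
KNOWN_HOSTS = {"10.0.1.5", "10.0.1.6"}          # hypothetical inventory of known workstations
CRITICAL_ASSETS = {"10.0.2.10", "10.0.2.11"}    # hypothetical servers/databases
INTERNAL = ip_network("10.0.0.0/8")             # assumed internal address space
BUSINESS_HOURS = range(8, 18)                   # 08:00-17:59 counts as business hours
WEB_PORTS = {80, 443}

def last_days(records, days=7):
    """Parse records and keep those inside the trailing window ending at the newest one."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), s, d, p, b) for ts, s, d, p, b in records]
    cutoff = max(r[0] for r in parsed) - timedelta(days=days)
    return [r for r in parsed if r[0] >= cutoff]

def off_hours_web_spikes(records, known_hosts=KNOWN_HOSTS, factor=3.0):
    """Known hosts whose newest day's off-hours Web bytes exceed factor x their earlier daily average."""
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, port, nbytes in last_days(records):
        if src in known_hosts and port in WEB_PORTS and ts.hour not in BUSINESS_HOURS:
            per_day[src][ts.date()] += nbytes
    flagged = {}
    for host, days in per_day.items():
        if len(days) < 2:  # need at least one earlier day as a baseline
            continue
        latest = max(days)
        baseline = sum(v for d, v in days.items() if d != latest) / (len(days) - 1)
        if days[latest] > factor * baseline:
            flagged[host] = (days[latest], baseline)
    return flagged

def repeated_external_to_critical(records, critical=CRITICAL_ASSETS, min_attempts=3):
    """Sources outside the network with repeated connection requests to critical assets."""
    attempts = Counter()
    for _ts, src, dst, _port, _nbytes in last_days(records):
        if dst in critical and ip_address(src) not in INTERNAL:
            attempts[(src, dst)] += 1
    return {pair: n for pair, n in attempts.items() if n >= min_attempts}
```

Both functions return the flagged host or (source, asset) pair together with the evidence, which is what an analyst needs to start the audit trail the paragraph calls for.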


Watch out for malicious software: A term we may see more often in 2016 is ransomware. Sensitive data is the main driver behind this kind of malicious software penetrating the network, and an ordinary user can become an unsuspecting victim, spreading it to other computers and applications inside the network. Anti-virus and anti-malware software can be installed to protect systems, but you should also put processes in place that alert you to suspicious application and file activity. Keep in mind that subtle file and registry changes are hard to detect without file integrity monitoring tools, and zero-day malware relies on exactly that blind spot.


Educate your users/colleagues: Patient records and credit card information are obviously critical data. However, other data, such as social security numbers, ATM passcodes, and bank account names stored on an unprotected desktop or in an unprotected document, create a prime opportunity for private data leaks. Periodic mailers and knowledge sharing among peers and with users can go a long way toward improving your organization’s security.

You can learn more about Data Privacy Day here.

Do you think it’s time to stop, think, and formulate an effective data privacy policy for your organization? What plans do you have to improve data privacy in your organization in 2016? What roadblocks do you foresee that will stop or slow you down from implementing some right away? Write in and let me know.

6 Comments

Good points at the organization level. But it needs to extend to the end user, especially with the BYOD world that exists today. Not many people are even thinking about this at home, potentially exposing themselves to such a thing, and when they bring that device into the workspace, it opens new doors to attack.

The major roadblock I see to providing an effective data privacy policy is the lack of a sense of urgency. There are still organizations out there that think they are immune to security breaches. I had done a consultant stint for a hospital a few years ago, as their Solarwinds Engineer. I brought up some basic best security practices to the leadership. Some of the technical staff and management were happy running Telnet, which ended the discussion. First things first though, everyone needs to run some sort of IT security policy, whether it is internal, NIST, SOX, or STIG. It can even be industry best practices. Something.... Then the organization can work from there to improve.

Security is starting somewhere with something....


I have to agree with CourtesyIT. Everywhere I have worked, there is no sense of urgency. Security is still treated like the red-headed stepchild. We go through the motions, put checks in check boxes, and pat ourselves on the back telling each other that we are doing a good job. After going through the motions for so long, even the most ardent network defender can lose interest.

CourtesyIT put the finger on the right button. My organization needed to update our payment solution so it could be put on the network instead of staying out of band. Once PCI inspection and the threat of penalties were scheduled to ensure the new solution would be compliant, the resources and time were suddenly made available.

Compliance should be first--before the first device was plugged in. And compliance should remain at the top--so nothing gets added or changed that can put that compliance at risk.

We recently made a change from a CISO who was hired then sent to a SANS seminary to be our CISO to bringing in an industry leader in the field. It is amazing the attitude shift towards security in our organization and just how far behind we were.


The organisation where I work is actually very good in regards to data privacy. Every 6 months or so we have to do privacy training.

About the Author
EDUCATION
MASTER OF SCIENCE (12/2003) - University of Texas San Antonio, San Antonio, Texas: Mgt of Technology with specialized focus in Information Technology Security
BACHELOR OF SCIENCE (12/1993) - Pfeiffer College, Misenheimer, North Carolina: Computer Info. Systems

CERTIFICATIONS
Cisco Certifications – CCNA R&S, CCDA, CCNA Security, CCNP Security
IT Infrastructure Library v2 (ITIL v2)
COMPTIA – Security+, Security+CE, CASP-02
Solarwinds - SCP
Juniper Networks - JNCIA, JNCIS
HP OpenView Certified Consultant (HPOV) – Expired 2004
Sun Certified System Administrator 9 (SCSA) – Expired 2004

Author: Boson.com
HP OpenView Network Node Manager 6.0 - 2002
Sun Solaris System Administrator 8 - 2002
CompTIA Network+ - 2012

CAREER SUMMARY
As a Senior Network Engineer, I have designed, installed, implemented and managed multiple LANs/WANs for many Department of Defense Commands and organizations in the United States and Europe. I have been practicing the FCAPS (Fault, Configuration, Accountability, Performance, and Security) Management Model for over 20 years to provide high availability and reliability for the networks under my supervision. This type of management style requires research and development of new and existing technologies to provide the 99.999% availability that I strive to obtain for my networks. My coworkers and supervisors consider me to be an extravert and outgoing individual, which was developed early as an entrepreneur and in customer service type occupations in high school and college. This type of background has given me the chance to excel in solving problems, developing creative strategies and solutions, and working with others in varying parameters and environments.

Commands Supported
JFCOM – Joint Forces Command (Formerly Joint Training, Analysis, and Simulation Center)
NCTAMS-Europe – Naval Computer and Telecommunications Area Master Station Europe
DISA-Europe – Defense Information System Agency Europe
AFIWC – Air Force Information Warfare Center
SPAWAR – Space and Naval Warfare Systems Center Charleston
NUWC – Naval Undersea Warfare Center
EUCOM – European Command
SOCEUR – Special Operations Command Europe
754th ELSC\HQ – Air Force Intranet (Formerly CITS / Block 30)
ADF-East - Aerospace Data Facility – East
USMS-HQ – United States Marshal Service Headquarters
USN-MSC – United States Navy Military Sealift Command
DISA-OKC - Defense Information Systems Agency Oklahoma City
PACOM - U.S. Pacific Command
U.S. Army - INSCOM - GISA Pacific