
Taking the first steps toward improving data privacy in 2016

January 28 is Data Privacy Day (DPD). Observed since 2008, DPD raises awareness of the importance of data privacy and protection. According to the Verizon 2015 Data Breach Investigations Report, in about 60% of breaches the attackers are able to compromise the organization within minutes. 2016 will be no different from a threat perspective, and data thefts are bound to happen. You can, however, reduce the likelihood of a cyberattack or data privacy incident by strengthening network security and following a few basic practices.

Centralize monitoring and control: Continuously monitor your network and maintain a centralized, real-time view of the hundreds of security events it generates. This is also one of the most basic requirements if your organization must comply with regulations and standards such as HIPAA and PCI DSS.

Embrace data-driven forensics: Analyzing a suspicious event against the data you have already collected leads to better root cause analysis and forensics. A suspicious event can be as mundane as an increase in web traffic from a known host during non-business hours over the last seven days, or repeated connection requests to critical assets (servers, databases, etc.) from an unknown host outside the network. In the worst case, where an attack has already succeeded, you must be able to trace it back to its source, establish an audit trail, and document the findings and the actions taken.
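As an added illustration (not part of the original post), here is how the two suspicious events just described can be checked against connection logs in Python: a known host whose off-hours web traffic in the last seven days far exceeds its own off-hours baseline from the week before, and an unknown external host that repeatedly connects to a critical asset. The internal address range, host inventory, critical-asset list, business hours and log format are assumptions, and the log lines are constructed for the example.

```python
"""Data-driven triage of the two suspicious patterns described above.

Rule 1: a known host's web traffic (ports 80/443) during non-business hours
        over the last seven days is well above that host's own off-hours
        baseline from the seven days before.
Rule 2: a host from outside the network that is not in the inventory makes
        repeated connection requests to a critical asset.
Added example; the network ranges, inventory and log format are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
KNOWN_HOSTS = {"10.0.1.15", "10.0.1.22"}              # assumed host inventory
CRITICAL_ASSETS = {"10.0.5.10", "10.0.5.11"}          # assumed servers/databases
BUSINESS_HOURS = range(8, 18)                         # 08:00-17:59 on weekdays
WEB_PORTS = {80, 443}
WEEK = timedelta(days=7)

# Constructed sample log, one flow per line: timestamp,src,dst,dst_port,bytes
LOG_LINES = """\
2016-01-18T02:10:00,10.0.1.15,93.184.216.34,443,400000
2016-01-25T02:10:00,10.0.1.15,93.184.216.34,443,2500000
2016-01-26T03:00:00,10.0.1.15,93.184.216.34,443,1800000
2016-01-26T22:00:00,10.0.1.22,93.184.216.34,443,500000
2016-01-27T10:00:00,10.0.1.22,93.184.216.34,443,9000000
2016-01-27T11:00:00,10.0.1.15,10.0.5.10,1433,2048
2016-01-27T23:01:00,198.51.100.7,10.0.5.10,1433,120
2016-01-27T23:02:00,198.51.100.7,10.0.5.10,1433,120
2016-01-27T23:03:00,198.51.100.7,10.0.5.10,1433,120
2016-01-27T23:04:00,198.51.100.7,10.0.5.10,1433,120
2016-01-27T23:05:00,198.51.100.7,10.0.5.10,1433,120
2016-01-27T23:06:00,198.51.100.7,10.0.5.10,1433,120
2016-01-27T23:10:00,203.0.113.9,10.0.5.10,22,90
2016-01-27T23:11:00,203.0.113.9,10.0.5.10,22,90
2016-01-27T23:12:00,203.0.113.9,10.0.2.50,80,90
""".splitlines()
NOW = datetime(2016, 1, 28, 9, 0, 0)   # time of the analysis (constructed)


def parse_line(line):
    """Parse one 'timestamp,src,dst,dst_port,bytes' record into a dict."""
    ts, src, dst, port, nbytes = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def off_hours(ts):
    """True on weekends or outside BUSINESS_HOURS on a weekday."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def off_hours_web_spike(events, now, factor=3.0, min_bytes=1_000_000):
    """Rule 1. Map known host -> (recent_bytes, baseline_bytes) when its
    off-hours web traffic in the last 7 days exceeds `factor` times the
    previous 7 days and is at least `min_bytes` (so a tiny baseline does
    not turn a few kilobytes into an alert)."""
    recent, baseline = defaultdict(int), defaultdict(int)
    for e in events:
        if (e["src"] not in KNOWN_HOSTS or e["port"] not in WEB_PORTS
                or not off_hours(e["ts"])):
            continue
        age = now - e["ts"]
        if timedelta(0) <= age < WEEK:
            recent[e["src"]] += e["bytes"]
        elif WEEK <= age < 2 * WEEK:
            baseline[e["src"]] += e["bytes"]
    return {h: (recent[h], baseline[h]) for h in KNOWN_HOSTS
            if recent[h] >= min_bytes and recent[h] > factor * max(baseline[h], 1)}


def repeated_external_probes(events, threshold=5):
    """Rule 2. Map (src, dst) -> attempts for sources outside INTERNAL_NET and
    not in the inventory that hit a critical asset at least `threshold` times."""
    counts = defaultdict(int)
    for e in events:
        if ipaddress.ip_address(e["src"]) in INTERNAL_NET or e["src"] in KNOWN_HOSTS:
            continue
        if e["dst"] in CRITICAL_ASSETS:
            counts[(e["src"], e["dst"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def triage(lines, now):
    """Run both rules over raw log lines; the hits are the audit trail's starting point."""
    events = [parse_line(l) for l in lines if l.strip()]
    return {"off_hours_web_spike": off_hours_web_spike(events, now),
            "repeated_external_probes": repeated_external_probes(events)}


if __name__ == "__main__":
    for rule, hits in triage(LOG_LINES, NOW).items():
        print(rule, hits)
```

Note what the rules deliberately ignore: the 9 MB transfer from 10.0.1.22 happens during business hours and is not counted, the 500 KB off-hours transfer from the same host is below the minimum volume, and the two SSH attempts from 203.0.113.9 stay under the repeat threshold. Comparing each host against its own prior week, rather than a fixed number, is what keeps this data-driven rather than a guess.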

Watch out for malicious software: A term we are likely to see more often in 2016 is ransomware. Sensitive data is what this kind of malware is after once it gets into the network, and an ordinary user can become its unsuspecting victim and spread it to other computers and applications inside the network. Anti-virus and anti-malware software should be installed, but you should also put processes in place that alert you to suspicious application and file activity. Keep in mind that subtle file and registry changes are hard to detect without file integrity monitoring tools, and zero-day malware relies on exactly that blind spot.
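The file integrity monitoring the paragraph refers to comes down to a content baseline and a diff against it. The Python below is an added example, not any product's implementation: it hashes a directory tree, then detects the kinds of change ransomware and other malware leave behind (a rewritten config whose timestamp has been restored, an encrypted copy dropped next to a deleted original, a setuid bit added to a binary). The directory layout and the simulated tampering are constructed for the demo.

```python
"""Minimal file integrity monitoring: baseline a directory tree, then diff it.

Content is compared by SHA-256 rather than by timestamp, because malware can
restore a file's mtime after rewriting it; permission bits (including setuid)
are tracked as a separate signal. Added example, not any product's code; the
directory layout and the "tampering" below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (path relative to root, POSIX form) to
    (sha256, size, permission bits incl. setuid/setgid/sticky)."""
    root = Path(root)
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            state[p.relative_to(root).as_posix()] = (
                file_digest(p), st.st_size, st.st_mode & 0o7777)
    return state


def compare(baseline, current):
    """Classify the differences between two snapshots."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p][0] != current[p][0]),
        "perm_changed": sorted(p for p in both
                               if baseline[p][0] == current[p][0]
                               and baseline[p][2] != current[p][2]),
    }


def demo():
    """Baseline a throwaway tree, simulate tampering, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.5.10\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF-stub")
        (root / "docs.txt").write_text("quarterly report\n")
        baseline = snapshot(root)

        # Simulated tampering (constructed for the demo):
        conf = root / "etc" / "app.conf"
        before = conf.stat()
        conf.write_text("db_host=203.0.113.9\n")               # config pointed elsewhere
        os.utime(conf, (before.st_atime, before.st_mtime))     # mtime restored to hide the edit
        (root / "docs.txt.locked").write_bytes(b"ciphertext")  # ransomware-style output
        (root / "docs.txt").unlink()                           # original removed
        os.chmod(root / "bin" / "tool", 0o4755)                # setuid bit added

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The restored mtime on app.conf is the point of the example: a check that only looks at timestamps would miss it, while the content hash does not. In practice the baseline must be stored somewhere the monitored host cannot rewrite it, otherwise malware with local privileges simply re-baselines its own changes.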

Educate your users and colleagues: Patient records and credit card information are obviously critical data. But other data, such as social security numbers, ATM passcodes, and bank account names stored on an unprotected desktop or in an unprotected document, is a prime opportunity for a private data leak. Periodic mailers and knowledge sharing among peers and with users can noticeably improve your organization's security.

You can learn more about Data Privacy Day here.

Do you think it’s time to stop, think, and formulate an effective data privacy policy for your organization? What plans do you have to improve data privacy in your organization in 2016? What roadblocks do you foresee that will stop or slow you down from implementing some right away? Write in and let me know.


Good points at the organization level. But it needs to extend to the end user, especially with the BYOD world that exists today. Not many people are even thinking about this at home, potentially exposing themselves to such a thing, and when they bring that device into the workspace, it opens new doors to attack.

The major roadblock I see to providing an effective data privacy policy is the lack of a sense of urgency. There are still organizations out there that think they are immune to security breaches. I did a consulting stint for a hospital a few years ago as their SolarWinds engineer. I brought up some basic security best practices to the leadership. Some of the technical staff and management were happy running Telnet, which ended the discussion. First things first, though: everyone needs to run some sort of IT security policy, whether it is internal, NIST, SOX, or STIG. It can even be industry best practices. Something.... Then the organization can work from there to improve.

Security is starting somewhere with something....


I have to agree with CourtesyIT. Everywhere I have worked, there is no sense of urgency. Security is still treated like the red-headed stepchild. We go through the motions, put checks in check boxes, and pat ourselves on the back, telling each other that we are doing a good job. After going through the motions for so long, even the most ardent network defender can lose interest.

CourtesyIT put the finger on the right button. My organization needed to update our payment solution so it could be put on the network instead of staying out of band. Once a PCI inspection and the threat of penalties were scheduled to ensure the new solution would be compliant, the resources and time were suddenly made available.

Compliance should be first, before the first device is plugged in. And compliance should remain at the top, so nothing gets added or changed that can put that compliance at risk.

We recently made a change from a CISO who was hired and then sent to a SANS seminary to become our CISO, to bringing in an industry leader in the field. It is amazing what an attitude shift towards security there has been in our organization, and just how far behind we were.


The organisation where I work is actually very good with regard to data privacy. Every 6 months or so we have to do privacy training.