The aggregation of new threats, laws and consumer activism makes data privacy a strategic initiative for today’s businesses to adopt as part of their core business operations.

January 28 is Data Privacy Day, an international event to create awareness about the importance of respecting privacy, safeguarding data and facilitating trust. In our current dynamic business environment where everything seems to be connected, millions of businesses are unaware of or uninformed about how their personal and business information is being used, collected or shared.

A study conducted by the Ponemon Institute in September 2017 reported several alarming statistics about how well today’s businesses are able to protect their sensitive information. These issues paint a picture of the escalating threats that businesses face as many of their security programs and initiatives lag or are static at best.

- 52% of respondents reported they had experienced at least one ransomware attack, with over 79% stating that the ransomware was unleashed due to phishing or social engineering attacks.
- 54% of respondents reported that their breach involved sensitive information about customers, employees or business plans, with the average breach now involving over 9,000 records.
- Organizations continue to struggle to provide budget, technology and personnel to manage security; 36% of respondents reported they are now outsourcing their IT security operations to outside partners.
- The toll of a cyberattack is becoming costlier: the impact to the business due to damage/theft is averaging $1.2 million, and the disruption caused by a cyber-incident is also averaging $1.2 million.

Examples of these costs include:

- cost to forensically recover lost or damaged sensitive information;
- liability costs to the business from lawsuits (customers, vendors, partners, etc.);
- cost of fines due to not meeting compliance/regulation requirements or contractual requirements; and
- cost due to the loss of business opportunities from brand damage or loss of data, facilities, etc.

As businesses face the shock of these threats to their operations, they also must be aware that consumers are now more concerned than ever about the security of their private information. Every day, people are beginning to feel the effects of the hyper-connected society we live in, where companies request their private data in exchange for services. In these transactions, consumers assume their private information is being protected. Businesses must be cognizant that consumers are now willing to change their buying behavior and shift brands if they feel a business is at fault for a breach of their sensitive data.

To help businesses understand this convergence of data privacy and cybersecurity, there are several recommendations they can incorporate to better manage the risk exposure to their organization and the sensitive data entrusted to them.

1. How your company manages data privacy shouldn’t be a secret

Your customers need to understand why you need their information, what you will use it for and how long you will keep it. Consumers are educating themselves about privacy, so your company’s policy on data privacy should be available and easy to read.

2. Data privacy is an “everyone initiative”

If your business has sensitive information on employees, consumers, partners, etc., then you should have your whole company involved in protecting this data. Incorporate a data governance program that uses training, processes, personnel and technology to manage this information when it is at rest, in transit, being processed and finally decommissioned when no longer needed.
All staff, partners and vendors need to be involved and understand the importance of managing the data entrusted to the organization.

3. Data governance and the management of privacy is continuous

To effectively manage protected data, an organization’s security and risk management programs will need to leverage a blend of technologies, frameworks, processes and personnel. Even with all of these resources, it is still a continuous life-cycle of monitoring, remediating and improving. To avoid shortchanging themselves, businesses should assign resources to manage this risk and understand the value it provides to business operations through creating a risk-aware culture.

4. Don’t forget the small things

As you train your staff, build a security and risk management program and incorporate new policies, remember that data is like water and can easily slip out of an organization’s control. Bring in a trusted partner for a risk assessment to check on how your data is being accessed and if it is being transferred to employees’ smartphones, portable USB devices, copiers or legacy storage devices. Use a partner to review your security controls and verify that the data entrusted to your company is safe.

These recommendations are just some ideas of what businesses can implement to better manage their data privacy requirements. Data privacy is becoming more visible and is a driving international initiative with the upcoming European Union’s “Global Data Protection Regulation” (GDPR) law. It is the aggregation of new threats, laws and consumer activism that makes data privacy a strategic initiative for today’s businesses to adopt as part of their core business operations.