Global businesses are reevaluating their data privacy programs this year as new privacy regulations targeted at businesses take effect. The European General Data Protection Regulation is a new privacy regulation with fines as high as four percent of annual global revenue for companies that fail to safeguard data of EU citizens and residents. In the U.S. 16 states recently introduced new, ACLU supported data privacy legislation. In spite of efforts to improve privacy protections many enterprises are not doing enough to protect consumer data.
“Data Privacy Day is a great opportunity for organizations to reevaluate their privacy program,” said Tim Erlin, director of IT risk and security strategy for Tripwire. “Privacy is often treated as part of larger security initiatives. While this approach addresses some key privacy issues, others may not get the attention they deserve.”
According to Erlin, the top five data privacy mistakes businesses make are:
1. Failure to keep only essential consumer data: Many organizations keep a lot of customer data in case they need it “someday.” While this approach may seem prudent this data can easily become a major target for cyber attackers and, because it isn’t business critical, it may not receive the same protections as other, more sensitive data.
2. Failure to encrypt customer data: While there are some regulatory requirements for encrypting customer data, companies need to establish internal processes to keep data encrypted. Leaving customer data unencrypted makes it much easier for attackers to grab.
3. Failure to secure access paths: Encrypting customer data is important, but it must be decrypted for use in an application at some point. Attackers will aim to compromise the applications that use customer data in order to get to that data. “Don’t worry, the data is encrypted,” is a dangerous mind set.
4. Failure to patch known vulnerabilities: Security experts may be more interested in the technical analysis of the latest malware, but successful attacks are more likely to exploit the three year old web server vulnerability that gets them access to high value data. Patching systems isn’t glamorous but it’s essential to protecting data.
5. Failure to monitor and control simple misconfigurations: More than one of the breaches that have been in the headlines recently has been the result of a misconfigured database or server. If you’re not monitoring server configurations for change, you have a blind spot in your security that attackers can leverage.