When it comes to privacy, it's the little things that can lead to big mishaps.
Privacy and security are often thought of as one and the same. While they are related, privacy has become its own discipline, which means security experts need to become more familiar with the subtle types of mistakes that can lead to some dangerous privacy snafus.
- Privacy System
With General Data Protection Regulation (GDPR) going live last spring in Europe and the California privacy law becoming effective in 2020, companies should expect privacy to become more of an issue in the years ahead. Colorado and Vermont have passed privacy laws, as has Brazil, and India is well on its way to passing one of its own.
Mark Bower, general manager and chief revenue officer at Egress Software Technologies, says that first and foremost, companies have to think of privacy by design.
Privacy by design requires companies to ask the following questions: What type of data are we storing? For what business purposes? Does the data need to be encrypted? How will the data be destroyed when it becomes obsolete, and how long a period will that be? Are there compliance regulations that stipulate data destruction requirements? How will the company protect personally identifiable information for credit cards and medical information?
- Emails mishaps
1. The Accidental email: Egress Software's Bower told the Dark Readings website that many misdirected emails are sent because users type in the first couple of letters of a name and go with what pops up first. While training users to check the To: field twice before hitting "send" can help, new machine-learning and AI technologies can track patterns of who users typically send emails to and have them double check they are sending them to the right people. For salespeople or reporters in the media who deal with lots of new contacts, the system can flag that this is the first time they are connecting with this person and ask whether they really want to send that attachment.
2. Somebody forwards a corporate email to a friend, spouse, or personal account: companies need to rethink how they want to control corporate information they send to their staffs, Egress Software’s Bower adds. The emails could be about something seemingly innocuous, like holiday plans, or inside information about a new product. Either way, companies have to decide whether they're going to let people forward them to people outside of the company or restrict or block people from sending them.
3. A user adds a new person to an email string who shouldn't have access: emails can get into the wrong hands when someone adds a person to a thread to keep him in the loop, but then somebody else includes confidential information that the added person shouldn't have access to, Bower points out. Once again, people need to be trained on how to be more sensitive to email strings and who really needs to see the information being sent. Technologies that use AI and machine learning can help, he says, and they can be used to block access if it's discovered that information has been sent to somebody who does not have proper access rights.
- Sync and Share
4. A 'Sync and Share' causes a potential data breach: Chuck Holland, director of product management at Vera Security sees that companies have to rethink their BYOD policies because every time an employee syncs a mobile device, she is syncing data to her personal cloud. Similarly, and maybe worse for the employee, she could be syncing her information to the corporate network.
5. Companies don't practice good off-boarding routines: Holland says companies have to do a better job off-boarding when an employee leaves for another job or for performance reasons. Too often, companies leave old accounts open, and sensitive information could be stored on the hard drives of their computers or in emails. Companies need to understand that hackers look for those types of accounts for information they can sell or to launch widespread attacks.
6. Companies don't encrypt email and data transfers: companies should never send unencrypted data or emails over the corporate network, a BigID's official says. Specific departments that should think extra carefully about privacy and taking care of sensitive personal and corporate information include human resources, marketing, advertising, and accounting, she adds.
7. During M&As, companies use privacy as a bargaining chip: while companies take privacy into account during a merger or acquisition, very often they will use it to have the other company reduce the purchase price, BigID's Farber says. However, after the merger, instead of taking money saved and investing it in privacy and security, it will just move it to the bottom line.
