January 22nd through the 28th is Data Privacy Week. It’s okay if it snuck up on you because this is only the second one.
Just like Cyber Security Awareness Month in October, the purpose of Data Privacy Week is to bring attention and awareness to the importance of protecting your data online. That is, to make you, and those who collect your data, aware of its importance and of the responsibilities that come with it.
At the risk of getting too much into the nerd weeds, let me explain a few foundational tenets of cyber security. The shorthand objectives of cyber security are referred to as the “CIA Triad.”
This is not the CIA that most of us think of when we hear the term. The CIA Triad refers to “Confidentiality, Integrity, and Availability.” Let me explain just a little further, in reverse order.
Availability refers to the objective that authorized users are able to access the information when needed. For example, cyber security is meant to prevent a distributed denial-of-service (DDoS) attack against a website, or the encryption of data and the locking down of systems in a ransomware attack.
Integrity is the assurance that data has not been altered or corrupted. This would include an attacker modifying records for financial gain, such as making fraudulent transactions to an account.
Confidentiality is the assurance that unauthorized individuals are not able to gain access to information. For example, a ransomware attack steals information and then demands a ransom so the attacker will not release the information. Protections include firewalls, access control lists, encryption, and multi-factor authentication. (Notice that “passwords” is not on the list because that is a very weak control we need to remove from our comfort zone of protection.)
So, the purpose of Data Privacy Week is to focus on the importance of Confidentiality (and, to some extent, Integrity).
As with all areas of protection, it is the responsibility of the organization and the individual.
Your responsibility as the owner of your data includes being mindful of who you share your data with. Don’t post every nugget of your personal life online. Be sure to use unique passwords for every account (passphrases are better). Using a password manager makes it easier. Use multi-factor authentication (MFA) whenever possible. Keep your operating systems, software, apps, etc., updated, and use automatic updates to ensure patches are applied as soon as possible.
A recent study by European cellular provider Orange showed that only 20% of their users installed patches within 30 days of the release of the patch. This would be like refusing to take medication when you get sick. The solution is available. But it does no good if you do not use it.
As for organizations, they have a fiduciary responsibility to their customers, employees, and all stakeholders to protect their information. Not only is it the right thing to do, it is also good for business. If an organization has been hacked and personally identifiable information (PII) accessed, customers will lose faith in that organization. Reputation will suffer, and it may cause a loss of business or income. It could even cause an organization to go out of business. Organizations should employ good security practices and reassure their customers that they are protecting their interests. Policies that strictly manage access control (including least privilege and MFA), conducting network scans, using endpoint detection and response, making backups, doing pentests, and training staff to ensure a mature cyber security environment will all help to protect data and the organization’s future existence.
The security of your data is not only a matter of privacy but also a matter of protection. Once it’s gone, it’s gone.