Reinforcing Data Privacy Regulations

– Data security tips for working from home every company and employee should follow.

Data Privacy is a global educational initiative focused on raising awareness about the importance of protecting the privacy of personal information online. It is a collective effort by international organizations, individuals and businesses to respect privacy, safeguard data and enable trust.

A brief history of data protection

Data Protection Day commemorates the signing, on Jan. 28, 1981, of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is celebrated annually on January 28th and is designed to “inspire dialogue and empower individuals and companies to take action” on the way personal information is collected, stored and used. (Staysafeonline)

Data Protection – A brief timeline

What is Data Security?

Data security is one of the most difficult tasks for IT and infosec professionals and refers to the processes and practices that protect data from unauthorized access.
Similar to other approaches like perimeter security, file security or user behavioural security, data security is one method of evaluating and reducing the risk that comes with storing any kind of data.
Each year, companies of all sizes spend a sizable portion of their IT security budgets protecting their organizations from hackers intent on gaining access to data through brute force, exploiting vulnerabilities or social engineering.

The main elements of Data Security

The core elements of data security, also known as the CIA triad, are confidentiality, integrity, and availability. This is a security model and a guide for organizations to keep their sensitive data protected from unauthorized access and data exfiltration.

  • Confidentiality ensures that data is accessed only by authorized individuals;
  • Integrity ensures that information is reliable as well as accurate; and
  • Availability ensures that data is both available and accessible to satisfy business needs.

Why is data security important?

According to a report by the Ponemon Institute and IBM Security, the average cost of a data breach in 2019 was calculated at $3.92 million and in 2020 at $3.86 million. Having a remote workforce was found to increase the average total cost of a data breach of $3.86 million by nearly $137,000, for an adjusted average total cost of $4 million.
The average cost of a data breach in 2020 for big businesses was more than $150 million (BigCommerce).
High-profile companies such as Capital One, Evite and Zynga experienced data breaches that exposed more than 100 million customer accounts each (Techtarget). The average security incident in 2019 involved 25,575 accounts, according to the report. This is information that must be disclosed to customers, and organizations could potentially wind up as cautionary tales. In 2019, data breaches cost companies a total of 2 trillion dollars. (Juniper).
Ransomware and phishing are also on the rise. Both are considered major threats, and both are becoming more creative every day.
That is why companies must secure data so that it cannot leak out via malware or social engineering. Breaches are often costly events that end in multimillion-dollar class-action lawsuits and victim settlement funds. Cybercrime is estimated to cost the world $6 trillion annually by 2021 (Cybersecurity Ventures).
Sherri Davidoff, author of Data Breaches: Crisis and Opportunity, listed five factors that increase the risk (Techtarget) of a data breach: access; the amount of time data is retained; the number of existing copies of the data; how easy it is to transfer the data from one location to another – and to process it; and the perceived value of the data by criminals.

Understanding COVID-19’s Impact on data security

With the adoption and enforcement of the GDPR in 2018 and the possible “ePrivacy Regulation,” companies and institutions have increased their data awareness.
But COVID-19 has reshuffled the procedures for handling and processing personal data and has posed new systemic cyber risks in the work-from-home environment. Increased system stress and gaps in collaborative tools have led to increased vulnerability, as witnessed in numerous reports of higher levels of cyberattacks, including malware-laced email phishing, scammers posing as corporate help desks, and malware in COVID-19 information sites.
Many people are now using unsecured devices and internet communications with lower protection levels than those maintained in corporate or institutional networks. With workplaces closed and employees working from home, the IT departments of public and private institutions, SMBs, SMEs, and large enterprises have had to set up remote operations rapidly. They have faced completely new challenges, struggling with rapid and unplanned scaling-up of infrastructure and with less time to conduct risk assessments.
To ensure business operations, employers must provide security guidelines, restrict the use of private devices, recommend particular software applications, supply adequate password protection, as well as formulate instructions for protecting hardware and hard copies of documents. Employees need to be informed of the special technical features enabling secure remote operations and trained as needed in their use. The importance of security in working remotely needs to be stressed, and the VPN made mandatory.

At Avangarde Software we had to maintain the security of our systems, software, and data outside the centralized, well-controlled corporate network, while also meeting GDPR requirements.
We are providing our employees with laptops, mobile phones, and other necessary equipment to secure virtual-private-network (VPN) connections so that they may work remotely. We also provided employees with an array of other technical features to secure their networks. This includes patch and configuration management for relevant systems, multifactor identification and secure-access management, on-premise application security for remote access, device virtualization, capacity and security monitoring, and contingency resources (to limit the effects of failures and breakdowns).

How working from home affects data security

Whenever an organization creates a new way of accessing its data, it puts that data at greater risk. By necessity, many remote workers will have to move data (or devices that can access that data) into public spaces. And for hackers, stealing data off of home or public computers is a low-risk, high-reward operation.

Research shows that these are the main causes that affect data security:

  • Human error
    According to a study by IBM, human error is the main cause of 95% of cyber-security breaches. (Security Magazine) Human error means unintentional actions – or lack of action – by employees and users that cause, spread or allow a security breach to take place. 
  • Less secure environment
    When working remotely, you move away from a secure network environment with data protection measures in place. Most workplaces have installed firewalls that prevent or reduce the risk of third-party access to confidential data.
  • Sharing devices with family members
    Sharing work devices with anyone poses another risk to your data security. Even though family members do not intentionally compromise your work information, it could happen through the sites they visit, for example.

Did you know?

  1. A cyberattack occurs every 39 seconds (University of Maryland).
  2. On average, the cost of a data breach is $8.64 million. (IBM).
  3. An average of 4,800 websites per month are compromised with formjacking code (Symantec).
  4. 3 out of 4 small businesses say they don’t have the personnel to address IT security. (Fundera)
  5. The cost of cyber-attacks for small businesses is between $84,000 and $148,000. (USA Today)
  6. During the last three years, 93% of healthcare organizations were subjected to cyberattacks (Verizon)
  7. 47% of employees pointed out distraction as the reason for falling for phishing scams while working from home. (Tessian)
  8. Remote work has resulted in an increase in the average cost of a data breach by $136,974. (IBM)
  9. Scams increased by 400% over March 2019. This has made the COVID-19 pandemic the largest security threat ever. (ReedSmith)
  10. 500 thousand Zoom user accounts were compromised and sold on a dark web forum. (CPO Magazine)
  11. Every day 1,767 high-risk Coronavirus-themed domain names are created. (Palo Alto Networks)
  12. Stolen patient health records can be sold for over $60 per record. (CNBC)
  13. 24% of data breaches are caused by human error (IBM).
  14. Routers and connected cameras make up 90% of infected devices (Symantec).
  15. 75% of cyberattacks start with an email (fintech News)

Data security tips for working from home

Looking back at 2019 and all the challenges it brought, productivity has been steady at Avangarde Software, and we want to keep the work-from-home policy in place for the long term, naturally transitioning to a cultural mix of working remotely and coming back safely to the office.
One of the issues that remains most important to us is data security when working from home. Maintaining good data-security practices in the home office helps avoid some very real consequences.

Here are some tips about data security best practices that everyone can apply at home, to add more security to their remote work:

  • Follow your company’s security protocols
    This is the best way to protect data when working remotely. The essentials for a secure setup include two-factor authentication, intrusion prevention through managed IT services, and company-designated virtual private network (VPN) licenses.
    To ensure better data safety in the long run you can also: secure your home router, install the latest security patches on your software, use strong passwords and differentiate them across accounts.
  • Use work devices
    Using your work computer only for work-related activities reduces the risk of third-party access to sensitive information. Usually, the work device already has firewalls to improve data protection, and since most work devices only contain necessary applications, you are less likely to be exposed to malware and other cybersecurity threats.
  • Use a secured Wi-Fi connection or hotspot
    Try not to connect to public Wi-Fi or your neighbour’s open Wi-Fi when working remotely. Update the username and password of your Wi-Fi router from the default settings to a secure username and a strong, unique password. Most internet service providers can assist you in updating this.
  • No transfer of sensitive information
    Do not transfer company information to a personal device, such as a phone or laptop, via e-mail, USB, Dropbox, etc. Connect your home printer to your company-approved device if you need to print some documents.
  • Encryption
    Data encryption converts information into another form to prevent unauthorized access, and it can make a difference in keeping sensitive information safe from hackers.
    Check with your organization to see which encryption algorithm is in place to meet your enterprise security requirements.

Final thoughts

Each year, companies of all sizes spend a sizable portion of their IT security budgets protecting their organizations from hackers intent on gaining access to data through brute force, exploiting vulnerabilities or social engineering. Throughout this article are links that will help you learn more about the challenges related to securing sensitive data and maintaining customer privacy.
While working remotely may be convenient and even necessary, it creates some entirely new security challenges. Training a remote workforce on how to properly use videoconferencing technology, VPNs, and encryption is crucial to managing those risks. This is because the home environment and the tools that streamline remote work only make things easier for hackers.
A recent example is the 2020 Zoom attacks in which hackers stole 500,000 Zoom account passwords and sold them on the dark web. (CPO Magazine)
Cyberattacks and phishing are as common now as they have ever been, and new phishing methods arise every day.
That is why it is so important for companies to have a proactive security strategy in the workplace and to invest in security awareness training so that their employees are informed and know how to protect themselves and their organization’s assets from loss. Users working remotely must stay vigilant and follow security best practices.


References

  1. https://staysafeonline.org/data-privacy-day/about-dpd/
  2. https://securityboulevard.com/2021/01/data-privacy-day-understanding-covid-19s-impact/
  3. https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/
  4. https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
  5. https://www.mckinsey.com/business-functions/risk/our-insights/covid-19-implications-for-business
  6. https://www.mckinsey.com/business-functions/risk/our-insights/privacy-security-and-public-health-in-a-pandemic-year#
  7. https://www.jdsupra.com/legalnews/best-privacy-and-security-practices-79716/
  8. https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html
  9. https://www.gosquared.com/blog/evolution-of-password-security
  10. https://blog.codinghorror.com/your-password-is-too-damn-short/
  11. https://blog.codinghorror.com/welcome-to-the-internet-of-compromised-things/
  12. https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
  13. https://www.ryanpickren.com/webcam-hacking-overview
  14. https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/
  15. https://jameshfisher.com/2019/04/27/the-inception-bar-a-new-phishing-method/