Survey after survey shows it: Both consumers and employees question privacy on enterprise networks. For example, TRUSTe, a global data privacy management company, found that consumer trust has hit a three-year low. A GFI Software survey found that employees worry about identity theft within their company.
However, while the concerns themselves aren’t new, the survey results are showing a new trend, said Barry Shteiman, director of Security Strategy at Imperva:
This new awareness is because many breaches in the past two years have resulted in the leakage of private information, and for that reason it became top-of-mind. However, this is a problem that has existed since the birth of data systems decades ago. That being said, the concern is real – breaches that risk business and private user information, such as their Social Security numbers, credit card information and other details create the risk of identity theft, and financial loss.
It isn’t just breaches that are the problem, Renee Bradshaw, senior solutions manager at NetIQ, added:
With the hyper-focus on the NSA spying scandal, the Target breach, and most recently, the Heartbleed bug, it’s no wonder that many Americans are very concerned about data privacy. The prospect of having your most private information bared for all to see, or of having your personal wealth plundered by the “bad guys,” has become a real possibility – a part of public consciousness. Understandably, there is fear, and not without merit.
Now that consumers and employees are both growing more vocal about the risks involved, it is time for enterprise to start understanding how data leaks occur and addressing privacy concerns.
Click through to gain a better understanding of the issues surrounding privacy, as well as steps organizations can take to mitigate the risks and impacts associated with these concerns.
How information leaks
According to Shteiman, data privacy leaks happen due to either malicious intent or accidental errors that are almost always the result of the biggest security risk in the world: mankind. He said:
The concept is simple, data can be exposed either in a malicious way via a hacking technique, a physical theft of a device (like a laptop or a paper folder), or exposure can be threatened as a means of extortion. It can also happen by accident (remember the famous story about the FBI agent losing his laptop in a taxi?).
Another “use case” for privacy leaks is the employee that keeps copies of “his work” on a flash drive, a Dropbox or any other storage format, and then that employee keeps this data even after he/she leaves their current job. They may take company IP or sometimes – perhaps inadvertently or perhaps not — private information on customers with them to that new job.
Bottom line is that more than 43 percent of individuals in North America have been targets of Web-based threats launched at users’ computers while browsing the Internet. Phishing, spear phishing, water holing, ransomware, and unpatched application vulnerabilities all present very real threats to today’s users, said Mark Bermingham, director, regional B2B product marketing with Kaspersky Lab.
Who is responsible for leaking data?
While hackers and some malicious employees are certainly responsible for leaks, unsuspecting end users can also cause data leaks, said Bermingham:
Even the most robust security posture must be augmented with employee training to ensure they are made aware of the threat landscape and what they can do to ensure effective security.
Even with better education, it is getting more difficult to outsmart the bad guys, who are becoming more and more sophisticated. Clouds and corporate networks are also under siege by cyber criminals and hackers because of the valuable information that they contain, said Gerry Grealish, CMO at Perspecsys, adding that multi-tenant clouds, in particular, are a prized target, because they “aggregate” data from a variety of sources and business and are quite valuable as a result.
Cyber attacks of today are constantly morphing and shift-changing, coming at your organization from angles – and people – you weren’t expecting, Bradshaw explained. You no longer know with any certainty whether any given activity or event within your IT infrastructure is harmless and appropriate, or the precursor of a damaging cyber attack. Perhaps even more disconcerting is not knowing the intent of the person or persons behind that activity or event.
Controlling privacy is all about controlling access. As Mike Lloyd, CTO at RedSeal Networks, pointed out:
It’s a tempting business shortcut to just pile up data and worry about security or access controls down the road. This lazy approach is what gets a company to be front page news – after they are breached. The examples are plentiful. Businesses all need to realize (as many do) that customer data is a privilege and a responsibility – and it must be segmented off, and not treated the same as, for example, routine business email. Segmentation and control is difficult, especially in a complex and changing IT environment, but it’s essential to keeping the trust of your customers, patients or citizens.
Access control tools include identity and access management (IAM) products that should be deployed within the company, encryption for data at rest, and regular audits to ensure access control is working.
Effective strategies to control privacy
Integrating security in the product from the start, rather than trying to bolt it on after the fact, is most effective in ensuring privacy, according to Jean Taggart, senior security researcher at Malwarebytes. This means ensuring the developers are implementing proper, secure coding practices from the start.
Segmentation and access control are also key. These can occur at several levels, starting with “zone defense” – keeping precious data in a separate network zone, limiting all traffic in and out, and monitoring that traffic at key choke points so you can detect anomalies, Lloyd said. There are higher levels – applying “least privilege” designs in applications, for example. But the most fundamental level is to delineate a zone where precious information resources are kept, and where special rules apply. This helps at the technical level, limiting the attack surface, but also helps the people involved remember that they are dealing with a special, protected resource.
Most importantly, we need to get out of the rut of using traditional methods of protecting sensitive data because they no longer work in today’s IT environment, Bradshaw added. This is because of the growth of so many endpoints, such as mobile devices, social networks and the cloud. With so many users and a myriad of access points to our networks, perimeter-based defenses such as firewalls, a traditional approach, cannot keep up with the evolving methods of attack.
The problem with Big Data
Companies have lot of information about their customers, their employees, their consultants – anyone who has had contact with a company leaves some type of electronic footprint. Often that information is personally identifiable information (PII), such as full names, birthdates, Social Security numbers or financial data. But according to an InformationWeek article, consumers, especially, aren’t always informed on how that data is being used or whether or not they can opt out of having their PII used by the company.
Big Data means big risk, said Lloyd, even when it is accumulated by the companies we want to do business with. The sheer amount of data collected and stored is often difficult to manage and, unfortunately, some companies don’t realize just how much that information is worth. Lloyd said:
These unprecedented data mountains are a very tempting target to those who want to abuse data. Once upon a time, thieves robbed banks, because that’s where the money was. In the information economy, the databases are where today’s valuables reside.
A survey by Enterprise Management Associates found that more than half of all employees lack security training that could help prevent data breaches. Regular employee training is critical to augment security capabilities, said Bermingham. This cannot be a one-time training as turnover and regular reinforcement of employees’ responsibilities are important. Helping them to recognize phishing attempts and reinforcing not opening attachments from unknown senders are baseline considerations.
Employees should understand the risks involved in a data breach. That includes understanding penalties and fines to the business and the potential impact on the company’s reputation and brand.
Steve Pate, chief architect at HyTrust, added that employees need a rigid set of controls that should be put in place so simple mistakes cannot be made. Also, it is all employees at every level that need to be held responsible for better security. Pate stated:
Auditing of administrator actions often reduces malicious actions or simple mistakes that can be catastrophic for an organization – financially or by reputation. Have a set of processes in place and have those processes adhered to. Have internal and external auditors review the processes for correctness.
Transparency key when dealing with customers
The best way to address the concerns around privacy is to achieve more transparency in such a way that the users actually understand what is being done with their data. Sorin Mustaca, IT security expert with Avira, stated:
In regards to the protection of the PII, the companies must show users that they are in control of the data and in the same time they are able to explain to the users how their data is safeguarded. Most of the users are either not able to understand or don’t want to understand how security is achieved. They just want to know that the companies that have their data are doing whatever is feasible to secure their data.
Mustaca went on to say that the biggest problems today in regards to privacy and security are related to the way these complicated concepts are brought to the average user. When a company is able to explain when a customer has questions, and the more honest the company is when a breach does occur, trust is built.
Other steps to relieving customer fears of privacy erosion
Consumer trust is a valuable commodity in the business world. It is difficult to earn, but it can be wiped out in an instant. Part of the fallout from its data breach, for example, was the loss of trust consumers had in Target. But Target also did little to gain the confidence of its customers as the retailer slowly trickled out the details of the breach, every news update sharing more devastating news. That’s why businesses need to be proactive and respond quickly when a breach does happen. Said Bradshaw:
Communication is key. For example, in the wake of the Heartbleed bug, several companies have been aggressive in putting forth statements that indicate whether or not their products could potentially be affected by the bug. This should become a standard practice when major events occur.
Also, businesses can be more transparent in the way they communicate their privacy practices, Bradshaw added. For example, stating explicitly what privacy and data protection mandates they adhere to and what has been their rate of audit success.
Finally, companies should be forthright in explaining that following compliance regulations doesn’t go hand-in-hand with privacy and security applications. Enterprise needs to take the extra step to assure consumers that their privacy is taken seriously.