Increased Data Usage = Increased RiskWith the increasing popularity of smart phones, conducting online transactions, and social media, the amount of data that gets collected and stored each day is truly astounding. It is estimated that 2.5 quintillion bytes of data are created each day as of 2018 – a number that is tough to fathom and only predicted to increase. While hackers are seizing on the opportunity to exploit this influx of data, data security is struggling to keep up. Personal data, company data, and even government and infrastructure data are all vulnerable to breaches.Cost of Insecure DataThe most recent estimate from whitehouse.gov puts the cost of malicious cyber activity on the U.S. economy between $57 billion and $109 billion in 2016. In 2017 alone, the Identity Theft Research Center reported 1,339 cases of data breaches in which consumers’ personal data was jeopardized. Some high-profile cases from the past decade include:Yahoo in the largest (reported) breach of all-time, jeopardized contact information and the answers to security questions and passwords for 3 billion users. Yahoo faced additional public scrutiny for allegedly being aware of the vulnerability for several years. This breach impacted Yahoo’s deal to be acquired by Verizon, ultimately taking $350 million off the sale price.An application vulnerability on an Equifax website compromised personal information for 148 million consumers who are potentially vulnerable to future credit and identify thefts.Due to a data breach Target jeopardized the credit card numbers of an estimated 110 million customers at an estimated cost of $162 million.In the largest data breach in healthcare history, Anthem had nearly 80 million of their customers’ personal data stolen.The Republican and Democratic National Committees and the Pentagon have all been subject to data breaches.Aside from a hit to the stock price and reputation of these entities, Wall Street has certainly taken notice. The main cybersecurity ETF (HACK) has increased by nearly 40% since its inception in 2015. The Business Insider Intelligence estimates $655 billion will be spent on cybersecurity between 2018 and 2020. With so many affected people and companies, governments are now beginning to take action on data security as well.General Data Protection Regulation (GDPR)GDPR is the European Union’s answer to data privacy regulation. Enacted in May 2018, the aim of GDPR is to protect EU citizens from data breaches. GDPR hopes to succeed by enacting the following key components:Increased Territorial Scope: Applies the same GDPR regulations to companies that handle data of EU citizens regardless of where the transaction occurred or nationality of the company.Penalties: Up to 4% annual revenue or €20 Million for non-compliant companies.Consent: Processing personal data is generally prohibited unless consent is given. The form in which consent is given must be presented in a clear and legible fashion.Breach Notification: If there is a data breach of personal data customers are required to be notified within 72 hours. It took Equifax several months.Right to be Forgotten: Gives customers the ability to have their personal data deleted if they no longer want to be known by a company.Privacy by Design: This calls for data security measures to be built in from the beginning of a system development (instead of adding on at the end) and requires the company controlling the data to hold and process only the data absolutely necessary for the completion of its duties. This one will likely have to play out in the courts but the intent is clear, make data security a priority and minimize amount of personal data when possible.If the US took data security this seriously years ago, a lot of the major hacks previously discussed (and others) could have been limited or prevented entirely. Facebook CEO Mark Zuckerberg, who has recently come under fire for data security, said, “I think the GDPR in general is going to be a very positive step for the internet.” GDPR compliance may cause some short-term headaches for CIOs and their IT departments, but it is generally viewed as a positive step forward for privacy and data security.Data Security in the U.S.The U.S. does not currently have plans to implement similar regulations. Outside of some financial and health care regulations, data security is in large part left up to individual companies. Many companies meet bare minimum security requirements and apply band-aides after the fact in the event of a security breach. Customers in the U.S. still expect their data to be protected, so companies should make data security a top priority before, during, and after the implementation of any system or procedure.Data Security Best PracticesTo prevent data breaches entirely is very difficult, but following these practices will help minimize risk and vulnerabilities:Create an adequate budget: Identify the value of the company’s data, the current state of cybersecurity and potential threats, and the total potential cost if the data is jeopardized. This will help to justify an adequate budget for data security.Create a formal organizational-wide data security policy and conduct training: Every member of a company (and subcontractors) should be trained and understand the same security practices.In the Anthem hack, all it took was one employee from a subsidiary to open a phishing email that granted hackers access to the entire data warehouse. Proper training on how to spot phishing emails could have potentially prevented this. Data access restrictions: Limit employee access to critical data whenever possible.Backup and update: Data backups are potentially useful while conducting upgrades, and they provide a failsafe in the case of ransomware attacks. Malware typically exploits older versions of software, so upgrading to new versions buys you time from potential threats.Strict authentication methods: Two factor authentication and password policies regarding length, characters, automatic resets, and never sharing via email are all recommended methods. While perhaps obvious, changing all default system passwords is important.More training: Employee error, whether caused by laziness or negligence, is the number one cause of data breaches. All new employees should be trained on the company’s security policy, and company-wide training should be re-conducted annually. The ultimate key to protecting data lies with individual employees. Employees should understand the risk involved with handling of data, and no company should tolerate shortcuts around security.Staying Dedicated is KeyThe never-ending fight to keep data safe can feel like an arms race against hackers. A new security patch is created, and then new Malware is created to exploit it. There is no easy answer to solve this battle, but implementing the procedures highlighted in this post will greatly reduce the potential for data breaches. Data security ultimately falls on the shoulders of individual employees, and it is up to all of us to be educated and proactive in the fight for privacy.
