Global data privacy is a growing concern as technology advances and more personal information is shared online. Organisations have a responsibility to secure personal information, to prevent data breaches by implementing appropriate measures, and to maintain the privacy of individuals' information.
A data breach can have serious consequences for individuals, organisations, and industries, including financial loss, reputational damage, and legal liability. Although there are many factors that contribute to data breaches and cyberattacks, a recent study by the World Economic Forum, The Global Risks Report 2022, finds that 95 per cent of cybersecurity incidents occur due to human error and employee negligence.
Data breaches due to employee negligence commonly occur because of a lack of proper security and privacy training. Many organisations fail to provide regular training to their employees on how to identify and prevent potential security threats. It is important to implement technological solutions such as multi-factor authentication, data loss prevention, and security information and event management to detect and prevent breaches caused by employee negligence.
It is more important now than ever to ensure that all employees are cognizant of privacy and security issues. With employees increasingly working remotely and using non-approved devices, establishing a Zero Trust framework is critical. According to a recent report by Okta, in 2022, 55 per cent of critical infrastructure organisations said that they have a Zero Trust initiative in place, and 42 per cent say they will implement one in the near future.
The principle of least privilege is at the heart of this framework: users are granted access to the fewest resources for the shortest time required to complete a task. IT personnel should assume that every access request has been compromised until proven otherwise. Furthermore, IT personnel should authenticate users based on their identity, location, and device health while keeping an eye out for any unusual or anomalous behaviour.
All Employees Should Embrace Zero Trust Mindset
Having a Zero Trust mindset is just as important as implementing a Zero Trust framework in an organisation. Employees should be cautious of emails and phone calls from unknown sources, and any unauthorised IT devices, software, and services should be reported to IT personnel. This applies to all employees, including those in leadership positions, as they are the ones often targeted by cybercriminals. To prevent privilege abuse, it is essential to instil a Zero Trust mindset in privileged users and consider recording privileged sessions to monitor their activities on critical systems. However, the key to overall data privacy and security is not only about monitoring employee actions but also fostering a culture of Zero Trust amongst all employees.
Assign Data Privacy Scores To Hold Employees Accountable
Companies typically hold mandatory courses on privacy and security, followed by quizzes to test employee understanding. However, training alone is not enough; it's important to hold employees accountable, and that's where data privacy scores come in. Data privacy scores are measured and assigned after evaluation, based on essential technical and behavioural parameters. These scores provide evidence for internal audits, support gamification and adaptability, and help the organisation move towards standardisation. While the scoring criteria would vary depending on the individual's position within the company, there are some fundamental factors every employee should be evaluated on.
In addition, there are role-specific safeguards and competencies that will affect the team's final score. The individual and team scores can be made visible to all employees on an internal forum, which promotes accountability among teams. Additionally, it is important for organisations to place emphasis on the fundamental principles of data security, such as confidentiality, integrity, and availability, as well as train employees on how to practically comply with various laws and regulations.
It is crucial for employees to keep the basic data protection principles in mind—such as purpose limitation, lawfulness, transparency, and data minimisation—while creating new processes and carrying out their usual activities. It's also important to establish a culture of openness in the organisation, where employees are encouraged to report any suspicious activity or potential security breaches.
Focus On Data Minimisation
Data minimisation is a crucial aspect of data privacy that involves collecting and storing only the minimum amount of data necessary for a specific purpose. By collecting less data, organisations can reduce the risk of data breaches. Along with limiting the amount of data collected, strict access controls should be implemented to control who can view and handle the data. Data deletion and retention are also crucial elements when it comes to data minimisation. Even if the data is adequately secured and is not being misused, keeping it beyond the necessary duration is considered unethical and can even be punishable by law in some countries.
Data minimisation can be achieved by implementing role-based access controls, giving access to sensitive data for a predetermined timeframe, regularly reviewing access privileges, and revoking access when necessary. Additionally, organisations should consider implementing data encryption and anonymisation techniques to further protect the data they do collect.
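The time-bound, role-based access pattern described above, as an added example that is not from the original article: grants are issued only for roles entitled to a resource, expire after a predetermined number of hours, and are swept by a periodic review. The role-to-resource policy, the user names and the reference time are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed reference time so the example is deterministic.
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

def later(hours):
    """Return a timestamp `hours` after NOW (helper for the example)."""
    return NOW + timedelta(hours=hours)

@dataclass
class Grant:
    user: str
    role: str
    resource: str
    expires_at: datetime

@dataclass
class AccessRegistry:
    # Which roles may touch which sensitive resources (constructed sample policy).
    role_permissions: dict
    grants: list = field(default_factory=list)

    def grant(self, user, role, resource, hours, now=NOW):
        """Issue a time-bound grant; refuse anything the role is not entitled to."""
        if resource not in self.role_permissions.get(role, set()):
            raise PermissionError(f"role {role!r} may not access {resource!r}")
        g = Grant(user, role, resource, now + timedelta(hours=hours))
        self.grants.append(g)
        return g

    def is_allowed(self, user, resource, now=NOW):
        """Access is allowed only while an unexpired grant exists."""
        return any(g.user == user and g.resource == resource and g.expires_at > now
                   for g in self.grants)

    def revoke(self, user, resource):
        """Manual revocation, e.g. when a task finishes early or a user changes team."""
        before = len(self.grants)
        self.grants = [g for g in self.grants
                       if not (g.user == user and g.resource == resource)]
        return before - len(self.grants)

    def review(self, now=NOW):
        """Periodic access review: drop expired grants and return them for the audit log."""
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        return expired
```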
To protect sensitive information, organisations should make data minimisation a key consideration when developing data privacy policies and procedures. It is also essential for employees to have a thorough understanding of the principles that underlie data privacy laws, as new regulations are always being introduced. Another important principle is privacy by design, which encourages employees, particularly designers and developers, to proactively consider and address potential privacy and security issues in the products and services they create. By focusing on these fundamental principles, employees will be better equipped to comply with new laws and regulations as they are introduced.
Embed Contextual Hooks In Software Tools
Contextual reminders within applications can be an effective way to increase employee awareness of privacy and security issues. For example, a chatbot that pops up with a message when an employee shares personal information (such as names, emails, or phone numbers) reminds them of the importance of protecting it. These reminders can also be programmed to prevent data sharing, if necessary. This form of contextual learning allows employees to learn about privacy and security in real time, in a real work environment, and over time they can gain a strong understanding of these issues. It's important to note that security and privacy awareness should be ongoing, and contextual hooks within applications should be updated frequently to keep employees informed and aware.
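A minimal contextual hook of the kind described above, as an added example that is not from the original article: it scans an outbound message for emails and phone numbers, shows a reminder on internal channels and blocks sharing on external ones. The channel names, the regular expressions and the sample messages are constructed; name detection would need an entity recogniser and is left out.

```python
import re
from dataclasses import dataclass, field

# Patterns for two of the personal-data types the article names (emails, phone numbers).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 10-15 digits with optional spaces/dashes, e.g. "020 7946 0958" or "+1 555-123-4567".
# Deliberately broad: it will also flag long numeric IDs, the usual DLP trade-off.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d[ -]?){9,14}\d(?!\d)")

@dataclass
class HookResult:
    action: str                                   # "allow", "remind" or "block"
    findings: list = field(default_factory=list)  # (kind, matched text) pairs
    message: str = ""                             # text the pop-up would show

def contextual_hook(text, channel, block_external=True):
    """Scan an outbound message before it is sent.

    channel: "internal" or "external" (constructed labels). Internal sharing
    gets a reminder; external sharing is blocked when block_external is set.
    """
    findings = [("email", m) for m in EMAIL_RE.findall(text)]
    findings += [("phone", m.strip()) for m in PHONE_RE.findall(text)]
    if not findings:
        return HookResult("allow")
    kinds = ", ".join(sorted({k for k, _ in findings}))
    if channel == "external" and block_external:
        return HookResult("block", findings,
                          f"Sharing blocked: this message contains personal data ({kinds}). "
                          "Use the approved secure channel instead.")
    return HookResult("remind", findings,
                      f"Reminder: this message contains personal data ({kinds}). "
                      "Share only what the recipient needs for their task.")
```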
According to a recent study by ManageEngine, 58 per cent of business decision-makers still hold the IT and security teams responsible for protecting the organisation from cyberattacks. IT decentralisation is crucial for organisations to prevent data breaches, as it helps to distribute and compartmentalise sensitive information. By breaking data up into smaller, more manageable pieces, it becomes more difficult for cybercriminals to access and exploit large amounts of sensitive data.
Despite providing mandatory information security and privacy education, companies may still be vulnerable to cyberattacks. Simply providing education is not sufficient. To ensure the security of sensitive information, it's crucial to encourage employees to adopt a Zero Trust mindset and to hold teams accountable through data privacy scores and by placing contextual reminders within software tools. To make data privacy and security a priority, it should be a constant concern for employees, fully embedded in the company culture.
By incorporating these strategies, companies can promote the development of good security and privacy habits, and make data privacy and security a natural part of employees' work.