Up until now, you might not have heard of Data Privacy Day, which occurs annually on Jan. 28. Since its inception in 2007, the goal of this annual event has been to raise awareness among businesses and individuals of the importance of protecting personal data.

While the highly publicized theft in 2017 of 145 million records from Equifax, an Atlanta-based credit reporting agency, triggered outrage, it's unfortunately just one of many. According to the Identity Theft Resource Center (ITRC), as of Nov. 7, 2017, there had been 1,202 breaches in the public and private sector in 2017, resulting in the exposure of nearly 172 million records.

Given the number and severity of these data breaches, now may be the time to add this date to your calendar and use the occasion to help improve how your organization protects its data.

Making it More Difficult for Cybercriminals

While many data breaches involve sophisticated attackers with the ability to overcome multilayered security programs, oftentimes, cybercriminals are simply taking advantage of a glaring weakness in how businesses protect their networks. With that in mind, here are five things your HR team can do to help thwart potential attacks before they happen.

1. Reevaluate your cybersecurity training program

Make sure that new and existing employees participate in cybersecurity training on an annual basis, and preferably more often than that. Additionally, if you've not refreshed the training for several years, consider doing so. The threat landscape changes extremely quickly, and training that discusses yesterday's threats wastes valuable time. You should also strive to make the training relevant to your employees by including examples that use your organization's products, services and terminology.

2. Evaluate the effectiveness of data policies and procedures

Your employee handbook should include a section dedicated to data privacy and protection. Review that section to confirm that it encapsulates your organization's approach and expectations of employees. Errors and omissions may cause employees to disregard a policy or procedure. Confirm that the policies and procedures match reality. For example, if the policy requires employees to change their password every 90 days, make sure that is what actually happens in practice.

3. Revisit the employee separation process

Cybercriminals often gain access to an organization's data by taking advantage of seemingly minor mistakes, such as the failure to delete a previous employee's access credentials. In partnership with your IT security department, confirm that the login credentials for separated employees no longer exist. Further, make sure that a process exists to delete system access credentials for employees who leave the organization in the future.
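
One way to run the check in step 3, as an added example that is not part of the original article: a Python script that compares an HR separation roster with an account inventory and lists every account that still exists for a separated employee. The CSV column names, the sample rows and the function name `find_leftover_accounts` are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data): HR separation roster and account inventory.
HR_SEPARATIONS = """employee_id,email,separation_date
1001,Dana.Reyes@example.com,2017-09-15
1002,li.wei@example.com,2017-11-30
1003,sam.osei@example.com,2017-06-01
"""
ACCOUNTS = """system,username,email,enabled,last_login
directory,dreyes,dana.reyes@example.com,true,2017-10-02
vpn,dreyes,dana.reyes@example.com,false,2017-09-10
crm,lwei,li.wei@example.com,true,2017-11-01
crm,sosei,SAM.OSEI@example.com,true,
payroll,kpatel,k.patel@example.com,true,2017-11-05
"""


def find_leftover_accounts(hr_csv, accounts_csv, as_of):
    """Return (system, username, status) for accounts of already-separated employees."""
    separated = {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        sep_date = date.fromisoformat(row["separation_date"])
        if sep_date <= as_of:  # future-dated separations are not yet due
            separated[row["email"].strip().lower()] = sep_date

    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        # Match on lower-cased email so case differences between systems do not hide accounts.
        sep_date = separated.get(acct["email"].strip().lower())
        if sep_date is None:
            continue  # current employee, or not on the HR roster
        last_login = acct["last_login"].strip()
        if last_login and date.fromisoformat(last_login) > sep_date:
            status = "used after separation"  # highest priority: investigate
        elif acct["enabled"].strip().lower() == "true":
            status = "enabled"
        else:
            status = "disabled, not deleted"
        findings.append((acct["system"], acct["username"], status))
    return findings


if __name__ == "__main__":
    for system, user, status in find_leftover_accounts(HR_SEPARATIONS, ACCOUNTS, date(2017, 11, 7)):
        print(f"{system:10} {user:8} {status}")
```

Running the same comparison on a schedule, with fresh exports from HR and from each system, covers the second half of the step: confirming that the removal process keeps working for future departures.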

4. Reverse engineer data breaches at other organizations

When a breach happens at another business, take the time to understand how it happened. Then, determine whether your organization could succumb to the same type of attack. For example, if cybercriminals took advantage of a security weakness in a software package your organization uses, make sure your IT department has deployed the latest security patch.

5. Test your defenses

Despite your best efforts to fend off a cyberattack, sometimes, the best way to determine the effectiveness of your defenses is to simulate an attack. Penetration testing involves a security consultant mounting a simulated cyberattack to test an organization's defenses. At the conclusion of the exercise, the consultant provides its assessment of your organization's security program, including the controls that worked well and those that failed.

From Jan. 1, 2005 through Nov. 7, 2017, ITRC identified 8,099 breaches resulting in the exposure of more than 1 billion records. Staying off of ITRC's list requires a willingness to continually evaluate and evolve your defenses in response to changes in the tools and tricks that cybercriminals use to steal data.
