5 Best Practices for Companies Serious About Data Privacy

If you caught this month’s earlier blog, you’ll know that Yubico is partnering with the National Cybersecurity Alliance to support Data Privacy Day, which takes place on January 28. Protecting privacy is one of the main end goals of a security program. It’s incredibly important to us at Yubico to empower and educate individuals and businesses on the best ways to stay safe online.

Our first Data Privacy Day blog focused on the individual user. It outlined some of the most common ways internet credentials are stolen, and an easy solution to protect against them. In the second blog of our two-part Data Privacy Day series, we take a closer look at how a security program supports your company’s data privacy initiatives.

Companies who take data privacy seriously have five things in common. If you are advocating for better data privacy in your organization, you want to start with a security program that supports these efforts. Such a program has a few common characteristics.

Leadership buy-in

Prioritizing the protection of data and systems starts at the top. The entire executive team, including the CEO and the Board, must know that security is a key priority for your organization. Otherwise, when it comes to allocating finances and resources, security will take a back seat.

This can seem daunting, but it’s actually becoming less difficult to receive this sort of leadership buy-in. For those who ever need a good selling point, just look at the volume and tone of press coverage after some of the most recent data breaches.

A person responsible for security and privacy

Explicitly identify and designate one individual who is responsible for overall security and privacy at the company. This means building out a C-level position to own all aspects of security and privacy, as well as legal and compliance risks. Not only will this ensure that there is a holistic, comprehensive approach to the security and privacy strategy, but it will also help further leadership buy-in by giving security a seat at the executive table and decision-making process. By having security and privacy at the company leadership level, the group can better work with the business by planning for organizational initiatives rather than being surprised by them.

A culture of security and privacy

It’s no surprise that a lot of security and privacy incidents within an enterprise are related to human errors. With tight deadlines and busy schedules, it can be attractive for ambitious, well-intentioned employees to cut corners, and security is usually one of the first areas to take a hit. Reusing passwords, using easily-guessed passwords, sharing credentials, leaving work devices unattended or unlocked, and mistakenly clicking on malicious links are just a few common employee practices that result in breaches. Employees have a job to do, and if security hinders them rather than helps them, they will work around controls they don’t understand.

Companies that take security and privacy seriously run programs that are designed to ensure every employee knows, understands, and follows company security and privacy protocols. These programs also have clear expectations and consequences for failure to abide by the policies. To be clear, this doesn’t—and shouldn’t—mean leading with fear. It means taking the time to educate different groups of people about the negative impact a data breach could have on revenue, safety, and overall company health and reputation. The best security and privacy teams focus on enabling employees to do their best work by enabling them to do security right.

Clear processes and policies

Having a good governance framework won’t matter if users aren’t familiar with the processes and policies involved. After all, it’s important to ensure that the plan can actually be implemented.

It’s also critical to know how to measure the success of the program. The ability to demonstrate the return on investment (ROI) for security products and services is invaluable to CEOs and the Board. Return on mitigation (ROM) is another valuable metric. This shifts the conversation from the potential losses of risk as business gains by calculating how much would not be lost through effective mitigation.

An incident response plan

While no company wants to deal with a data breach, companies that prepare for doing so before it happens weather the storm better. After you get compromised is a terrible time to draft the notification to the board and your customers, and is just as bad for figuring out how to determine what happened and stop it.  A clear, and tested, response plan helps all parties involved know what to do, what their role is, and how to communicate internally and externally.

At Yubico, we are experts at authentication—trusted by millions all around the globe to guide them through securing access to devices, networks, and web applications. That’s because we drive innovation and have modernized strong authentication, making strong two factor authentication (2FA) easy to use, all while reducing IT costs.

Don’t forget, Data Privacy Day is happening on January 28, and we welcome you to join in the movement! Start now by helping to educate and empower individuals and businesses on becoming #PrivacyAware. For additional tips on how to improve online safety, read more here.

Talk to our teamTalk to our team

Share this article:


  • Digital security’s unique role in protecting our environmentAs sustainability expands to include social, economic, and technological challenges, cybersecurity has emerged as a top global threat – with cybercrime projected to cost $12 trillion this year. Stolen credentials and phishing account for 80% of breaches. At Yubico, making the world more secure is just part of how we care for the world around […]Read moreCSREarth DaySecure It ForwardSustainability
  • Breaking down Australia’s plan to combat AI-driven phishing scamsAcross Australia, cybercrime continues to be a major challenge impacting businesses, critical infrastructure and consumers alike. The use of AI by bad actors across the spectrum of cybercrime is on the rise, and as a result, credential phishing scams are becoming increasingly sophisticated. AI is effectively helping to lower the cost of phishing and increase […]Read moreAIAPACAustraliaphishing
  • 5 fast cybersecurity tips to clean up your digital lifeWith today being Identity Management Day, now is the perfect time to take stock of your online presence, update security settings, and ensure that your personal data remains protected from cyber threats like phishing. We’re also seeing increasing concerns of DeepSeek and other AI tools around data privacy making these kinds of attacks more successful […]Read morebest practices
  • surface blog crownMicrosofts Surface Pro 10 möjliggör NFC-baserad lösenordsfri inloggning med YubiKeys, för företagDra fördel av det långvariga samarbetet mellan Microsoft och Yubico genom att distribuera YubiKeys tillsammans med den nya Surface Pro 10 enheten för ditt företag. Read morenfcpasswordless