5 Best Practices for Companies Serious About Data Privacy

January 26, 2018 5 minute read

If you caught this month’s earlier blog, you’ll know that Yubico is partnering with the National Cybersecurity Alliance to support Data Privacy Day, which takes place on January 28. Protecting privacy is one of the main end goals of a security program. It’s incredibly important to us at Yubico to empower and educate individuals and businesses on the best ways to stay safe online.

Our first Data Privacy Day blog focused on the individual user. It outlined some of the most common ways internet credentials are stolen, and an easy solution to protect against them. In the second blog of our two-part Data Privacy Day series, we take a closer look at how a security program supports your company’s data privacy initiatives.

Companies who take data privacy seriously have five things in common. If you are advocating for better data privacy in your organization, you want to start with a security program that supports these efforts. Such a program has a few common characteristics.

Leadership buy-in

Prioritizing the protection of data and systems starts at the top. The entire executive team, including the CEO and the Board, must know that security is a key priority for your organization. Otherwise, when it comes to allocating finances and resources, security will take a back seat.

This can seem daunting, but it’s actually becoming less difficult to receive this sort of leadership buy-in. For those who ever need a good selling point, just look at the volume and tone of press coverage after some of the most recent data breaches.

A person responsible for security and privacy

Explicitly identify and designate one individual who is responsible for overall security and privacy at the company. This means building out a C-level position to own all aspects of security and privacy, as well as legal and compliance risks. Not only will this ensure that there is a holistic, comprehensive approach to the security and privacy strategy, but it will also help further leadership buy-in by giving security a seat at the executive table and decision-making process. By having security and privacy at the company leadership level, the group can better work with the business by planning for organizational initiatives rather than being surprised by them.

A culture of security and privacy

It’s no surprise that a lot of security and privacy incidents within an enterprise are related to human errors. With tight deadlines and busy schedules, it can be attractive for ambitious, well-intentioned employees to cut corners, and security is usually one of the first areas to take a hit. Reusing passwords, using easily-guessed passwords, sharing credentials, leaving work devices unattended or unlocked, and mistakenly clicking on malicious links are just a few common employee practices that result in breaches. Employees have a job to do, and if security hinders them rather than helps them, they will work around controls they don’t understand.

Companies that take security and privacy seriously run programs that are designed to ensure every employee knows, understands, and follows company security and privacy protocols. These programs also have clear expectations and consequences for failure to abide by the policies. To be clear, this doesn’t—and shouldn’t—mean leading with fear. It means taking the time to educate different groups of people about the negative impact a data breach could have on revenue, safety, and overall company health and reputation. The best security and privacy teams focus on enabling employees to do their best work by enabling them to do security right.

Clear processes and policies

Having a good governance framework won’t matter if users aren’t familiar with the processes and policies involved. After all, it’s important to ensure that the plan can actually be implemented.

It’s also critical to know how to measure the success of the program. The ability to demonstrate the return on investment (ROI) for security products and services is invaluable to CEOs and the Board. Return on mitigation (ROM) is another valuable metric. This shifts the conversation from the potential losses of risk as business gains by calculating how much would not be lost through effective mitigation.

An incident response plan

While no company wants to deal with a data breach, companies that prepare for doing so before it happens weather the storm better. After you get compromised is a terrible time to draft the notification to the board and your customers, and is just as bad for figuring out how to determine what happened and stop it.  A clear, and tested, response plan helps all parties involved know what to do, what their role is, and how to communicate internally and externally.

At Yubico, we are experts at authentication—trusted by millions all around the globe to guide them through securing access to devices, networks, and web applications. That’s because we drive innovation and have modernized strong authentication, making strong two factor authentication (2FA) easy to use, all while reducing IT costs.

Don’t forget, Data Privacy Day is happening on January 28, and we welcome you to join in the movement! Start now by helping to educate and empower individuals and businesses on becoming #PrivacyAware. For additional tips on how to improve online safety, read more here.

Share this article:

Recommended content

Thumbnail

People matter: How to solve security skills shortage challenges

The skills shortage in the security industry stretches as far back as we can remember having an industry. Everyone knows it’s a challenge with no easy short-term solutions. The root of the security skills shortage gap remains murky, and some observers say the pandemic and reallocations of security resources could be widening that gap. The ...

What is Strong Authentication

Strong Authentication Definition Strong authentication is a way of safely and reliably confirming user identity. Multi-factor authentication (MFA) is one of the best options to establish trust with users, but actual strong authentication goes beyond MFA or two-factor authentication (2FA). When implementing MFA, at a minimum, follow the National Institute for Standards and Technology (NIST) ...

Thumbnail

What SolarWinds taught us about the importance of a secure code signing system

Last year’s SolarWinds attack was caused by intruders who managed to inject Sunspot malware into the software supply chain. The hackers exploited a breach in the SolarWinds code signing system, which allowed them to fraudulently distribute malicious code as legitimate updates to installations across the world. While this attack taught the industry many lessons, one ...

Thumbnail

Yubico research reveals that cybersecurity best practices, including password protection, and employee training in the UK, France, and Germany are lackluster with the proliferation of employees working from home

We all know there have been major paradigm shifts in the workplace caused by the pandemic. With the explosion of working from home (WFH), millions of employees now call their basements and bedrooms home offices. Security professionals scrambled to put together employee onboarding and authentication protocols that met new cybersecurity requirements for remote employees. Over ...