To anyone who is familiar with Ostra’s history as well as our team culture, it is no surprise that we are passionate about data privacy. Ostra is a proud 2022 Data Privacy Week Champion because we were founded on the belief that all businesses and individuals have a fundamental right to data privacy and security.

January 24 – 28, 2022 is Data Privacy Week—a global initiative to generate awareness about the importance of online privacy. In addition to educating citizens on how to manage and secure their personal information, Data Privacy Week encourages businesses to respect data and be more transparent about how they collect and use customer data.

What does data privacy mean?

Individuals and businesses approach data privacy in slightly different ways:

As individuals, we are usually more concerned with protecting our personal information, securing our financial or health records, keeping our families safe on social media, or reducing the risk of personal property being stolen.
For businesses, however, data privacy is more complex. It’s not just about protecting the data of their company, employees, or investors. They also need to be accountable for how they are handling data for their clients, vendors, or any other organizations that they interact with.

But in all cases, data privacy is simply about minimizing opportunities for others to exploit data for personal, professional, political, social or financial gain.

The path to action

According to a Pew Research Center study, 79% of U.S. adults report being concerned about the way their data is being used by companies.

Yet, at the same time, many of us in the information security industry hear comments like, “Who cares if Big Brother is listening to what kind of cereal I like?” People know they are being targeted, but the outrage has worn off.

When Ostra conducts cybersecurity assessments for our clients, we typically try to find out where they fit on the scale of concern for their data security and data privacy.

After spending more than 20 years in this industry, I’ve seen attitudes about data privacy that range from apathy to paranoia. Both ends of this spectrum are problematic.

How can we best position ourselves to champion data privacy? I am a big fan of awareness that leads to action. This concept is illustrated below:

On the left side, Apathy leaves people unmotivated, leading to careless inaction. On the other end, Paranoia creates a fatalistic outlook, which can be just as paralyzing. Neither of these extremes tend to move people forward. But right in the middle is Awareness, which leads to action.

Businesses can build employee awareness about data privacy by asking these questions:

Whose data do we have?
What kind of data do we have? (Financial, personal/health information, etc.)
Should we even have this data?
Who has access to this data? (And is anyone overseeing these permissions?)
How do we secure this data?

Individuals can take data privacy more seriously by thinking about:

Where is my personal data being stored?
Who has access to my personal data?

Privacy Frameworks

As companies dive further into the topic of data privacy, they should also develop an official Data Privacy Policy or framework if none exists.

What is a Data Privacy Policy? It is simply a roadmap that your company can follow to keep sensitive data secure. Your policy might outline the following:

Methods you use to manage/store private data
Standards or procedures for encrypting your data
What to do if an employee is on the receiving end of private data that they should not have access to
Procedures about who is a gatekeeper for sensitive, confidential or HIPAA-protected data
Definitions about what is considered private or confidential data
Guidelines for sharing or forwarding data to non-gatekeepers

Train your employees (and then train them again, and again…)

A policy is only as good as the people who follow it—or don’t. So once you have a framework in place, it’s time to ensure your employees are properly trained, regularly updated, and are inspired to share your commitment to data privacy.

Training topics or roundtable conversations might include:

What is protected information?
What are some scenarios where private data might be exposed, unintentionally?
What should I do if I accidentally receive something from a client or employee that I shouldn’t?
How do I report a data privacy breach or incident?
What are best practices for keeping my laptop, smartphone or network files secure?

Data privacy training doesn’t have to be formal or complicated. It could be a casual lunch-and-learn or Q&A session. The goal is to get employees thinking and talking about their role in ensuring data privacy at the company.

At a minimum, I recommend that businesses host quarterly or monthly data privacy trainings for every employee and contractor. Since Ostra believes so strongly in data privacy, our security team talks about it at least once per month—sometimes as part of our all-company town halls, or even more frequently at smaller gatherings. We know that regular, ongoing conversations about data privacy are crucial to proactively protecting ourselves, our company and our clients.

Links between personal & business data privacy

Your personal and company data might be more interconnected than you realize. Cybercriminals are constantly looking for cracks in the armor to help them gain access to a company’s client list, financial data, intellectual property, or other important information.

Whether you are the CEO or a part-time intern, it’s important to consider:

How much information are you sharing on your personal social media accounts that might make your password easier to crack? (i.e. birthdates, anniversary dates, middle names, location details, etc.)
Do you participate in online surveys or quizzes that gather your personal details? If so, could your answers be used to put your data at risk?
Do you ever check email from an unsecured network—e.g., while at home or at your local coffee shop?
Have you checked the privacy settings on the many apps have installed on your smartphone?

By collecting unsecured personal information, impersonators can build profiles of employees to gain access to sensitive data at the places where they work.

Of course, many people can’t imagine their company might be a prime target for things such as ransomware—especially those who work for SMBs. But cyber attacks are not just aimed at multi-national, Fortune 100 corporations. A 2Q 2021 Coveware report stated that more than 75% of ransomware cyberattacks occur on companies with less than 1,000 employees.

Impersonating employees by researching their personal data is a common strategy that criminals can use to initiate ransomware attacks, credit card fraud, industrial espionage and more.

About Data Privacy Week

January 24 – 28, 2022 is Data Privacy Week. In 2022, National Cybersecurity Alliance expanded its annual Data Privacy Day campaign from a single day (January 28) to a week-long initiative. Data Privacy Day began in the United States and Canada in January 2008 as an extension of Data Protection Day in Europe, which commemorates the Jan. 28, 1981 signing of the first legally binding international treaty dealing with privacy and data protection (known as Convention 108). For more info about Data Privacy week and other initiatives from the National Cybersecurity Alliance, visit staysafeonline.org.

About Ostra

As a next-generation MSSP, Ostra Cybersecurity combines best-in-class tools, proprietary technology and exceptional talent to deliver Fortune 100-level protection for businesses of all sizes. The result is a multi-layered, 360° solution that allows you to set it and forget it. For more information, visit www.ostra.net.

Michael Kennedy

Michael Kennedy is the founder of Ostra Cybersecurity, a multi-layered and fully managed Security as a Service. Recognized as a cybersecurity industry trailblazer, he is a dynamic leader, speaker, and fierce advocate for data privacy.