Benchmark Data Protection
Australia’s leading agency on national cyber security, the Australian Cyber Security Centre (ACSC), says credentials (usernames and passwords) are typically stolen when:
• a user is tricked into entering their credentials into a page that mimics the legitimate site
• a brute-force (automated trial and error) attack on username and password combinations is performed against a service, if it doesn’t prevent such activity
• a service is compromised, and credentials are stolen and used to access the system or tested against other sites such as social media and email
• a user’s system is compromised by malware designed to steal credentials.
Improving staff awareness of cyber security issues and threats, including the cyber risk environment in which an organization operates, needs to be a priority for all businesses.
Cybercriminals use common tricks to get employees to reveal their organizational credentials, enabling the exploitation of sensitive data protected under the Data Protection Act, 2019. These include:
• phishing, where confidential information is stolen by sending fraudulent messages to victims
• spear phishing, a dangerous class of phishing where criminals use social engineering to target companies and individuals using very realistic bait or messages, based on company information sourced from publicly available information such as annual reports, shareholder updates and media releases.
The ACSC recommends prevention techniques such as clearly documenting and training employees in cyber security systems and plans, and designing and implementing cyber security awareness programs for all employees.
Passwords
To mitigate data spills and breaches and other cyber security incidents, the ACSC advises the following:
• require all users to periodically reset passwords to reduce the ongoing risk of credential compromises
• consider increasing password length and complexity requirements to mitigate the risk of brute-force attacks being successful
• implement a lockout for multiple failed login attempts
• if credentials have been compromised, reset passwords as soon as possible
• discourage users from reusing the same password across critical services such as banking and social media sites, or sharing passwords for a critical service with a non-critical service
• recommend the use of passphrases that are not based on simple dictionary words or a combination of personal information: this reduces the risk of password guessing and simple brute-forcing
• advise users to ensure new passwords do not follow a recognisable pattern: this reduces the risk of intelligent brute-forcing based on previously stolen credentials.
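As an added illustration (not part of the ACSC advice or of this document), the following Python checker applies the rules in the list above that can be tested mechanically when a user changes a password: minimum length, rejection of a new password that is only a re-decorated version of the previous one (the “recognisable pattern” case), and rejection of single dictionary words or personal information. The thresholds and the small word list are constructed assumptions for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed policy parameters (assumptions for this example, not ACSC figures).
MIN_LENGTH = 14
SIMILARITY_THRESHOLD = 0.75
COMMON_WORDS = {"password", "welcome", "winter", "summer", "qwerty", "letmein"}


def core(pw):
    """Strip the decoration people add to 'make a password unique': case, edge digits/symbols, leet swaps."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return stripped.translate(str.maketrans("014357", "oiaest"))


def is_recognisable_variant(old, new):
    """True if new is old with different decoration ('Winter2023!' -> 'Winter2024!!') or too similar."""
    if core(old) == core(new):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= SIMILARITY_THRESHOLD


def is_dictionary_based(pw):
    """A single common word with decoration is not a passphrase."""
    return len(core(pw).split()) <= 1 and core(pw) in COMMON_WORDS


def uses_personal_info(pw, personal_terms):
    """Reject passwords built from known personal details (name, birth year, ...)."""
    lowered = pw.lower()
    return any(term.lower() in lowered for term in personal_terms if len(term) >= 3)


def check_new_password(old, new, personal_terms=()):
    """Return the list of policy violations; an empty list means the change is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too short")
    if is_recognisable_variant(old, new):
        problems.append("recognisable pattern from previous password")
    if is_dictionary_based(new):
        problems.append("based on a single dictionary word")
    if uses_personal_info(new, personal_terms):
        problems.append("contains personal information")
    return problems
```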
Software systems
To mitigate data spills and breaches and other cyber security incidents, the ACSC advises the following:
• use multi-factor authentication for all remote access to business systems and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository
• look out for unusual account activity or suspicious logins: this may help detect when a service such as email has been compromised and needs a password reset
• encourage users to think carefully before entering credentials, e.g.:
  o ask if this is normal
  o don’t enter credentials into a form loaded from a link sent in email, chat, or other means open to receiving communications from an unknown party
  o even if the page looks like the service being reset, think twice
  o do not click the link; instead, browse to the website and reset the password from there
  o be aware that friends’ or other contacts’ accounts could be compromised and controlled by a third party to also send a link
• keep operating systems, browsers and plugins up-to-date with patches and fixes
• enable anti-virus protections to help guard against malware that steals credentials.
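To show what the lockout advice and “look out for unusual account activity or suspicious logins” look like in practice, here is an added Python example (not from the ACSC or this document) that runs a sliding-window failed-login lockout over a constructed authentication log and flags a success that follows a burst of failures, which is the case the ACSC says warrants a password reset. The log format, thresholds, user names and addresses are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy parameters (assumptions for this example, not ACSC figures).
LOCKOUT_THRESHOLD = 5                   # failures within LOCKOUT_WINDOW that trigger a lockout
LOCKOUT_WINDOW = timedelta(minutes=10)
SUSPICIOUS_FAILS = 3                    # a success after this many recent failures is flagged

# Constructed sample authentication log; format, users and addresses are made up.
SAMPLE_LOG = """\
2024-05-01T08:00:01 user=alice src=198.51.100.7 result=FAIL
2024-05-01T08:00:03 user=alice src=198.51.100.7 result=FAIL
2024-05-01T08:00:05 user=alice src=198.51.100.7 result=FAIL
2024-05-01T08:00:08 user=alice src=198.51.100.7 result=FAIL
2024-05-01T08:00:10 user=alice src=198.51.100.7 result=FAIL
2024-05-01T08:00:12 user=alice src=198.51.100.7 result=OK
2024-05-01T08:05:00 user=bob src=192.0.2.10 result=FAIL
2024-05-01T08:30:00 user=bob src=192.0.2.10 result=OK
"""


def parse_line(line):
    """'2024-05-01T08:00:01 user=alice src=... result=FAIL' -> dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def analyse(log_text):
    """Return (lockouts, suspicious): accounts that should be locked out, and successful
    logins that followed a burst of failures and so warrant a forced password reset."""
    recent_fails = defaultdict(deque)  # user -> failure timestamps still inside the window
    lockouts, suspicious = [], []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        fails = recent_fails[user]
        while fails and ts - fails[0] > LOCKOUT_WINDOW:  # slide the window forward
            fails.popleft()
        if rec["result"] == "FAIL":
            fails.append(ts)
            if len(fails) == LOCKOUT_THRESHOLD:  # fire once when the threshold is reached
                lockouts.append((user, ts.isoformat()))
        elif len(fails) >= SUSPICIOUS_FAILS:  # success right after a failure burst
            suspicious.append((user, ts.isoformat(), len(fails)))
    return lockouts, suspicious
```

In the sample, alice is locked out at the fifth failure and her success two seconds later is flagged for a reset, while bob's single failure has aged out of the window by the time he logs in.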
In line with the above, here are some of the ways to actively protect the association.
5) Strengthen Credentials
More than a handful of us will add the dreaded exclamation point to the end of a password to make it “unique” when prompted to change it. However, this is a costly mistake that countless organizations have paid the price for. Unique passwords that are changed at frequent intervals are best practice, and with encrypted password managers and data protection software available, it is far more secure and feasible to enforce these policies with minimal pushback from employees.
6) Educate Employees
Ninety-five percent of cybersecurity breaches are due to human error, according to IBM. That’s why it’s vital to train employees on the action plan for identifying and reporting signs of a data leak or breach. When employees fully understand and support initiatives such as email best practices, BYOD, password policies, and disaster recovery plans, security will be stronger across the board.
7) Back Up Files
Regardless of how secure the data is, Mother Nature or ordinary accidents that damage hardware can pose a huge risk to the organization if its data is not regularly backed up in separate locations, as well as in the cloud. But don’t just trust that the backups will be ready when needed. You’ll want a specific, prioritized plan for rebuilding the infrastructure. Practice that plan to re-implement the system, so you can dry-run it and find any errors or missing components you need to be aware of prior to the real deal.
Data protection—sometimes referred to as information privacy or data security—is the process
of protecting the privacy, integrity, and data availability of important information. Any
organization that handles sensitive data must implement a data protection strategy to prevent the
theft, corruption, or loss of their data and mitigate against the damage in the case of a security
breach or disaster.
Recovery from a data breach or data loss is time-sensitive, and any delay can affect business
continuity. There are also legal requirements for many industries, which apply to organizations
that handle or store personal information such as names, addresses, passwords, credit card
details, and medical records.
What Is GDPR?
The General Data Protection Regulation (GDPR) was adopted in April 2016 and came into effect in May 2018 with the goal of providing a unified standard for data protection across the European Union (EU) and European Economic Area (EEA). It stipulates that any organization, public or private, that processes personal data must commit to maintaining a high level of data security.
The GDPR emphasizes the rights of EU residents relating to personal data, including the right to
access, modify, transfer, or erase their data. Personal data as defined in the GDPR refers to any
information that relates to an individual. This encompasses Personally Identifying Information
(PII), such as names; addresses; physical traits, including weight, height, and ethnic or racial
characteristics; biometric data such as DNA and fingerprints; and health data.
The GDPR stipulates that organizations must provide transparency regarding their use of
personal data, requiring them to disclose any data processing activity, demonstrate the lawful
basis for using this data, and report any data breach within 72 hours.
Data protection is an essential part of GDPR, and almost all online businesses must comply with
these or similar standards. GDPR compliance requires the implementation of a data privacy
policy that ensures that only the necessary data is collected; that individuals have a say about
which data can be collected and how it can be used; and that all sensitive data is deleted as soon
as it has served its purpose. The penalty for non-compliance is a fine of up to €20,000,000 or
four percent of the global revenues of an organization.
To help organizations meet the compliance requirements, the GDPR outlines responsibilities for
roles such as Data Protection Officers (DPOs) and data controllers. Data controller
responsibilities include implementing measures to ensure that personal data cannot be misused
and that it remains confidential. The GDPR grants the data controller flexibility to implement
additional data protection measures but requires the data controller to evaluate the risk and cost
associated with them.
• Data Backup - storing regularly updated duplicates of the data. This often involves “mirroring” the data in its entirety so you can access it from more than one place. You can utilize an on-premises disk-based storage system for a secure, local backup with quick access, tape as either local or remote backup, or cloud backup.
• Data Loss Prevention (DLP) - a solution that utilizes several tools to help mitigate against data loss.
• Firewalls - help you monitor network traffic so you can detect and block malware.
• Authentication and authorization - confirming the identity of a user and validating the access privileges of the user. A combination of credentials (e.g. passwords), access tokens, and authentication keys helps provide an added layer of security. This can be part of a larger Identity and Access Management (IAM) solution, along with measures like Role-Based Access Control (RBAC).
• Encryption - converts the data into a non-readable format so that only the encryption key can convert it back to plain text. Data security solutions typically offer encryption as an important component of their data protection strategy.
• Endpoint protection - software that monitors activity on endpoints, alerting you if someone transfers data in or out of the network.
• Data erasure - deleting sensitive data once it has been processed to reduce the risk of exposure. This is an important requirement of regulations like the GDPR.
• Disaster Recovery Plan (DRP) - enables you to restore data after an event that has damaged the data center. Organizations should always have a plan in place so they can recover lost data quickly and easily.
If on-premises data centers break or become obsolete, the cost and time to move data can be a burden.
With public cloud storage, data is housed in a data center forever. This is especially a benefit, because as more operations move online, having data already in a public cloud can streamline business processes. When comparing the Total Cost of Ownership (TCO) for cloud vs on-premises servers, you should consider the time horizon, scalability, security, and performance. In the short term, cloud servers are more cost-effective due to lower upfront and fixed costs. On the other hand, on-premises servers are more cost-effective in the long term, with lower variable and recurring costs. Cloud servers are more scalable as they allow you to adjust resources on demand, while on-premises servers are more rigid as they require capacity to be planned and purchased in advance. Additionally, cloud servers are more secure as they benefit from the CSP's expertise and infrastructure, but on-premises servers offer more privacy as they give you control over access to the data. Lastly, cloud servers are more performant due to leveraging the CSP's network and redundancy, while on-premises servers provide more consistency by avoiding potential issues of internet connectivity and shared resources. Ultimately, there is no definitive answer to which option is best for IT infrastructure design; it depends on specific needs, goals, and preferences. By calculating and comparing the TCO for both options, you can make an informed decision that suits the association's situation.
To help the association fulfill the requirements of data protection regulations like the DPA & GDPR, it should build a comprehensive data protection strategy and implement it throughout the organization. The compliance strategy should include:
• Identify risk areas - the association should assess the risks involved with any activity that uses personal data. This can help identify gaps in existing security policies, so it can update its compliance measures.
• Maintain visibility and transparency - use measures such as data mapping to keep track of all personal data that the organization processes. This should include documenting what types of data are collected, where they are stored, and why they need to be processed.
• Appoint a Data Protection Officer (DPO) - this is mandatory for organizations processing personal data for high-risk activities, such as large-scale profiling of sensitive data. The DPO is responsible for monitoring and providing advice on compliance with the DPA & GDPR. The association can also benefit from a DPO even if not legally required to employ one.
• Plan for privacy - the DPA & GDPR advocate a “privacy by default and by design” approach, which involves implementing data protection measures throughout the lifecycle of data processing activities. Organizations must be able to demonstrate that they have an adequate plan in place, or else risk exposing themselves to enforcement action. For this reason, the association should incorporate Data Protection Impact Assessments (DPIAs) into its privacy protection strategy.
With so many breaches involving a human element, it’s the logical place to start improving defenses. Security awareness training teaches team members, including contractors, partners, and anyone else with access to the association’s applications and systems, to spot malicious emails, attachments, and websites and to understand their role in cybercrime prevention. A practical, ongoing security awareness program should include testing by sending phishing simulations to employees to identify problem areas and knowledge gaps.
An effective approach addresses other gaps that can leave their organization open to an attack,
including:
Security policies
Robust security policies can systematically prevent data breaches while increasing security
awareness within their organization. These policies also serve as guidelines for their employee
cybersecurity training program.
Physical security
Data is at the heart of almost every organization. That's why hackers now often resort to breaking
into facilities to gain access. Strong premises security that monitors activity and limits access is
crucial for keeping their sensitive systems safe.
Access control
Role-based systems access helps ensure that applications and data are always available to those
who need them while limiting privileges for specific systems to those that must have them. So, if
a hacker does gain access to one of their systems, they won’t be able to exploit their other
systems.
From a technology standpoint, layered security focuses on keeping any single security
vulnerability from compromising their entire system. That starts with assessing their current
security posture. The next step is to put prevention tools in place to close any security gaps.
These tools include:
Encryption tools
Packet sniffers
Antivirus software
Firewall
Penetration testing
When every effort at prevention fails (it could be something as simple as someone clicking on a malicious link without thinking), a sound data backup and recovery solution is the last line of defense. Ensuring you can recover the data and get back up and running following an attack starts by following the 3-2-1-1 rule. Keep three copies of the data, one primary and two backups, with two copies stored locally on two formats and one stored offsite in the cloud or secure storage. The final 1 in the 3-2-1-1 rule stands for immutable, and it makes all the difference in the world. Immutability is when data is converted to a write-once, read-many-times format that can’t be altered. Choosing a backup and disaster recovery solution that features immutability ensures the data will be there when you need it.
Malicious or criminal attacks are a leading cause of data breaches notified to the ODPC.
Strong password protection strategies, including raising staff awareness about the importance of
protecting credentials, can greatly reduce the risk of this type of data breach.