Teaching Non-Security Coworkers About Data Privacy Day


From everything I’ve read, it appears that 2019 will be an exciting year for digital attackers. I recently predicted that the economic losses resulting from digital crime will be worse in 2019 than they’ve ever been before, for instance. I also recently read how McAfee anticipates that the digital underground will consolidate and create fewer but stronger malware-as-a-service (MaaS) families. These families will, in turn, work together in new synergistic attacks, driving more modularity in attack capabilities and greater exploitation of vulnerabilities.

Given these expectations, I think that Data Privacy Day has arrived just in time this year.

Data Privacy Day

What is Data Privacy Day, you ask? According to the Stay Safe Online website, the United States and Canada first celebrated Data Privacy Day in January 2008 as an extension of Data Protection Day, a celebration that recognizes January 28, 1981, as the date when Convention 108 became the first legally binding international treaty concerning privacy and data protection. Today, Data Privacy Day serves as a signature event within the many public awareness campaigns sponsored by the National Cyber Security Alliance (NCSA).

Bringing Data Privacy Day to the Workplace

Most everyone knows by now that data security is an important issue on a personal level when it comes to protecting sensitive information. Not everyone, however, knows exactly how to protect their information. That’s why I think it is so important to recognize Data Privacy Day in the workplace. Security professionals have an obligation to educate employees about how to protect themselves during Data Privacy Day (and throughout the rest of the year, for that matter), all while fulfilling the responsibility of protecting sensitive personal information and corporate data.

I encourage security professionals to take the following steps to ensure their co-workers get the most out of Data Privacy Day.

Make Digital Security Accessible to Everyone

The best way for security professionals to make Data Privacy Day relevant in the workplace is to make digital security a subject everyone can discuss. Security personnel can play a big part in facilitating these discussions, thereby helping to make Data Privacy Day’s lessons last well after January 28. They can do so passively and actively:

  • Passively: Security professionals can post simple and actionable online safety tips around the office. For instance, they can put up posters in the break room that remind employees to create strong passwords for their accounts and to not write them down on post-it notes. Employees can then internalize these posters’ recommendations and follow up with whatever questions they might have, such as “What makes a password strong?” or “How can I safely store my passwords?”
  • Actively: Not all employees want to initiate a conversation about digital security. That’s why security professionals need to step in and get the ball rolling. In this case, infosec personnel can hold a brown bag lunch for employees to discuss their company’s IT security and acceptable use policies. This preliminary meeting can help lay the groundwork for employees to learn more about digital security in the future.

Teach the Security Basics

That brings me to my second point about how security professionals can help their co-workers benefit from Data Privacy Day: ongoing training. To be sure, infosec personnel should work with HR to make sure that security principles are incorporated into an organization’s training modules for new employees when they join. Even so, employees need refreshers and workshops to help them stay on top of the latest digital threats and best practices for security.

My advice for security professionals is to lead regular security awareness training sessions with their fellow employees. To make this training a success, representatives from IT and security need to create a formal plan that receives the support from digital security advocates in every department. It’s important to gain these representatives’ buy-in, as these individuals can help encourage attendance and keep employees in every part of the organization trained and motivated.

Next up, security personnel must teach the basics. They can do so by using phishing simulations to instruct employees on how to be on the lookout for suspicious emails. They also can emphasize the importance of implementing software patches on a timely basis, and take time out to discuss topical digital attacks and malware outbreaks to illustrate the risk.

Last but not least, infosec personnel can reward employees who take digital security seriously. For instance, they could offer incentives for users to find and report malicious emails and other potential security threats, then publicize these stories about users who’ve helped thwart issues, highlighting the strength of a cohesive digital security culture in the workplace.

Implement Strong Security Controls and Solutions

For all the value that it has to offer, security awareness training can only go so far. Each employee receives and sends out tens if not hundreds of emails a day, after all. A single phishing email could easily slip past an employee, for example, if that employee is having an off day and forgets to verify the sender’s email address. That’s all it takes sometimes for an organization to ultimately suffer a security incident like a data breach.

Acknowledging our fallibility as humans, it’s important that security professionals do something to back their employees up. In this case, robust security solutions are the way to go. Platforms that offer vulnerability management, SOAR, and network traffic analysis capabilities can help organizations stay on top of the latest digital threats. Seeing as digital criminals have a never-ending capability to morph any or all aspects of their campaigns, these solutions ideally would use machine learning to help organizations sort through the high volume of alerts and remain current with bad actors’ evolving tactics.

Accepting Responsibility for Data Privacy Day

We all come to digital security along different paths and with different backgrounds, but deep down, we as security professionals all share the same commitment to keeping data safe and protecting ordinary users. This is what Data Privacy Day is all about. The sooner we recognize this, the sooner we can help ensure that Data Privacy Day will leave a lasting impression on our colleagues. Organizations can then leverage their security-aware workforce to better defend themselves and their sensitive data against digital threats. Such is the value of cultivating security awareness in one’s workforce.

Want more information on how to promote Data Privacy Day? To learn more, be sure to visit Stay Safe Online.

Andy Norton


Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both Bush and Obama administrations, The Cabinet office, the Foreign and Commonwealth office, SWIFT, Swiss National Bank, Prudential Regulation Authority, the Bank of England, The Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.