The growth in both consumer concern and laws seeking to protect consumer data means organizations need to take specific measures to ensure the safeguarding of customer data.
Cybercriminals today are looking to make money the easiest way possible. One sure way to generate revenue is to sell off customer data. Even at pennies per record, a massive data breach like last year’s Marriott breach, involving nearly 500 million records, adds up to a tidy sum.
It’s not just the bad guys that know this; consumers themselves are worried about the potential harm that could come to them because you hold information about them. It’s the very reason we’re seeing more U.S. states creating laws to protect consumers. The most notable is the California Consumer Privacy Act, which feels a bit like a miniature version of GDPR. Additionally, New York, Colorado, and Illinois have similar laws on the books.
With penalties looming – both from law breaches and the resulting allowed civil suits – it’s time for organizations to take seriously the need to protect consumer data.
So, what does an appropriate security plan look like?
In short, it’s made up of a few strategies:
- Data is Identified – Most laws talk about having an ability to provide access to, modify, and even delete consumer data on demand by the owner. This implies an understanding of exactly where consumer data resides anywhere within the organization.
- Roles are Defined – Many laws establish roles such as data processors, reviewers, auditors, etc. In addition to these, simply having least-privilege permissions in place, so that access is limited to those deemed necessary, would be appropriate here.
- Security is Enforced – The various laws include language about maintaining security. In practice, that means the ability to detect changes to permissions, and an equal ability to roll permissions back to a known-compliant state, is critical.
- Environment is Protected – Cybercriminals work to enter networks via unpatched systems, or through the use of social engineering, phishing, and malware. Putting solutions in place such as patching, email and web scanning, antivirus, endpoint protection, Security Awareness Training, and data loss prevention will help to secure the environment from attack.
- Auditing is in Place – Monitoring access to consumer data is necessary to both prove compliance and detect when a potential breach may have occurred.
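As an added example (not code from the original post) of the permission-drift detection and rollback that the “Security is Enforced” point calls for, the Python below compares the current ACLs on two consumer-data stores against a known-compliant baseline, reports every grant that drifted, and derives the corrective actions that restore the baseline. The resource names, principals and the resource-to-principal-to-permission model are constructed for illustration.

```python
"""Permission-drift check for consumer-data stores (constructed model: resource -> {principal: perms})."""
from typing import Dict, List, Set, Tuple

ACL = Dict[str, Dict[str, Set[str]]]

# Constructed baseline: the last reviewed, known-compliant state.
BASELINE: ACL = {
    "crm/customers": {"svc-billing": {"read"}, "grp-support": {"read"}},
    "dw/pii_export": {"svc-etl": {"read", "write"}},
}
# Constructed current state: support escalated to write, billing's grant dropped, contractor added.
CURRENT: ACL = {
    "crm/customers": {"grp-support": {"read", "write"}},
    "dw/pii_export": {"svc-etl": {"read", "write"}, "user-contractor": {"read"}},
}

def permission_drift(baseline: ACL, current: ACL) -> List[Tuple[str, str, str, str]]:
    """Return (resource, principal, permission, kind) for every grant that differs from the baseline."""
    findings = []
    for resource in sorted(set(baseline) | set(current)):
        base_acl, cur_acl = baseline.get(resource, {}), current.get(resource, {})
        for principal in sorted(set(base_acl) | set(cur_acl)):
            base_perms = base_acl.get(principal, set())
            cur_perms = cur_acl.get(principal, set())
            findings += [(resource, principal, p, "added") for p in sorted(cur_perms - base_perms)]
            findings += [(resource, principal, p, "removed") for p in sorted(base_perms - cur_perms)]
    return findings

def rollback_actions(drift: List[Tuple[str, str, str, str]]) -> List[str]:
    """Corrective actions: revoke what was added, re-grant what was removed."""
    return [f"revoke {p} on {r} from {who}" if kind == "added" else f"grant {p} on {r} to {who}"
            for r, who, p, kind in drift]

def apply_rollback(current: ACL, drift: List[Tuple[str, str, str, str]]) -> ACL:
    """Apply the corrective actions to a copy of the current ACL; the result should equal the baseline."""
    restored = {r: {p: set(ps) for p, ps in acl.items()} for r, acl in current.items()}
    for resource, principal, perm, kind in drift:
        entry = restored.setdefault(resource, {}).setdefault(principal, set())
        if kind == "added":
            entry.discard(perm)
        else:
            entry.add(perm)
        if not entry:  # a principal with no grants left disappears from the ACL
            del restored[resource][principal]
    return restored

if __name__ == "__main__":
    for action in rollback_actions(permission_drift(BASELINE, CURRENT)):
        print(action)
```

Running the drift check on a schedule and alerting on a non-empty result is the detection half; feeding the actions into the access-control system is the rollback half.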
The above strategies are by no means comprehensive, but they do point out the high-level goals your organization’s security strategy around consumer data should include.
The issue of consumer data privacy is only going to become of more concern over the next few years. Now is the time to put protective measures in place so you’re ready for when new laws impact you – if they haven’t already.