Normalising data leaks is a dangerous step in the wrong direction, says Andrea Babbs, pictured, UK General Manager, VIPRE SafeSend.
It was only recently, in early April, when it came to light that the personal data from over 500 million Facebook profiles had been compromised by a data leak in 2019. And since then, an internal Facebook email has been exposed, which was accidentally sent to a Belgian journalist, revealing the social media giant’s intended strategy for dealing with the leaking of account details from millions of users. Worryingly, Facebook believes the best approach is to ‘normalise the fact that this activity happens regularly,’ and to frame such data leaks as a ‘broad industry issue’.
The statement from Facebook is a very worrying strategy to come from a business which holds the personal and business data of millions across its platforms. Particularly in the wake of increasingly stringent regulations appearing globally, it is startling for such a large organisation to casually dismiss data leaks. To give businesses an excuse to no longer invest time, money and effort in data security is a dangerous step in the wrong direction.
Personal data is a valuable currency for cyber hackers, and individuals want to ensure it is protected. Leaking this confidential data, such as medical information, credit card numbers or personally identifiable information (PII) can have far-reaching consequences for both individuals and businesses. Keeping this data safe should be businesses’ number one priority. However, data is only as safe as the strength of an organisation’s IT security infrastructure and its users’ attention to detail.
If you do not have the right technology in place to keep your data safe, then you will face problems – but the same goes for having the right tools and training available to your users. Data security is a difficult and never-ending task, one which requires ongoing investments on multiple fronts by every organisation in the world.
Particularly in the wake of COVID-19, businesses have had to transition to remote working and accelerate their processes to the cloud. Moving to cloud based security which moves with your users is key. And investment in user training will become more normalised because an uneducated workforce is a big risk to an organisation’s data security efforts.
To combat such threats, deploying a layered security approach is necessary for both small and large businesses. In today’s modern threat landscape, a data protection plan needs to include cover for both people and technology at its core. There are innovative tools available, such as VIPRE’s SafeSend, which supports busy, distracted users to double check their attachments or recipient list before sending an email to help them make more informed decisions around the security of their data. Additionally, companies need to invest in thorough and more frequent security awareness training programmes, which include phishing simulations as a key component.
We will also see a bigger move towards Zero Trust Network Access (ZTNA) tools – which only allow people to access the data they need, not the entire network. There will be an evolution in this area, and protection for a workforce ‘on the go’ will become the standard, but with the same foundational principles of investing in the right technology, and the users themselves.
Reputation and responsibility
No matter where users are or what they are doing, keeping security front of mind will be one way to ensure good IT security hygiene for businesses. Those who have already made significant progress in this area will reap the rewards in terms of safe data and reassured customers, clients and prospects.
Businesses that get out in front of all areas of data loss, not just attacks from bad actors, are the ones that will do well in the long term. The ability to reassure customers and prospects of the safety of their data will become the new marketing message in the coming years, which is why attempting to normalise data loss could be so damaging to Facebook’s reputation.
Cyber threats are only going to increase in sophistication and become more personalised to the individual by using social engineering attacks or fileless based attacks. Attackers are going to continue to take advantage of current events, such as COVID-19, to trick users into clicking a link, downloading an attachment or signing into a phishing website etc.
Businesses of all sizes have a responsibility to keep data secure – and users must be a part of the solution, rather than the problem. In order to do this, businesses need to place cybersecurity as a priority throughout their processes and invest in the right tools and training to make this more of a business-critical solution, and less of an ‘emerging necessity’ as it is now.
