The importance of Data Privacy

Leigh Consulting observes February as Data Privacy Month, and our goal is to promote awareness about online privacy and educate our clients on how best to manage personal data and keep it secure. The key to a really good cybersecurity practice is to concentrate on just four things that significantly lower cybersecurity risk.

Further information on social engineering and multi-factor authentication is available from KnowBe4, one of Leigh Consulting's vendors for cybersecurity services and training.

These four things, if concentrated on and done well, will make you and your organization significantly less likely to be susceptible to cybersecurity threats. If they are not done well, as is the case with most people and organizations, you are at higher risk of negative cybersecurity events. In my experience, no other defense recommendation we provide our clients (e.g., antivirus, firewalls, least privilege, etc.) does as much to reduce cybersecurity risk as the four things below:

Mitigate Social Engineering: 

The vast majority of hacking and malware succeed because of social engineering. Depending on the vendor and study, the percentage of cybercrime that involves social engineering is between 50% and 92%. No other root cause accounts for as much cybercrime as social engineering. Handle social engineering threats well, and you get rid of at least half the risk of cybercrime. Social engineering usually tries to trick a potential victim into revealing confidential information (e.g., a password) or into downloading or executing malicious content. The single best thing any person or company can do to defeat social engineering is to learn how to spot and handle potential social engineering attempts. Every organization should give everyone good security awareness training and run simulated phishing tests at a regular cadence. Training and education ensure that everyone knows how to recognize the various types of social engineering scams; creating a culture of healthy skepticism should be the goal.

Patch Exploited Software: 

After social engineering, unpatched software comes in a distant second as the most common root cause of cybercrime. How much unpatched software is involved in cybercrime changes over time, but in general, according to Gartner research, it is involved in 20% to 40% of cybercrime incidents. Therefore, our rule of thumb when advising our clients is that if you perfectly patch your software, you get rid of 20% to 40% of your risk. You do not even need to patch everything on your platforms. You just need to perfectly patch the software that hackers usually exploit. Which software do hackers exploit? The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of the software vulnerabilities hackers are actually using to break into places, officially known as the Known Exploited Vulnerabilities Catalog. If software you run has a vulnerability on this list, get it patched ASAP. Leigh Consulting's cybersecurity experts always encourage our clients to subscribe to a CISA announcement list so they are notified proactively.
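As an added illustration of the Known Exploited Vulnerabilities check described above (example code written for this post, not a Leigh Consulting or CISA tool), the script below parses a constructed sample in the shape of CISA's public KEV JSON feed and reports which items of a constructed software inventory appear in it, most urgent first. The field names cveID, vendorProject, product and dueDate are assumed to match the public feed; the CVE identifiers are placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV feed. Field names are assumed
# to match the public JSON feed; the CVE IDs are placeholders, not real entries.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Mail Gateway", "dueDate": "2024-02-10"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "VPN Appliance", "dueDate": "2024-03-01"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "CMS", "dueDate": "2024-02-20"},
    ]
})

# Constructed software inventory: (vendor, product) pairs an organization runs.
# Case and spacing differ from the feed on purpose to show the normalization.
INVENTORY = [("examplevendor", "MAIL  gateway"), ("ExampleVendor", "vpn appliance")]


def normalize(text):
    """Lower-case and collapse whitespace so vendor/product names compare reliably."""
    return " ".join(text.lower().split())


def load_kev(raw_json):
    """Parse the feed and index its entries by normalized (vendor, product)."""
    index = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        key = (normalize(entry["vendorProject"]), normalize(entry["product"]))
        index.setdefault(key, []).append(entry)
    return index


def kev_matches(index, inventory, today_iso):
    """Return inventory items listed in KEV, earliest due date first.
    Each result is (cveID, vendor, product, dueDate, days_until_due);
    a negative day count means the CISA due date has already passed."""
    today = date.fromisoformat(today_iso)
    results = []
    for vendor, product in inventory:
        for entry in index.get((normalize(vendor), normalize(product)), []):
            due = date.fromisoformat(entry["dueDate"])
            results.append((entry["cveID"], vendor, product, entry["dueDate"], (due - today).days))
    results.sort(key=lambda r: r[3])
    return results


if __name__ == "__main__":
    for cve, vendor, product, due, days in kev_matches(load_kev(SAMPLE_KEV_JSON), INVENTORY, "2024-02-15"):
        status = f"OVERDUE by {-days} days" if days < 0 else f"due in {days} days"
        print(f"{cve}: {vendor} {product} (CISA due {due}, {status})")
```

In practice the inventory would come from your asset management system and the JSON from CISA's published feed; the matching and due-date logic stays the same.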

Practice Good Password Hygiene: 

Hackers have always loved to guess passwords and to have their malware creations steal them. Did you know that tens of billions of people's login names and passwords are exposed on the Internet, where anyone can see them and try them? Even if those passwords are not the user's current passwords, the former login information often reveals patterns that hackers can use to guess the current ones. The single best password defense is to use a different password on every website and service. Since the average person has over 170 websites and services they log into each year, a password manager is the way to go. Use a password manager to create a different long, complex password for every website and protect your information.

Use Multi-factor Authentication: 

Wherever you can, protect valuable data using multi-factor authentication (MFA). MFA can be hacked and bypassed by experienced hackers, but using good MFA eliminates at least 20% of hacking attacks according to research by Gartner. Here is the big caveat: the whole reason you need to move to MFA is to prevent hackers from social engineering you out of your password, yet 80% to 90% of MFA can be easily socially engineered around. Pick an MFA solution that cannot be easily defeated or bypassed by a simple phishing email. There are varieties (e.g., FIDO2-based, BeyondIdentity.com, OKTA, etc.) that are harder to social engineer around; therefore, our advice to our clients is to pick a strong MFA solution. There is no point in moving to an MFA that is easily socially engineered, as it defeats the purpose, and, as with most cyberattacks, the mitigation plans are costly and the damage can at times be irreparable.

In conclusion, the key is to recognize that you as an individual are responsible for the data privacy and security of yourself and of the organizations you work for or interact with. As part of your security awareness, always consider the following:

For Individuals – Keep It Private 

  • Understand the privacy/convenience tradeoff - Make informed decisions about whether to share your data with certain businesses by considering the amount and type of personal information that they may be requesting and weighing it against the benefits you may receive in return. 

  • Manage your privacy - When using an app or setting up a new account, check the privacy and security settings and set them to your comfort level. 

  • Protect your data - Keep your data secure by creating long unique passwords and storing them in a password manager. Add another layer of security by enabling multi-factor authentication, when possible, especially on accounts containing sensitive information.  

For Organizations – Respect Privacy 

Here are some actions you can take to assess your data privacy risk:  

  • Conduct an assessment – Does the company follow reasonable security measures to keep your personal information safe from inappropriate and unauthorized access? Does it make sure that the personal data it collects is processed in a fair manner and for relevant, legitimate purposes?

  • Adopt a privacy framework – Has the company researched and adopted a formal privacy framework to manage risk and create a culture of data privacy by building privacy best practices into their business operations? 

  • Educate employees – Does the company create a culture of data privacy by educating its employees about their obligations to protect your personal information?

Let’s all fight the good fight against hackers and malware! 

Contact Leigh Consulting at www.leighconsulting.com to learn more about how we can help you with cybersecurity and put a mitigation plan in place tailored to your needs!

Dr. Ralph B. Manyara  

Head of Leigh Consulting – Digital Platforms and Cybersecurity services 
