Each year, January 28 marks Data Privacy Day, the day dedicated to the protection of personal data. This date gives all of us an opportunity to consider what we can do in our professional lives to encourage privacy, data protection and trust-based interactions.
Here are, in our experience, the three main opportunities for improvement in this area:
Number one: Sharing passwords and devices in the office and at home
Many of us have numerous passwords for accessing work devices, platforms, shared files, etc., but we have found that 25% of French people have shared their professional passwords with a colleague or a member of their family. This increases the risk of passwords falling into the wrong hands, opening access to sensitive corporate data. Once a hacker has recovered at least one password, he may hold the "open sesame" that lets him into the personal life of his victim as well as into the systems of the victim's employer.
During 2020, many companies made an effort to move their employees to remote work, adopt new tools and implement new working methods. But this approach left many cyber security risks unaddressed. It has prevented IT teams from having full visibility into who has access to what, compromising their ability to help employees minimize the risk of being hacked due to bad habits such as password sharing.
Providing employees with simple tools such as security training sessions, password managers, and a way to automatically reset their credentials without calling on IT can be extremely effective in eradicating these bad behaviors.
Number two: Ignoring differences in compliance
The Brexit deal is signed, but many businesses remain uncertain about how the new UK-EU relationship will affect their processes and compliance requirements.
Brexit has also prompted some multinational companies to rethink their human resources strategy globally and to set up teams spread across different geographic entities, each with its own compliance requirements. These moves carry an inherent security risk: access has to be added, removed or reconfigured as employees are redeployed to different sites with new functions. Without a strong security strategy and the right tools in place to control how access is granted within an organization, complexity increases and the exponential growth of access points can quickly overwhelm a security team.
The answer to preventing these compliance gaps from widening is to ensure better visibility into all access in an organization. This involves using automation whenever possible to support routine tasks and access control.
Number three: Failing to take into account that identity is a main attack vector
For many types of cyber attacks, from phishing to major intrusions, identity is the "gateway". In recent years, many organizations have shifted from the traditional firewall-based approach to a zero trust approach, which applies to all users, whether inside or outside the company. Zero trust has enabled many organizations to better manage access to their applications and files. This has reduced the risk of accidentally allowing access to a compromised account or to a hacker operating incognito.
The next step is to understand how identity can play a role in defending against a threat coming from within, whether malicious or accidental. Within an organization there are often special cases of users whose quantity, quality or variety of access is greater than that of an average employee. This can sometimes be the result of a particular function involving several departments, revealing a group of users who are at greater risk of being targeted by cyber criminals and could benefit from a higher level of control and support from security. On the other hand, this group could contain employees who have accumulated more access rights than necessary while moving from one function to another. Companies can prevent this kind of risk through a rigorous and regular review of access rights within their organizations.