Data breach is costly, spend on security

In a widely connected world with ubiquitous data, one of the hottest topics is consumer privacy and data protection.

The need to feel confident in the privacy and confidentiality of personal information has driven a new awareness amongst the common ‘non-tech’ consumers. Any slight rumour concerning a data breach quickly catches on with consumers, resulting in catastrophic financial losses and, to some greater extent, the apps and or company in question quickly takes a nosedive into oblivion.

Any system is hackable and the threat landscape and hacking techniques are constantly evolving. In the case of the Equifax data breach in the United States, for instance, millions of customer records were stolen by hackers.

In the recent Cambridge Analytica scandal, the British firm collected more than 87 million Facebook users’ personal information and allegedly used it for targeted political advertising.

THIRD PART APP

Arguably, some may say the offensive third party app simply exploited a loophole to collect information not only from users of their app but also all others in those users’ friends network on Facebook. However, many still consider this a privacy breach, resulting in several anti-Facebook campaigns, such as the viral #DeleteFacebook hashtag on Twitter.

The financial impact of this scandal is yet to be witnessed but the firm will definitely have to invest more in its security division and make major changes in its privacy policies.

Organisations can apply various security best practices to fulfill their responsibility of protecting consumers’ data online. Every company handling consumer private data needs to set up effective endpoint, network and email security to effectively filter out suspicious traffic, malware, spam and dangerous file types. Installing end protection software and secure web gateways also helps to identify and stop exploit kits before they infect IT assets.

INTERNAL SECURITY

They also need to come up with effective internal security policies regarding their IT assets — including a data protection one that guides employees on how to handle and protect consumer data. Other security protocols that should be included in a standard security policy include password management policies, access controls and management, device policies and so on.

Online platforms should also consider employing strict privacy policies that will assist in building trust with their consumers.

They should also train employees on how to utilise the protocols in the policy. One of the weakest links in any system is the human element and no amount of high-tech security infrastructure can help thwart that threat.

With employee training, the staff learn how to detect suspicious activities such as phishing emails, how to secure their passwords, handling customer data requests and, most importantly, how to use company devices securely to prevent hacking.

CORPORATE NETWORKS

Network segregation is one of the ingenious methods used to secure large corporate networks from online hacks. Hackers always want to get as much information by penetrating deep into the corporate network and accessing databases, point-of-sale terminals and secure servers.

By breaking down the corporate network into segments, each protected by a firewall, several security layers are created. Segregation treats the separate networks as potentially hostile to one another; if one is breached, the others remain secured. 

At times, no matter the network security and intrusion detection measures in place, hackers still gain access to the servers holding consumer data.

To ensure the information remains safe even after successful network breaches, organisations are often required to set up full-disk encryption on all servers, workstations and removable devices. Even if hackers gain access to the data, it is still impossible to decipher the contents.

PROTECTING DATA

So, the question still remains, can consumer data be fully protected? The answer is No. But with the above best practices, companies can ensure they have an optimised security infrastructure that keeps them ahead of the bad guys. However, much as organisations may do a more robust job of protecting our data, we as clients are in no position to actually demand the same from them.

Like most countries, Kenya lacks a central authority, policy or regulation in support of such protection and, therefore, there is lack of liability and ability to sue organisations that poorly secure our data. The gazetted Cyber Security and Protection Bill 2016 fails to articulate consumer data privacy and protection issues and the related penalties. That is why knowledge and choice are important with regard to online privacy.

 Ms Hinga is IT support engineer, Cytonn Technologies. [email protected]