Here are three tips to guide and protect your organization’s data privacy and security policies amid hybrid work arrangements and raging cyberattacks.

With all the new ways people are working, collaborating, and consuming goods and services, data privacy and security have become ever more intertwined. The terms are often used interchangeably, but the key difference is that security is focused on protecting data, while privacy is about safeguarding user identity and how data is used.

As consumers are becoming more aware of the risks of sharing their data and how information can be monetized and mishandled, companies that have a poor data protection reputation have been increasingly placed in the spotlight. For instance, public concerns around data privacy of contact tracing have increased due to reports of the data collected being used for other purposes.

In July 2020, Twitter suffered a breach that led to the compromise of numerous high-profile accounts, including those of Jeff Bezos and Elon Musk. Investigations show that threat actors targeted and successfully manipulated a small group of employees, and used their credentials to gain access to administrative tools. With access to internal systems, the attackers hijacked Twitter accounts and posted messages meant to trick social media users into donating Bitcoin payments to fraudulent causes. The attack highlights the risks of unsecured privileged access to critical applications, and how external attackers and malicious insiders can use them to access critical data assets. The incident is also a reminder of how quickly any credential or identity can become privileged under certain conditions.

Whether we are talking about protecting user data or upping the identity security game for users, failure to secure data assets can cause financial impact and erode customer confidence and brand reputation.

To help organizations safeguard their data, here are three tips to consider:

  1. Protect against rising insider threats
    Saving passwords in browsers, downloading unsanctioned apps or sharing sensitive files via collaboration tools can put data and systems at risk. With the increase in phishing and social engineering attacks, successfully deceiving just one user is sufficient to compromise a company’s entire system. By getting access to an endpoint, an attacker can establish a foothold inside the organization, escalate privileges and masquerade as a privileged insider.

    While most insider threats are accidental, times of significant change can also fuel malicious insider attacks. If privileged access has not been properly managed, it is easy for a disgruntled employee or financially motivated former contractor to use unrevoked credentials to bypass security measures legitimately.
  1. Secure cloud environments
    Software-as-a-service (SaaS) solutions provide fast, streamlined ways for employees to connect and collaborate, store information and get their jobs done. Moreover, scalable SaaS tools can help IT teams since they are easy to deploy, cost-effective and eliminate infrastructure headaches. However, cloud-based solutions also serve as another attack vector as privileged credentials live across cloud resources. A robust Privileged Access Management (PAM) strategy should secure environments where privileges exist—from SaaS applications, cloud management consoles, custom-built applications and cloud infrastructure to endpoints and on-premises environments.
  1. Secure employee endpoints
    With the rise in remote working, securing employee workstations is more important than ever. Giving remote workers local admin rights allows them to download and install programs, connect and install devices and access corporate systems and information without having to go through IT or security teams. These are the exact same privileges that make Bring-Your-Own-Device (BYOD) set-ups risky. Organizations can enhance employee endpoint security by implementing least privilege access, credential protection solutions and app monitoring tools.

These tips are relevant all the time, but are of special significance during Privacy Awareness Week (PAW), an initiative by the Asia Pacific Privacy Authorities (APPA) held annually in different regions at different times of the year, to promote awareness of data privacy and personal data protection issues.