How to Prevent Data Breaches in Organizations


  • Brian Levine

    Cybersecurity & Data Privacy Leader • Founder & Executive Director of Former Gov • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator • Posts reflect my own views.

    14,419 followers

    On a near weekly basis, I read about breaches where much of the exfiltrated data was old data that the organization had no real reason to retain. See, e.g., https://lnkd.in/eaX53AWQ and https://lnkd.in/e4pVA6bT. According to IBM's 2023 Cost of a Data Breach Report, breaches cost organizations an average of $165 per record breached. Report at 2. That means that purging 100,000 records of unnecessary data could save you $16.5M in the event of a breach. Here are five tips:

    1. PRACTICE DATA MINIMIZATION: Organizations should practice "data minimization." This means only collecting data that you have a good business reason for collecting and purging unneeded data when it is no longer needed.

    2. ARCHIVE DATA OFFLINE: In one recent example, the breached company apparently "ceased operations in December 2022 but, to comply with legal obligations, . . . maintained an archived copy of data previously stored on its computer systems." See https://lnkd.in/e4pVA6bT. To the extent you are only retaining old data to satisfy regulatory requirements or just "in an abundance of caution," consider storing the data completely offline, so it is less likely to be breached.

    3. CONDUCT A DATA MAPPING: These days it is common for data records to be duplicated in many places across an organization. Thus, consider conducting a regular "data mapping" to ensure that you know where all of your sensitive data is located, that you are adequately protecting it, and that you are purging it when appropriate.

    4. IMPLEMENT A WRITTEN POLICY: Be sure to document your data retention and destruction policy in a written policy, and train your employees on the policy regularly. Remember to update the policy to reflect the changing realities in your organization.

    5. OVERSEE THE DESTRUCTION OF DATA: Finally, when you destroy data, take reasonable steps to ensure that the data is actually being destroyed. One bank was recently fined $60M for failing to properly oversee a vendor responsible for purging personal data from digital devices. See https://lnkd.in/eutKzpU7.
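The retention and destruction-oversight points in the post above can be turned into a small, checkable routine. The following is an added example, not code from the post or its author: it applies per-category retention periods to a set of records, estimates the breach exposure removed by purging (using the $165-per-record figure the post cites), writes a digest-protected destruction manifest, and verifies after the purge that nothing on the manifest survived. The record categories, retention periods, and sample records are constructed for the demonstration and are not a recommendation.

```python
"""Retention enforcement with a verifiable destruction record.

Added example, not from the post. Assumptions: records carry a category
and a "last needed" date, and the per-category retention periods below are
illustrative. The $165-per-record cost is the IBM 2023 figure cited.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

COST_PER_RECORD_USD = 165  # average cost per breached record (IBM 2023, as cited)

# Illustrative retention periods in days per data category (assumption).
RETENTION_DAYS = {
    "customer_account": 2 * 365,
    "support_ticket": 365,
    "marketing_lead": 180,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_needed: date  # last date there was a business reason to keep it


def plan_purge(records, today):
    """Split records into purge / keep / unclassified.

    Unclassified records have no documented retention rule, which is the
    gap a data-mapping exercise is meant to close.
    """
    purge, keep, unclassified = [], [], []
    for rec in records:
        limit = RETENTION_DAYS.get(rec.category)
        if limit is None:
            unclassified.append(rec)
        elif today - rec.last_needed > timedelta(days=limit):
            purge.append(rec)
        else:
            keep.append(rec)
    return purge, keep, unclassified


def avoided_exposure_usd(purge):
    """Breach exposure removed by purging, using the cited per-record figure."""
    return len(purge) * COST_PER_RECORD_USD


def destruction_manifest(purge):
    """Sorted IDs handed to the destruction process plus a SHA-256 digest,
    so the manifest itself cannot be quietly altered afterwards."""
    ids = sorted(rec.record_id for rec in purge)
    digest = hashlib.sha256("\n".join(ids).encode("utf-8")).hexdigest()
    return {"count": len(ids), "ids": ids, "sha256": digest}


def verify_destroyed(manifest, remaining_ids):
    """Return manifest IDs still present after the purge (should be empty)."""
    return sorted(set(manifest["ids"]) & set(remaining_ids))


# Constructed sample data for the demonstration.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "customer_account", date(2021, 1, 1)),  # long past retention
    Record("r2", "customer_account", date(2023, 12, 1)),
    Record("r3", "marketing_lead", date(2023, 10, 1)),   # 244 days > 180
    Record("r4", "support_ticket", date(2023, 9, 1)),
    Record("r5", "legacy_export", date(2019, 5, 5)),     # no retention rule
]


def run_example():
    purge, keep, unclassified = plan_purge(SAMPLE_RECORDS, SAMPLE_TODAY)
    manifest = destruction_manifest(purge)
    # Simulate a vendor that reported a purge but left r1 behind; the
    # post-purge check is what surfaces it.
    still_present = verify_destroyed(manifest, ["r2", "r4", "r1"])
    return {
        "purge": [r.record_id for r in purge],
        "keep": [r.record_id for r in keep],
        "unclassified": [r.record_id for r in unclassified],
        "avoided_exposure_usd": avoided_exposure_usd(purge),
        "manifest_sha256": manifest["sha256"],
        "not_destroyed": still_present,
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The manifest is the artefact to keep alongside the vendor's destruction certificate; re-running `verify_destroyed` against a fresh inventory of the store is the oversight step, and any ID it returns is a finding rather than an assumption that the vendor did the job.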

  • Sam Castic

    Privacy Leader and Lawyer; Partner @ Hintze Law

    3,636 followers

    The Federal Trade Commission recently announced a #datasecurity and #marketing consent decree with a B2B security company. Here are 4 areas to focus on for your org's security, marketing, and vendor management ⬇️

    The FTC alleged the company had inadequate security practices to protect business customer data, and did email marketing that violated CAN-SPAM. It also alleged the company made false claims about security practices and compliance with HIPAA and Privacy Shield. The complaint details how it suffered multiple threat actor intrusions into its network resulting in the threat actor accessing live video feeds on its business customer sites, and exfiltrating gigabytes of customer data, including site floor plans, camera image and audio recordings, employee details, and wi-fi credentials. It also claims the threat actor was able to do #facialrecognition searches, potentially on people at customer offices and sites. The company agreed to pay a $2.95M penalty, and to 20 years of remedial obligations for its data security and marketing practices.

    To help protect your organization, focus on these areas:

    1️⃣ Security Program. Confirm your organization's security program uses the types of security controls at issue in this case:
    🔹access management controls (unique & complex passwords, role-based access controls, & MFA);
    🔹data loss protection;
    🔹logging and alerting;
    🔹vulnerability management protocols (product security testing, risk assessments, vulnerability scans, and pen testing);
    🔹network security controls (disabling unused ports/protocols; properly configuring firewalls);
    🔹encrypting customer data in transit and at rest; and
    🔹appropriate information security policies and procedures that are followed and trained on enterprise-wide.

    2️⃣ Email Marketing. Have working email unsubscribe functionality and required CAN-SPAM disclosures even in B2B emails.

    3️⃣ Vendor Selection and Contracting. Confirm your vendor selection and contracting process would catch vendors like this one and require appropriate security obligations, breach reporting, and accountability for damages.
    🔹Consider whether spend amounts or assumptions that the vendor wouldn't deal with customer data would skip these reviews or contract provisions.
    🔹The action didn't focus on whether business customers were told their video cameras were accessed and sensitive corporate data was stolen; validate that your organization's vendor contracts would require this.

    4️⃣ Vendor Assurance. Would your organization's vendor risk management approach have verified this vendor actually had the security practices it touted? Consider whether criteria for validating vendor commitments need to be adjusted, such as to require and review independent audit results, or to conduct your organization's own assessment or audit.
    🔹If the allegations are credible, it sounds like the vendor made false security commitments that weren't implemented, so its contractual commitments may have been illusory.

  • AD E.

    GRC Visionary | Cybersecurity & Data Privacy | AI Governance | Pioneering AI-Driven Risk Management and Compliance Excellence

    9,853 followers

    So with the Volkswagen data breach let’s dissect how GRC plays a role and what you can learn —

    • The breach was caused by unsecured Amazon cloud storage. This ties into the importance of learning cloud security fundamentals, such as access control policies, encryption techniques, and continuous monitoring. (Consider studying tools like AWS IAM, CloudTrail, or Config for auditing cloud environments.)
    • The exposed geolocation and sensitive personal information underline the need for strong encryption standards and data anonymization. Learning about data privacy frameworks (like GDPR or CCPA) is essential to ensure compliance and prevent such incidents. (You can explore certifications like CIPT or practical knowledge of encryption tools like OpenSSL.)
    • A delay in identifying and addressing the breach reveals gaps in incident response. Understanding the NIST Incident Response Framework or studying tools like Splunk for Security Information and Event Management (SIEM) can be invaluable. (This is where technical GRC intersects with proactive monitoring and mitigation.)
    • This breach also emphasizes the need for strong third-party risk management practices. So questions like “What controls are in place for vendor data?” or “How often do we conduct vendor audits?” become crucial. (Consider studying frameworks like ISO 27036 or practical tools like OneTrust for managing vendor risks.)
    • Volkswagen’s exposure of personal data brings regulatory scrutiny. Non-technical GRC professionals might work on ensuring policies and training programs align with global privacy laws. (Researching GDPR’s Article 5 on data minimization and confidentiality could be a starting point.)
    • The public and regulatory bodies must be informed quickly and effectively. This highlights the soft skills GRC professionals need: clear communication, structured reporting, and stakeholder management. (Practice drafting incident communication templates as part of your learning.)

    Learning opportunities:
    • Study cloud security basics (AWS or Azure security courses), practice with SIEM tools, and understand encryption protocols. Certifications like AWS Security or Security+ can add value.
    • Focus on understanding data privacy laws (GDPR, CCPA), vendor risk frameworks, and organizational change management. Consider certifications like CIPP/E for privacy or CISA for audit and compliance.
    • Develop skills in risk communication, stakeholder management, and building cross-functional incident response plans. These will ensure you can bridge the gap between technical teams and leadership effectively.

    The Volkswagen breach shows how GRC is a balance of technical and strong policy implementation. https://lnkd.in/eZn6PyUy
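The first bullet of the post above attributes the exposure to unsecured cloud storage and points at access control policies and AWS Config as things to learn. The following is an added example, not code from the post or its author, showing the concrete check behind that advice: an offline linter that reads an S3 bucket policy document, flags Allow statements whose Principal is anyone, and reports which of the four S3 Block Public Access settings are not enabled. The bucket names, role ARN, VPC endpoint ID and policies are constructed placeholders for the demonstration; the policy structure, condition key and setting names are the real AWS ones.

```python
"""Offline check for publicly accessible S3 bucket policies (added example).

Not from the post. Lints a bucket policy document for statements that grant
access to everyone, and checks Block Public Access settings. All bucket
names, ARNs and IDs below are constructed for the demonstration.
"""
from __future__ import annotations

import json

# The four S3 Block Public Access settings; all must be true to be fully on.
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for both spellings of an anonymous principal: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy):
    """Return Allow statements whose Principal is anyone.

    A statement with a Condition is reported as "review" rather than
    "public": the condition may restrict access (e.g. to a VPC endpoint),
    but that needs a human look instead of an automatic pass.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", ""),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "severity": "review" if stmt.get("Condition") else "public",
        })
    return findings


def block_public_access_gaps(settings):
    """Names of Block Public Access settings that are missing or false."""
    return [name for name in BPA_SETTINGS if not settings.get(name, False)]


# Constructed sample: an open read policy of the kind behind many cloud
# storage exposures, a hardened policy scoped to one role, and an anonymous
# principal limited by a VPC endpoint condition.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-telemetry-export/*"}]
}""")

HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AnalyticsRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-analytics"},
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-telemetry-export/*"}]
}""")

CONDITIONED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-telemetry-export/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]
}""")


def run_example():
    """Lint the three constructed policies and a partial Block Public Access config."""
    return {
        "open": find_public_statements(OPEN_POLICY),
        "hardened": find_public_statements(HARDENED_POLICY),
        "conditioned": find_public_statements(CONDITIONED_POLICY),
        "bpa_gaps": block_public_access_gaps(
            {"BlockPublicAcls": True, "IgnorePublicAcls": True}),
    }


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

In practice the policy document comes from the `Policy` field returned by `aws s3api get-bucket-policy` (a JSON string to pass through `json.loads`) and the settings from `aws s3api get-public-access-block`; a "public" finding on a bucket without all four Block Public Access settings enabled is the configuration this post's first bullet is warning about, and the same condition is what an AWS Config managed rule for public read access evaluates continuously.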

  • SAMUEL UDOH

    GRC & Data Privacy Expert | Safeguarding Information & Reducing Risk for Large Organizations | GDPR, CCPA, NIST, HIPAA, ISO

    5,998 followers

    🌟 Breaking Down The Data Protection Impact Assessment (DPIA) Methodology 🚀

    🔍 Understanding DPIA: A Data Protection Impact Assessment (DPIA), also known as data protection impact assessment or privacy impact assessment, is a vital assessment for mitigating risks to data processing inputs and outputs and for following privacy liability laws like GDPR and DPDP. It enables organizations to take proactive steps to mitigate privacy risks, and serves as evidence of accountability in the handling of personal data.

    💡 Detect integrated with DPIA: A breakdown of the DPIA methodology.

    1️⃣ GET READY TO COLLECT & MEASURE YOUR DATA: Step 1: Identify All Data Processing Activities. If your goal is to build a loyalty program based on customer data, for instance, you will need to document the varieties of data you are acquiring and from where it is obtained.
    2️⃣ Identify risks & benefits of data processing: Assess the potential risks to privacy (e.g. information breaches) and balance them against the business-related advantages, such as better insights about your customers.
    3️⃣ Must assess necessity, proportionality and legality of data processing: Ensure the service processes data in accordance with the law and only for the purpose indicated. Do not request unnecessary information such as marital status for a delivery service.
    4️⃣ Assess technical & organizational security arrangements: Use the right protections, such as encryption, access controls and employee training to secure sensitive data such as health records or financial information.
    5️⃣ Conduct the DPIA: Descriptive configuration and mitigation for data flow and risk analysis. This step ensures compliance with data subject rights and privacy for the processing activity.
    6️⃣ Document your DPIA findings: Reflect all observations, risks identified, and practiced mitigations. This record demonstrates your organization’s commitment to privacy compliance.
    7️⃣ Enforce data protection: Establish the recommended privacy and security controls in the operations. For example, use two-factor authentication for systems that store sensitive data.

    📚 Example in Action:
    --Think about a healthcare provider rolling out a telemedicine platform.
    --In preparation, they map the data from patients to physicians.
    --Identify risks, such as unauthorized access to medical records.
    --Make sure you grant permission to use your data.
    --Protect patient data in transit and at rest through encryption.

    As part of the DPO role, the DPIA needs to be done and documented for the product, and the necessary controls deployed so that the product is compliant. #privacy #impact #assessment #DPIA #governance #PII #data #information

  • The 2025 Verizon Business Data Breach Investigations Report (DBIR) is here, and it delivers critical insights into the shifting cybersecurity landscape. For Enterprise and Public Sector business decision-makers, understanding these trends is crucial for protecting your organizations and the communities we serve. Here are some key findings from the report that rose to the top for me:

    - Exploitation of Vulnerabilities Surges: A 34% increase in vulnerability exploitation, with a focus on zero-day exploits targeting perimeter devices and VPNs, demands heightened vigilance and proactive patching strategies.
    - Ransomware Remains a Persistent Threat: Ransomware attacks have risen by 37%, now present in 44% of breaches. Enterprise and Public Sector entities must bolster their defenses and incident response capabilities.
    - Third-Party Risks Double: Breaches involving third parties have doubled, highlighting the critical importance of supply chain security and robust vendor management programs.
    - Espionage-Motivated Attacks Rise: We're seeing an alarming rise in espionage-motivated attacks in sectors like Manufacturing and Healthcare, as well as persistent threats in Education, Finance, and Retail. Public Sector entities are also at risk.
    - Credential Abuse Continues: Credential abuse remains a leading attack vector, emphasizing the need for strong authentication, multi-factor authentication, and continuous monitoring.

    For Enterprise and Public Sector organizations, these findings underscore the need for a multi-layered defense strategy, including:

    - Robust Vulnerability Management: Implement timely patching and vulnerability scanning.
    - Enhanced Security Awareness Training: Address the human element and reduce susceptibility to social engineering.
    - Strengthened Third-Party Risk Management: Thoroughly vet and monitor vendors and partners.
    - Advanced Threat Detection and Response: Invest in technologies and processes to detect and respond to threats quickly.

    The 2025 DBIR provides actionable insights to help us navigate these challenges. To dive deeper into the findings and learn how to enhance your organization's security posture, visit: https://lnkd.in/eXdHUYVM #Cybersecurity #DataBreach #EnterpriseSecurity #PublicSector #DBIR #Ransomware #ThreatIntelligence #VerizonBusiness #PublicSectorSecurity Verizon Jonathan Nikols | Daniel Lawson | Robert Le Busque | Sanjiv Gossain | Maggie Hallbach | Don Mercier | Chris Novak | Alistair Neil | Ashish Khanna | Alex Pinto | David Hylender | Suzanne Widup | Philippe Langlois | Nasrin Rezai | Iris Meijer
