Pratum Blog

Data Security vs. Data Privacy

Security and privacy seem interchangeable to most of us. Cover one, and you’ve checked both boxes, right? Not exactly. Think of them more like the Yin Yang symbol. When you talk about data security vs. data privacy, you’re talking about two interrelated, but distinctly separate concepts.

And knowing the difference grows more important each month as nearly every organization evolves into a repository for Personally Identifiable Information (PII). That means that if you’re not thinking about your specific data privacy policy, you’re leaving your organization vulnerable to fines and lawsuits.

You're probably storing more customer data than you even realize thanks to everyday processes such as scanning business cards into your CRM, using cookies on your website, storing customer satisfaction surveys and more. And the giant data suction hose only gapes wider each month as the Internet of Things (IoT) and 5G’s rollout turn anything with power into a new surveillance node. Various experts predict the number of IoT devices in use by 2027 will reach up to 41 billion. You don’t need a tinfoil hat to see the implications.

Governments worldwide are increasingly committed to holding you legally liable for all that data you’re stewarding. You may not have a Chief Privacy Officer on the payroll yet, but it’s time for someone on the team to start thinking like one. In this article we'll help you understand the difference between data security and data privacy so you can ensure your policies pay attention to both.

So What Is Data Privacy?

An IT adage says that you can have security without privacy, but you can’t have privacy without security. In other words, don’t get cocky about your privacy posture just because you’ve never had a breach.

Security ensures that no one gets unauthorized access to data. But a privacy issue arises when you knowingly give personal data to entities you shouldn’t share it with. Our friends at Facebook or Google provide a familiar example. Even if they have rock-solid security, they’re still selling details about you to advertisers, market researchers and others. That’s a privacy concern. If they DO get breached, they can have both security and privacy incidents.

Thorough privacy policies also address who within your organization has access to data and how clearly you tell customers what you’re collecting and what you’re doing with it.

How to Improve Your Data Privacy Policy

In this rapidly evolving privacy landscape, you’ll need a well-informed team to clarify your responsibilities. Along with a knowledgeable attorney, you should confer with a cybersecurity company such as Pratum on:

  • How evolving privacy laws apply to you.
  • Developing policies that adequately cover both security and privacy. With multiple standards emerging nationwide, it typically takes an experienced professional to write an across-the-board privacy policy you can count on.
  • Understanding what data you’re collecting and how long you retain it, both of which can impact your liability.
  • Training employees throughout your organization on their responsibilities. Your marketing department, for example, plays a key role in your privacy position. And your HR processes should address privacy from an employee’s first day through steps such as granting role-based access, which limits employees to only the data they need to do their job.

The Cost of a Privacy Violation

Every leader should get familiar with the legal concept of a “data fiduciary.” The New York Privacy Act currently working its way through that state’s legislature includes the phrase, and it’s likely to show up in a lot of laws. It requires companies to think about customers’ data the way a lawyer or physician does. Clients divulge their private affairs to you for just one reason: so you can serve them better. Leveraging that data for your own benefit, or even acting recklessly with it, violates your responsibility.

New York’s proposed law is the latest in a string of major new regulations that determine how entities handle information. This presents two key takeaways as you think about data privacy:

  • New data privacy legislation is in the works in multiple states and nations, including big economic players Brazil and India. Californians recently voted to create an agency to enforce its data privacy law. Pratum’s analysts anticipate this being a wakeup call for hundreds of companies that hold data for California customers.
  • Agencies are growing teeth when it comes to fines for data privacy violations.

During the first year of the European Union’s privacy regulations, the EU went light on fines, tempting some companies to risk paying a token penalty rather than invest in compliance.

Then the hammer fell. In 2019, the EU leveled its first big penalty with a $230 million fine of British Airways for violating the law’s requirements. Here in the U.S., Facebook absorbed one of the federal government’s largest penalties ever: $5 billion for violating consumer privacy, which is roughly 7% of Facebook’s annual revenue. You can do the math on how such a fine would impact your bottom line.

Right now, governments are mainly going after big companies. But the Federal Trade Commission’s long list of privacy enforcement actions proves they’re also pursuing plenty of firms that aren’t household names.

Note that some of the root problems that earned fines weren’t nefarious activity so much as crimes of omission regarding basic security hygiene. When the Equifax data breach earned the company a $575 million fine, its key problem was failing to patch its network in response to a known vulnerability, leading to the compromise of 147 million records.

Data Privacy Laws

Anyone in the healthcare or financial industries probably has a working knowledge of privacy regulations, thanks to standards like HIPAA and PCI. But the last two years have brought new privacy regulations to the broader market. Two big ones have set the course for many similar laws coming online:

  • What is GDPR? – The EU’s General Data Protection Regulation took effect in May 2018. You probably noticed its arrival when every website started asking you to confirm use of cookies. Under the law, EU, UK and EEA (European Economic Area) residents now have access to and can correct, delete, and export personal information. The law, designed to provide a unified standard across national borders, applies to anyone who collects data of EU citizens.
  • What is CCPA? – California led the U.S. consumer privacy charge with the California Consumer Privacy Act, which became effective on Jan. 1, 2020. Its influence stems not only from being the nation’s first such law, but from the fact that it applies to any company with customers or computers in California. That ropes in a lot of organizations. Smaller companies are exempted from the law, as it applies only to companies that have more than $25 million in annual revenue, collect data on 50,000 consumers or more, or derive 50% or more of their revenue from selling personal information.

Several states have passed their own privacy legislation, with a wide spectrum of requirements and definitions about controls, categories of covered data, etc. Several lawmakers have been working on concepts for a national framework similar to GDPR to make it easier for companies currently trying to comply with varying state standards.

If you’re ready to have a conversation about how all of this applies to you, contact a Pratum consultant.


In the spring of 2020, IT teams had a matter of days to retool their environments to handle entire staffs working from home. Under normal circumstances, that shift would’ve been rolled out meticulously over years. What security lessons have we learned in the two years of this great experiment? In this recap, we check in on lessons learned about the human and cybersecurity implications of scattering data and workers to any location with a solid internet connection.

Security Upgrades Move to the Front

The work-from-home revolution introduced a host of new data security threats overnight. Employees working remotely log in through unknown WiFi connections, including vulnerable public networks in places like coffee shops. Data moves off corporate servers and into cloud settings. Personal vigilance wanes without the peer pressure of nearby co-workers.

All this gave many IT leaders the motivation (and executive support) to step up security programs during the pandemic. A December 2021 survey from software company Malwarebytes showed that 74% of IT decision makers had implemented new security tools since the spring of 2020, and 71% had implemented new cybersecurity training. As a result, 56% of IT leaders say their environment is slightly or significantly more secure than before the shift to work-from-home. If your security posture looks basically the same as it did in January of 2020, you’re probably leaving a lot of doors open to attackers.

Threats from People You Trust

Even if your team rose to the security challenge, your larger data ecosystem could still pose a problem. Jim Pray, chief technology officer at the Iowa law firm BrownWinick, says many of the cyber attacks his office saw during Covid came in through clients’ systems.

“We saw a big influx of our clients being hit because they weren’t prepared to go to work-from-home. They were getting Office 365 phishing hits, and then the hackers were trying to phish us by using the client accounts,” Pray says.

He’s describing a type of business email compromise scam, a category of cyber crime that exploded over the last two years. In these attacks, hackers take over someone’s email account and pose as a trusted partner. Many of the schemes have fooled workers into sending hundreds of thousands of dollars to fraudulent accounts. And people working from home make easier targets. In the past, an employee may have walked down the hall to confirm a message from a colleague. If that person is working at home, they may just click the link to speed things up.

User Experience Gets Its Due

These attacks illustrate a core fact of cybersecurity: Most cyberattacks start with a social engineering fail, such as an end user opening a malicious email attachment or unknowingly giving their login credentials to a hacker’s site. That means every cybersecurity program rests on enlisting every employee as a frontline defender.

But remote work and the pandemic have heavily eroded users’ cyber wariness. Working off-site can introduce distractions that chip away at anybody’s vigilance over things like fishy-looking emails. Security experts regularly discuss how to overcome the “fear fatigue” that has maxed out the number of things we can worry about at any given moment.

Pratum vCISO Ben Hall urges open conversations about these challenges. “Encourage people to speak to managers about the issues they’re having, whether that’s having trouble accessing things remotely or just feeling like they’re being watched all the time,” Hall says.

Hall points to “shadow IT” as one big issue. Even if you don’t know the term, you know the situation: Numerous security safeguards make your company’s official technology tools a pain to use. So you just put a file on Google Docs and send the link to your co-workers. Hall says companies must face this reality and either make the official tools easier to use or embrace the shadow tools and make them more secure. “If employees are going to keep using Google Drive, consider a business subscription so you can apply some controls around what’s there and how it’s stored,” he says.

“Make it easier while maintaining security,” Hall adds. “Encourage everyone to be vocal and polite to work on the solution together.”

Empowered Users Replace Punished Users

The best security cultures have learned to stop referring to employees as security vulnerabilities (a common IT attitude) and start viewing them as security assets. That’s not just a matter of semantics.

Many employees see phishing tests “as a gotcha,” BrownWinick’s Pray says. That’s understandable considering that some companies have posted lists of employees who fail the test or threatened to fire anyone who fails three tests.

That’s sending the wrong message, Pray says. “We want them to know that we don’t want them to click the tests. We want them not to click the test.” Instead of taking a punitive attitude toward those who fail the test, identify ways to improve their performance next time. “If a lot of employees fail a phishing test, I have to see that as a failure on my part, not the employees’,” Pray says. “So we’ve ramped up our training.”

Key Best Practices

If you’re looking for simple ways to gauge your IT program’s security maturity, check how you’re handling these basic policies:

  • Multifactor authentication – No security move offers a bigger payoff than implementing multifactor authentication (MFA). MFA may seem like a hassle, but it works so well that the market is essentially penalizing those who aren’t using it. For example, Pratum’s Hall says, “If you don’t have MFA in place and you’re looking at cyber insurance, you either won’t get it or won’t get an acceptable premium amount.”
  • Live human communication – Old-fashioned MFA, the phone call, should remain part of your arsenal. Hackers have proven that they can infiltrate email accounts and pose as an executive or a client asking for a payment that goes to a fraudulent account. Teach your employees that if something seems iffy, they should pick up the phone and confirm with the email’s sender that the message is legit.
  • Limited access – Many companies give too many users too much access to the environment. IT teams may be tempted, for example, to give end users administrator rights on their computers to reduce the number of service calls IT gets. But that could let employees install risky software. And if an employee has a lot of network access, a hacker who gets their credentials can go anywhere the real user can. The right approach is least-privileged access, which limits everyone’s access to no more than the files they need to do their jobs.
  • Virtual Private Networks – A VPN lets employees securely log into a company network from anywhere. The issue is that with data increasingly residing in cloud settings such as Microsoft OneDrive, employees may not log into the VPN very often. That’s a problem because critical software updates are typically pushed to end users’ machines when they log into the VPN. That means companies should consider requiring everyone to log into the VPN on a regular basis.

Pratum’s Hall encourages leaders to embrace the inevitability of a changing workforce and find ways to handle it successfully. “We have to control it without being controlling,” he says. “It seems like a hybrid model is going to be a popular one. Encourage your staff to do whatever they need to do their work.”

For help identifying your work-from-home risks and opportunities, contact Pratum to talk with one of our cybersecurity consultants.


Every effective cybersecurity program includes regular tabletop exercises where your team gets to practice dealing with a security incident. And realistic exercises start with choosing a scenario that’s appropriate to your actual security risks. In a recent blog, we shared tips for conducting the tabletop exercise itself. In this post, we share three basic scenarios to get you started on creating the right situation for your exercise.

Note that the scenarios shared here don’t come with answers to each problem. A tabletop exercise isn’t a fill-in-the-blank exam. It’s a convincing simulation that lets your team practice working through your incident response plan and a key way to identify needed changes in that plan. Use these sample scenarios to start crafting situations that will give your team the most realistic experience.

Key Elements for Any Tabletop Exercise Scenario

You’ll find a few common aspects in every good scenario:

  • Custom details – In your tabletop exercise, tailor the scenario to your team by using names of actual employees, the software your team uses, real customers, etc. All this will heighten the realism and help everyone grasp the consequences of something like your top customer calling because your service isn’t working.
  • An unfolding threat – Throw a series of developments and plot twists at the participants to reflect that, in a real-life incident, you never know all the facts upfront.
  • Unavailable personnel – At some point, reveal that whoever is in charge of your team (or a staff member with necessary expertise) is unreachable. This forces everyone to work the problem on their own rather than just saying that they’ll call someone else for guidance.
  • Outside pressure – Throw questions from clients, partners, the media, etc. into the mix to raise the tension and test the communications aspects of your incident response plan.

Essential Questions to Ask in Any Scenario

With any scenario you use, structure the exercise so that participants have to answer the following questions:

  • Does this qualify as an incident?
  • What’s your first step after realizing that something odd is happening?
  • What information/evidence do you need to collect?
  • How do you know what data was compromised/exfiltrated?
  • Who else in your organization needs to be notified and what should be shared internally?
  • How long will it take to recover your data from backup?
  • Do you have talking points ready for staff members who may get calls from customers? When do you proactively notify customers of the problem?
  • What deadlines from your service level agreements (SLAs) are at risk while your system is compromised?
  • Will you pay the ransom?
  • What are your reporting requirements after the incident is over?

Tabletop Exercise Scenario #1: Ransomware

Backstory: You’re a midsize professional services firm with 100 employees, which includes a three-person IT team.

Day 1, 7:05am
After a long holiday weekend, a couple of early birds arrive at work and report to IT that they can’t access files on their workstations or the network drive.

Day 1, 7:35am
IT team members rush to the office and find that numerous files on the server and workstations appear to be encrypted.

Day 1, 7:55am
The only file anyone can open is one that has appeared in every directory. It’s called RECOVER-FILES.txt. Upon review, the team discovers that this is a ransom message and decides to notify the IT leader.

Day 1, 8:05am
The team realizes that the IT leader is on a cruise and unreachable.

Day 1, 3:50pm
Further investigation shows that 80% of your workstations and 50% of your servers and applications were encrypted. Forensic analysis found evidence of data exfiltration and indicated that the threat actors were actively in your network for months before the attack. Recovery will probably take several days or weeks. Not all data is recoverable.
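To give the exercise a concrete first-response artifact, here is an added triage script (not from Pratum’s post) that a small IT team could run at the 7:55am mark: it walks a file tree, locates copies of the RECOVER-FILES.txt note, flags files whose byte entropy looks like ciphertext, and reports the share of sampled files affected, the kind of number needed to answer “Does this qualify as an incident?” The entropy threshold, minimum file size and the sample tree are assumptions constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Note name taken from the scenario; in a real case use the name actually observed.
RANSOM_NOTE_NAMES = {"RECOVER-FILES.txt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune for your environment
MIN_SIZE = 64            # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_tree(root: str) -> dict:
    """Walk a directory tree and summarise ransomware indicators.

    Returns the ransom-note locations, files that look encrypted (high entropy),
    how many files were sampled, and the share of sampled files affected.
    """
    notes, suspicious, sampled = [], [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name in RANSOM_NOTE_NAMES:
                notes.append(str(path))
                continue
            try:
                data = path.read_bytes()
            except OSError:  # unreadable file: skip rather than abort the sweep
                continue
            if len(data) < MIN_SIZE:
                continue
            sampled += 1
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                suspicious.append(str(path))
    share = len(suspicious) / sampled if sampled else 0.0
    return {"ransom_notes": notes, "high_entropy_files": suspicious,
            "sampled": sampled, "affected_share": share}


def build_sample_tree(root: str) -> None:
    """Constructed sample data: a plain-text memo, a random-byte file standing in
    for an encrypted document, and a ransom note in each of two directories."""
    for sub in ("finance", "hr"):
        d = Path(root) / sub
        d.mkdir(parents=True, exist_ok=True)
        (d / "RECOVER-FILES.txt").write_text("Your files are encrypted. Contact us.\n")
        (d / "memo.txt").write_text("Quarterly planning notes. " * 20)
        (d / "report.docx").write_bytes(os.urandom(4096))  # stand-in for ciphertext


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)


if __name__ == "__main__":
    print(run_demo())
```

Entropy alone cannot distinguish encrypted files from legitimately compressed ones (ZIP, JPEG), so treat the count as a triage signal to pair with the note locations, not as proof on its own.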

Tabletop Exercise Scenario #2: Business Email Compromise

Backstory: You’re a family-owned, 60-person company that builds components for large agricultural equipment manufacturers.

Day 1, 4:05pm
The CFO receives an email from the CEO, who is traveling in China. The CEO’s message shares greetings from his wife and mentions how much they enjoyed their time in Beijing. He goes on to say that he has decided to proceed with the purchase of a large piece of equipment that the team has been discussing for weeks. He gives the CFO a bank account to use for the $400,000 payment, and the CFO makes the payment.

Day 5, 8:05am
When the CEO returns to the office, the CFO mentions the purchase to him, and the CEO responds, “I never told you to make that purchase. What are you talking about?” The C-suite calls IT in to investigate whether the CEO’s email has been compromised and where the money went.

Tabletop Exercise Scenario #3: System Compromise/Double-Extortion Ransomware

Backstory: Your company runs a cloud-based sourcing service. Customers log into your portal to order the parts they need to conduct operations each day.

Day 1, 10:02am
A customer submits a support ticket saying that they can’t get into the Admin Console for your service and can’t query data from their database for custom reporting. Your support team attempts to use the service and discovers they can’t get into it either.

Day 1, 10:10am
Your internal team sends the issue to your offshore software development team—and they can’t get into the service either.

Day 1, 3:45pm
Forensic investigation finds a ransom note and also discovers that the threat actor was able to capture cached admin credentials and pivot to other systems and resources.

Day 1, 4:59pm
You realize that the attacker successfully exfiltrated critical data and is threatening to disclose it if the ransom isn’t paid. You haven’t yet determined what data they exfiltrated.

Clearly, each of these scenarios can go in a lot of directions and will give your team plenty of things to discuss. If you’re just starting to use tabletop exercises, you’ll usually benefit from having an experienced third-party expert help develop the scenario and lead your team through the exercise.

Contact Pratum to talk with one of our cybersecurity consultants.
