#RebootYourPrivacy this Privacy Awareness Week

Privacy Awareness Week runs from May 4-10 and presents individuals and businesses with an opportunity to review their data security.

Data theft remains the leading motive for cybercrime and more than half of the world’s population are more concerned about their digital privacy than they were 12 months ago.

And they are right to be concerned, with data breaches becoming more and more commonplace.

Risk Based Security’s 2019 MidYear QuickView Data Breach Report revealed that there were 3,800 publicly disclosed breaches in the first half of 2019 alone.

That meant that around 4.1 billion records were compromised and exposed – and these were just from the breaches that were reported.

The really scary fact is that most data breaches remain unreported, even as countries like Australia roll out mandatory data breach notification legislation.

With data breaches soaring and the cybercriminals getting smarter, this also means that security measures that worked yesterday may not be as effective today or tomorrow.

That is why the theme of this year’s Privacy Awareness Week is #RebootYourPrivacy, encouraging individuals and businesses to take another look at their data security.

Here are some of the ways you can #RebootYourPrivacy and protect against data theft in 2020 and beyond:

Review your onboarding protocols

Compliance begins at the very beginning and the first touchpoint we have with staff, clients and visitors to our business in the digital setting is onboarding.

This is a critical first step where personal data is collected and compliance is essential to keep this information safe.

The first thing to be mindful of is how much personal data you actually collect during this process. While it may seem pragmatic to collect and store as much personal information as possible (as this data can be used to increase sales and targeting), in many cases you do not have a lawful reason to be collecting this data.

That means that if there is a breach, data you had no legal right to hold has been surrendered to a malicious third party, which spells trouble for all involved.

A review of your onboarding process (best performed annually) allows you to navigate this by assessing what data is critical for your business functions.

That way you can assess which personal information is absolutely essential for onboarding and redundant questions can be removed.

It is also essential to check regularly with the Office of the Australian Information Commissioner for any legislative changes to the collection and storage of personal information, as this area is constantly changing.

Implement multi-factor authentication if you haven’t already

In the modern world, passwords are actually a very flimsy form of protection. There are many simple methods cybercriminals use to steal your passwords, including:

This is only a small sample of the methods being used, which highlights how passwords can be ineffectual even if you are changing them regularly.

You want to embrace two-factor authentication at the very minimum, where workers will need to input a password and also authenticate through a secondary method (usually an email or through their phone).

Review your privacy settings and controls and update as required

Ever since digital operations started to take hold in places of work in the 1990s, we have been able to run risk assessments, put in security measures and set-and-forget for a year or two.

Unfortunately, that is no longer the case. Technology and innovation are unfolding at an exponential rate and our privacy controls, settings and measures need to be constantly re-evaluated to ensure they are still viable.

You need to be routinely analysing your business operations, how your privacy controls are working and the latest changes to the Privacy Act to get a clear picture of what is working and what needs to be updated.

Conduct privacy impact assessments (PIAs) on a regular basis

Continuing on from re-assessing and re-evaluating your privacy controls and settings, you also need to investigate how new systems and software are going to impact your data security.

Privacy impact assessments (PIAs) are the process of assessing the impact these new systems will have on your digital work environment and whether they will negatively or positively impact your privacy compliance.

This is not a mandatory practice, but it is required to achieve Australian Privacy Principle (APP) compliance.

Delete and destroy all data on obsolete devices and redundant paperwork

How many old computers, phones, hard drives and other electronic devices does your business have sitting in cupboards, drawers or in storage?

While some businesses have robust methods in place to ensure old devices are properly disposed of immediately, the reality is that we have all been guilty of leaving an errant laptop or smartphone lying around.

Data theft isn’t exclusively conducted on the internet; these old devices can hold essential data that can lead to serious privacy breaches if they fall into the wrong hands.

At the bare minimum, ensure all decommissioned or obsolete devices are thoroughly wiped (a simple format alone does not erase the underlying data) before being put into storage.

This applies to paper records as well. Any documentation that you do not have to keep in your records for legal reasons should be immediately destroyed.

Secure personal information and think twice before giving it out

Securing the personal information of staff, customers and any other party that has a touchpoint with your business’s operations is essential.

The last thing you want is for this information to be stolen, misused, interfered with, lost, modified or to fall into the possession of unauthorised parties.

A clear privacy policy is required that outlines how this information is stored and this must be made available to all customers and on any website where personal information is collected.

Digital data should be encrypted and stored with reasonable security measures put in place to prevent outside intrusion.

And it is important to also remember to secure personal information in physical forms so it cannot be stolen the old-fashioned way.

Any personal data that is no longer required should be destroyed, and physical documents, drives, portable devices etc. should be properly encrypted and secured.

Document and data retention policies and practices should also be reviewed annually at the very least.

Review social media practices

Social media platforms are an essential function of most modern businesses and it is vital that these platforms are included in all reviews and privacy policies.

Customer personal information should never, ever be given out through social media even if you are sure that the person messaging you is the owner of that data.

Social media use changes every year and new platforms are being adopted all the time. Ensure these platforms receive due diligence in relation to privacy before they are used in your business operations.