When it comes to data breaches, organizations are generally informed about the risks and procedures for mitigating them. They can (typically) respond with minimal collateral damage. But the impact a data breach can have on individuals can be devasting; getting back to something that vaguely resembles normality is very challenging. In my work helping these people, I’ve been asked multiple times whether it would help to get a new phone number or even move to a new city.
Helping people vs. companies
There are obviously huge differences between individuals and organizations regarding security. For individuals, there is often a general lack of security awareness and understanding of things like multifactor authentication, security products, and what a big leak can mean for them at a personal level. They can also get complacent about the security of their personal data.
But in the end, even if a person has their tinfoil hat on very tightly, there’s not much they can do unless organizations are taking the right steps to protect their data.
What steps can organizations take to protect personal data?
At the most basic level, communication is key to everything: making it clear to the victims what has been leaked, how they might be affected, and the necessary mitigation actions.
There are several steps that an organization can take to avoid data breaches:
Have effective asset management – You can’t protect what you don’t know you have. For organizations and companies, asset management can be a total nightmare. But it’s important to find servers and services that have not been maintained and regularly updated (since no one knew what they were and who was responsible for them). And what about non-security-related personnel? What accounts do they have and how are they protected? Has the password been reused? Has multifactor authentication been enabled? Small safeguards like these can make a world of difference.
Have an open, up-to-date security culture – It’s crucial to keep employees informed and trained on the latest security issues and how to act appropriately. They are the ones on the front line of defense, after all. In addition, if you notice your organization is targeted by a social engineering campaign, inform your personnel, and monitor the situation. It is also important to keep the culture positive towards information security and encourage employees to come forward if they made a mistake that can affect the security of the organization and its data (we are humans, after all).
Closely monitor (and limit) system access – Keep in mind the principle of least privilege and need-to-know basis! Those can hinder the attacker’s efforts. Don’t grant unnecessary access to those who don’t need it. For example, administrator access is not required for employees who are just answering work emails.
Use strong authentication – Your data is more at risk if passwords are “generic” and easy to guess. Employees must protect their accounts and devices with a strong password and, if possible, additional authentication factors. (But don’t rely solely on biometric authentication when using computers.)
Be cautious while working remotely – Make sure employees back up devices and update operating systems before traveling and working remotely. It’s also a good idea to use a VPN when traveling.
Finally, organizations should have a strategy for helping if access to critical business processes or functions is lost. If a data breach occurs, they need to have open crisis communications with victims, assist with investigations, and hope they don’t get taken to the cleaners!
Thankfully, in many countries, volunteers such those involved with KyberVPK in Finland, have rolled up their sleeves and formed “volunteer cyber fire brigades” to help organizations such as hospitals and schools with cyber-related issues in case of attack. National cybersecurity centers also a good source of information and for people who want to be more secure and aware of information security risks. Victim Support Europe helps people bring victim support to their communities, and the CyberPeace Institute works in collaboration with relevant partners to reduce the harms from cyberattacks on people’s lives worldwide.