Interview With Eduardo Ritegno


Eduardo Ritegno (Buenos Aires, ARG)

Eduardo Ritegno, based in Buenos Aires, Argentina, is a senior IT Manager at BNA (Argentinian National Bank). He is a specialist in Systems Development, Project Management, Audit, Governance, Risk & Compliance, mainly in the vertical finance market. He has worked across the American continent and Spain. He also held the position of Director of the Argentinian Clearing House, and has been a member and Chair of the CRISC Certification Committee at ISACA (Information Systems and Control Association), based in Chicago, US, for consultancy work, and a member of the Certification Board. Mr. Ritegno participated as a team member in writing/reviewing the COBIT 5 professional series, holds two professional ISACA certifications (CISA & CRISC), and is accredited as a Quality Evaluator of Internal Audit (QAR – IIA).
One of Mr. Ritegno’s main concerns is how we, in the corporate world, should manage data risk and keep information/data secured at the highest level. AC Mahendra K. Datu, Chairman of TaboraARGA, was able to interview him during their meeting in the US recently.

Mr. Ritegno, as far as we have learned, you’ve been in the IT industry for quite some time, and you have been witnessing the ups and downs of companies due to their standard IT security practices. What is your opinion regarding the awareness of industry players globally of the importance of paying more attention to their information security?

Independently of the kind of industry or country, I think that the main issues we must never disregard are the following:

– Confidentiality—ensure that transmitted and stored data cannot be read by unauthorized parties

– Integrity—detect any intentional or unintentional changes to transmitted and stored data

– Availability—ensure that users can access resources using all available channels and mobile devices whenever needed.

These are universal concepts that must always be taken into account, no matter what technology is adopted and the cost of implementation. Today many international regulations and frameworks valid for different industries are putting emphasis on these concepts.

“Information is a key resource for all enterprises, and from the time that information is created to the moment that it is destroyed, technology plays a significant role. Information technology is increasingly advanced and has become pervasive in enterprises and in social, public and business environments.” (COBIT 5 introduction excerpt)

Having learned from the NSA case in the United States, which triggered much of the global concern about privacy and data security (and that includes Big Data), what is your recommendation to handle such issues – both individually and at the corporate level?


Individually: Awareness. There is a maxim that says that a person is a “slave of his words (written or spoken) and the owner of his silence (or thoughts)”, but given the need to use electronic media/tools to communicate between ourselves, my advice is to always be cautious when we express ourselves, with due respect, and to be trustworthy.

At the corporate level: Training. Human resources are the most important asset of the company. We usually overlook this aspect, not giving the proper training to our employees to help them counter the threats that they are being subjected to. On the other hand, employees who are not trained in security best practices, and for example have weak passwords, visit unauthorized websites and/or click on links in suspicious emails or open email attachments, are an open gate for receiving all kinds of attacks. Regarding corporate data (also historical bulk data or Big Data stored in data warehouse systems), companies must carefully evaluate, by making a risk assessment, what kind of information/reports is going to be kept on-premises and what is going to be transmitted electronically to third parties or external sites.

Data privacy is better kept with good regulations (internal and external), internal training, and compliance with those regulations. Thus, solid internal policies, revised and updated regularly, are one of the key factors to counter those risks.

Most companies, especially small and medium-scale enterprises, are heavily dependent on the role of social media (Facebook, Twitter, Path, etc.) to increase the impact of their marketing strategy. What do you say about this trend? And what are the safest ways of using social media to do so?

No doubt that nowadays the use of social media is a very powerful marketing and social relationship tool for companies, and is also part of the myriad of electronic channels available. Besides the technology needed to support social media, the most important factor is to set up an internal area and arrange a team of employees having a good knowledge of the mission and vision of the company, its products, corporate/reputational risk and compliance. This training must also include writing skills, in one or more languages, to help them answer and communicate properly. Companies should also establish at least one authorization level before approving and releasing answers/news to the public. Companies can outsource the technology, but must never outsource this specific area. On the other hand, they will never be able to transfer the risk for anything that is improperly communicated on behalf of the company through these channels. In other words, they will always be accountable.

Finally, these electronic channels, being part of the set of electronic channels available, must keep the look and feel of the corporate image, colors and products, as shown on the other electronic or classic channels of the company.

Big Data is currently as big as the issues it brings about, especially when it relates to privacy and security. Some companies make more money by selling customers’ data involuntarily, or without full customer consent. Each country has different policies and regulations on this matter, so it is more difficult to tackle such cases individually, country by country. For instance, you can sell millions of bank customers’ information/personal particulars in one country to another without hassle, all done through advanced digital avenues. What’s your recommendation – or rather opinion – for the corporate world to avoid such cases occurring in their ‘households’?

You are right, today the more a business knows about an individual, the more it can personalize all kinds of services. And people love personalized services; they feel important, they want targeted offers according to their tastes and customs. The sad reality is that in the backend, they are collecting data from many online sources, analyzing and reselling this information. Of course customers’ fears that this information is going to be lost or misused have also increased.

In the particular case of banks, which are highly regulated entities, they usually have very strong security systems in place and regular monitoring that can prevent external attacks. Many concerns about banking customers’ data privacy are related to customer education, to help them identify the low-tech threats that can pose a high risk, like phishing (counterfeit sites linked in an email asking the customer for data that a bank never asks for online) or social engineering. Also, when adding new customers, banks are very careful to comply with AML/BSA regulations, having strong processes and watch lists along with the KYC policy.

I think that sometimes the enemy is inside, as in the case of disgruntled employees, also considered one of the main 6 risks for companies today. Internal attacks are one of the biggest threats facing your data and systems; in particular, members of the IT team with knowledge of and access to networks, data centers and admin accounts can cause serious damage. Regular review of privileged accounts and credentials, “need to know basis” access rights management, logging and tracking of account activities, and employee termination are policies that must be carefully followed.

Also, as a standard practice, implementing DLP (Data Loss Prevention) tools is a good technical solution available for controlling sensitive information leaving the company.
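The privileged-account review described in the answer above (need-to-know access rights, logging and tracking of account activity, and revocation on termination) can be run as a periodic control. The script below is an added example written for this page; it is not the bank's or ISACA's tooling. Every user, role, group, HR record and log line in it is constructed, and the log format, finding codes and 30-day dormancy threshold are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# All data below is constructed for this example; users, groups and log lines are hypothetical.
AS_OF = datetime(2024, 3, 31, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=30)      # assumed threshold for "nobody uses this account"

# Privileged accounts as exported from the directory: who holds which admin groups.
PRIVILEGED_ACCOUNTS = [
    {"user": "agomez", "role": "dba", "groups": {"db-admins"}},
    {"user": "bruiz", "role": "netops", "groups": {"net-admins", "db-admins"}},
    {"user": "cperez", "role": "dba", "groups": {"db-admins"}},
    {"user": "dlopez", "role": "helpdesk", "groups": {"helpdesk-admins"}},
]

# HR roster: employment status and termination date (ISO date or None).
HR_ROSTER = {
    "agomez": ("active", None),
    "bruiz": ("active", None),
    "cperez": ("terminated", "2024-03-10"),
    "dlopez": ("active", None),
}

# Need-to-know matrix: the admin groups each role is entitled to hold.
ROLE_ENTITLEMENTS = {
    "dba": {"db-admins"},
    "netops": {"net-admins"},
    "helpdesk": {"helpdesk-admins"},
}

# Authentication log (constructed), one login event per line.
LOG_LINES = [
    "2024-03-28T08:02:11Z user=agomez action=login src=10.0.5.12",
    "2024-03-29T17:44:03Z user=bruiz action=login src=10.0.7.3",
    "2024-03-12T22:10:45Z user=cperez action=login src=203.0.113.9",
    "2024-01-15T09:00:00Z user=dlopez action=login src=10.0.2.2",
]

LOG_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+)")


def parse_log(lines):
    """Return {user: [login timestamp, ...]} for every login event in the log."""
    events = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "login":
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events.setdefault(m.group(2), []).append(ts)
    return events


def review_privileged_accounts(accounts, roster, entitlements, events, as_of=AS_OF):
    """Return a sorted list of (user, finding_code, detail) tuples."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        status, term_date = roster.get(user, ("unknown", None))
        logins = events.get(user, [])
        last_login = max(logins) if logins else None

        # Termination check: privileged access must be revoked on the last day of employment.
        if status == "terminated":
            findings.append((user, "TERMINATED_STILL_ENABLED", term_date))
            cutoff = datetime.fromisoformat(term_date).replace(tzinfo=timezone.utc)
            if any(ts > cutoff for ts in logins):
                findings.append((user, "ACTIVITY_AFTER_TERMINATION", term_date))
        elif status == "unknown":
            findings.append((user, "NOT_IN_HR_ROSTER", ""))

        # Need-to-know check: admin groups beyond what the role is entitled to.
        for group in sorted(acct["groups"] - entitlements.get(acct["role"], set())):
            findings.append((user, "EXCESS_GROUP", group))

        # Dormancy check: an unused privileged account is risk with no business benefit.
        if status == "active" and (last_login is None or as_of - last_login > DORMANT_AFTER):
            findings.append((user, "DORMANT_PRIVILEGED",
                             last_login.date().isoformat() if last_login else "never"))
    return sorted(findings)


def run_review():
    """Run the review over the constructed sample data."""
    return review_privileged_accounts(
        PRIVILEGED_ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS, parse_log(LOG_LINES))


if __name__ == "__main__":
    for user, code, detail in run_review():
        print(f"{user:8} {code:26} {detail}")
```

On the sample data the review flags four items: one account holding a group outside its role, one terminated employee whose privileged account is still enabled and was used after the termination date, and one privileged account that has not logged in for over a month. In practice the three inputs come from the directory export, the HR system and the authentication log, and the output feeds the periodic access recertification.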

The trend of letting employees subscribe to a BYOD policy (Bring Your Own Device) for the sake of efficiency has invited another challenge in data/information security. Companies embarking on this kind of policy will need extra caution in keeping some sensitive data secured. Any suggestion about this remark?

One of the highest risks in BYOD is data leakage: when subscribing to that policy, the boundaries between work and personal technology are dissolved. Even though the use of personal technology can considerably enhance the business, it also creates a more fragmented technological environment. Currently mobile devices (BYOD) are one of the top 6 security risks for companies, and data theft is one of the highest vulnerabilities of portable devices. Moreover, it becomes very hard for the IS areas at companies to apply consistent security policies and to manage those devices when we admit multiplatform (multi-brand, multi-OS) devices with a single team of agents.

Some companies do not allow the BYOD policy and, instead of that, they distribute their own portable devices configured with the necessary security according to the policy. Besides the technical implications, if BYOD is accepted in a company, they must be sure to have a carefully written BYOD policy. With a good BYOD policy in place, employees are better educated on how to use devices and the companies can better monitor the documents that are being downloaded to employee-owned devices.

What is likely the trend of data insecurity in the years to come, and how shall we get prepared?

Technology is continually evolving, and online information systems are getting more sophisticated, bringing the customer a better user experience. This is a continuous race, where the hackers are also getting more sophisticated. In this context, data security is and always will be one of the main issues. No matter how sophisticated the countermeasures adopted by companies to protect their own information systems against any attack are, the weakest link is still the human being.

Again, awareness and training are necessary ways to prepare ourselves to mitigate data insecurity. Careless or uninformed employees who are not trained in security best practices are also among the top 6 biggest risks for companies today. Training our customers and internal staff is basic, starting internally with Human Resources, having solid policies in place and enforcing compliance. Training employees on cyber security best practices and offering ongoing support is a necessity. For example, some employees may not know how to protect themselves online, which can put sensitive data in danger.

About the ‘Cloud Computing’ trend, what is your opinion?

Cloud Computing is also considered one of the main 6 risks for companies nowadays. Cloud computing is going to grow in certain industry verticals, but will go much slower in others, for example the finance industry. When adopting Cloud Computing, service level and data breaches or data losses are the main concerns. We are talking about security and privacy, thus what information systems are going to be outsourced and what kind of information (sensitive or not sensitive) is going to be posted in the cloud must be carefully evaluated. Risk assessments and BIA analyses, along with process maturity, are the best ways to make the right decision on Cloud Computing.

Regarding the decision to adopt this technology, depending on their size and complexity, some companies opt for using different architectures, such as private or hybrid clouds. Companies must keep in mind that Cloud Computing poses new risks, and they must be able to manage and mitigate some of the inherent risks of Cloud Computing. This new risk scenario, inherent to the cloud model, in some way forces security and risk practitioners to rethink their data security practices and solutions.

One of the best technical defenses against a cloud-based threat is to defend at the data level using strong encryption, for example 256-bit AES, recognized by experts as the crypto gold standard. Retaining the keys exclusively, to prevent any third party from accessing the data even if it resides on a public cloud, is also a good measure.

My final recommendation for any company is to adopt recognized frameworks, standards and good practices for the daily work. A good control environment and control practices must be in place for any company along with solid internal policies, training and compliance. Internal and commercial processes must be evaluated in terms of process maturity, to verify their effectiveness.

In the case of IT, COBIT 5 (A Business Framework for the Governance and Management of Enterprise IT – ISACA) is an integrated framework to take into account: it maps to any available IT standard in the market and can be used as an enterprise integrator to manage several frameworks. Also, the professional series for Information Security, Risk and Audit provide useful practices and activities for those specific purposes.

Overall the COBIT 5 framework provides a sound and comprehensive reference for good practices. In the case of human resources, professional certifications (like CISA, CISM, CGEIT and CRISC) are the best way to have well-prepared professionals who can add value to their companies, and ensure continuous education.
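The data-level defense recommended in the cloud answer above (256-bit AES with the keys retained exclusively by the data owner), together with the confidentiality and integrity goals listed at the start of the interview, as an added example that is not part of the original interview or of any product or framework mentioned in it. The block implements AES-256 in pure Python, checked against the FIPS-197 test vector, runs it in CTR mode and adds an HMAC-SHA256 tag (encrypt-then-MAC) so that any alteration of the stored object is detected before decryption. The keys, the sample customer record and the nonce/tag layout are constructed for the example; a production system would use a vetted library rather than a hand-rolled cipher.

```python
import hashlib
import hmac
import os

# Pure-Python AES-256 (forward cipher only) in CTR mode, with HMAC-SHA256 over the
# ciphertext (encrypt-then-MAC). Written for this example; use a vetted library in production.

def _xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    return ((b << 1) ^ (0x1B if b & 0x80 else 0)) & 0xFF

def _build_sbox():
    """Derive the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):          # generator 3 walks through every non-zero element
        exp[i], log[x] = x, i
        x ^= _xtime(x)            # x * 3 = x * 2 + x
    sbox = [0x63]                 # the inverse of 0 is defined as 0
    for v in range(1, 256):
        inv = exp[(255 - log[v]) % 255]
        s = inv
        for n in (1, 2, 3, 4):    # affine transform: XOR of four left rotations
            s ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def _expand_key(key):
    """AES-256 key schedule: 8 key words expanded into 15 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(8)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]               # extra SubWord specific to 256-bit keys
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def _encrypt_block(round_keys, block):
    """Encrypt one 16-byte block; the state is column-major, index = 4*col + row."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 15):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != 14:                                                       # MixColumns
            out = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                out += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                        a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                        a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                        _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
            s = out
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                     # AddRoundKey
    return bytes(s)

def _ctr(enc_key, nonce, data):
    """AES-256-CTR: XOR data with E(nonce || counter); one call both encrypts and decrypts."""
    rk, out = _expand_key(enc_key), bytearray()
    for i in range(0, len(data), 16):
        ks = _encrypt_block(rk, nonce + (i // 16).to_bytes(4, "big"))
        out += bytes(p ^ k for p, k in zip(data[i:i + 16], ks))
    return bytes(out)

def protect(enc_key, mac_key, plaintext, nonce=None):
    """Return nonce || ciphertext || tag. Both keys stay in the owner's key store."""
    nonce = nonce or os.urandom(12)
    ct = _ctr(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unprotect(enc_key, mac_key, blob):
    """Check the tag first (integrity), then decrypt (confidentiality)."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: object altered or wrong key")
    return _ctr(enc_key, nonce, ct)

def demo():
    """Owner encrypts on-premises; the provider stores an opaque blob it can neither read nor alter."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)          # generated and kept on-premises
    record = b"account=0001234567;holder=J. Perez;balance=12500.00"  # constructed sample record
    stored_in_cloud = protect(enc_key, mac_key, record)
    tampered = bytearray(stored_in_cloud)
    tampered[20] ^= 0x01                                        # flip one ciphertext bit
    try:
        unprotect(enc_key, mac_key, bytes(tampered))
        detected = False
    except ValueError:
        detected = True
    return record not in stored_in_cloud, unprotect(enc_key, mac_key, stored_in_cloud) == record, detected

if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

Only the blob returned by `protect` is uploaded; the provider holds neither the encryption key nor the MAC key, so it cannot read the record, and a single flipped bit in the stored object is rejected by `unprotect` before any plaintext is produced. CTR mode with a fixed nonce must never be reused with the same key, which is why `protect` draws a fresh random nonce for every object.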

Insights: Power For Facing Crisis


By Javier Manendez (San Bernardino, CHILE)

A couple of weeks ago, a friend of mine invited my wife and me to a launch event in another city, for a college that specializes in training leaders. We were very excited about the invitation. Events like this are good opportunities to grow in relationship with friends, and to us this was an opportunity to find out if this new college would be a good opportunity to increase our vision.

During the event, in the middle of one of the speeches, suddenly our host friend asked us to stop everything we were doing, and we went outside of the building to see the eruption of a volcano that had been silent for more than 50 years, just 30 km away.

As we were very close to the volcano, nevertheless at a safe distance, we could see the amazing spectacle of fire, ashes and lightning that nature was giving us.

But suddenly that sensation of excitement and fascination changed to concern and (I dare to say) panic about physical safety for some of the attendees.


We decided to call our daughters (two, 12 and 10 years old) to reassure them that we were OK. The event was suspended for the rest of the day. Most of the attendees decided to leave the building and go back to their homes. Others from outside the city even changed their flight plans and left the city by land as soon as possible.

This could be considered normal in this kind of situation. But I want to invite you to consider for a moment what could be a proper reaction in a scary situation in life (family, finances, job, etc.).

What can we do when there are threatening events for our lives, or our physical or emotional well-being?

1. Do what you can do

When a financial crisis arises there are some things that you can do: review your budget, rationalize some expenses, etc. When a family crisis comes, there are some things you can do to help contain the situation: if there is a relational problem, talking to the other party involved to find a way to a solution, showing love, etc.

2. Don’t try to do what you cannot do

Don’t waste your energy trying to change the things that are beyond your control. You can do something to control your budget, but you couldn’t do anything to control something like the real estate crash of 2011 in the US.

In a financial, family or work wreck, the main question is not “are you doing something to solve it?” (I hope you are!), but “are you feeling guilty for things you cannot control?” Maybe somebody in your team broke your trust and shared something he wasn’t supposed to with the competition. Or in the family, you are facing some wrong decisions of your son/daughter and you can’t do anything to change his/her mind.

There are things you can control. Those are problems to solve. But others you cannot. Those are facts to accept. We have to know the difference between both because this is key to keeping our mind and soul healthy in times of crisis.

If you are passing through situations that cause anxiety and you think you can do something to solve them, do it, but don’t let yourself be led into panic if your efforts are not enough.

I have a friend who grew up on a farm. His father had a barn where, along with the grains, he kept half of the machinery he used for the farm. One night the barn caught fire. The work of 6 months was gone, along with the money invested in the machinery as well. Firemen came to control the spread of the fire but it was too late to save anything of the barn. “My father could have said: well, that’s it! We lost everything,” my friend said, “and regretted it and got depressed about the loss.” The fire was something that he couldn’t control. But there was something he could. The next day he called his neighbors, explained the situation and offered to buy grain on credit and rent some of their machinery to lift up the farm again.

3. Keep your vision in front

A stumble, even a fall, in the business doesn’t mean that what you do is not correct or that it doesn’t have any future. Refocusing in times of crisis often leads to keeping your vision simple. In times of crisis, if you give assignments to your team accordingly (something they can do), probably that will create a good environment for work until you regain momentum.

4. Affirm and challenge your team

In times of crisis, the most that a team needs is the affirmation of the leader. Assure them, to the best of your knowledge, that you will do YOUR BEST to keep them in their jobs. Don’t raise false expectations, but if they see and hear from you that you need them and you will do all that is possible to keep them, that affirmation will give them relief, even if the future looks uncertain.

5. Faith

Believing is not something merely religious. It is the expectation that there is a reward for good actions and motivations even when the panorama looks obscure at this point. For those of us who believe in the supernatural, we know that there is a God who sees everything and who is able to intervene in our favor during times of crisis. Never forget there is a reward for those who proceed with integrity and good motives in life. Maybe not immediately, but it will come if you keep faithful in the crisis.

Have A Great Week!