31 January 2023
Digital data is a gold mine for cybercriminals. Every year, small, medium and large companies fall victim to blackmail following data exfiltration.
When it is not used to commit new cyberattacks (phishing, spear-phishing, CEO fraud), this data most often ends up being sold on the dark web without the knowledge of its owners.
To raise awareness of this matter, the European Union organizes European Data Protection Day every year and is also part of Data Privacy Week celebrated worldwide by professionals and individuals.
Year after year, the digital transformation of companies accelerates. Telework, dematerialization, paperless policies: without our knowing it, our personal data is used daily to provide us with everyday services. Unfortunately, this volume of data is a treasure chest for cybercriminals. In 2022 alone, no fewer than 4,100 data leaks were publicly announced, accounting for a volume of 22 billion records. A startling figure that raises the question of where your data resides.
To raise awareness among professionals and individuals of these serious matters, the European Union recognizes European Data Protection Day on January 28 each year. Relayed by the European Commission, this day is an initiative of the Council of Europe and has existed since January 28, 2007. Now celebrated throughout the world, it is known as “Privacy Day” outside Europe. The objective of this day is to promote the protection of the personal data of individuals within the European Union. It aims to make European citizens aware of the importance of protecting their personal data in order to preserve their privacy. It also aims to promote compliance by companies with the laws and regulations in force to protect personal data, such as the General Data Protection Regulation (GDPR).
Many member countries relay this event. Conferences and workshops are offered to raise awareness of this theme. To complete these actions, the short film "Beyond" was produced by the Council of Europe to raise awareness among the general public of the challenges of protecting personal data and offer them advice on how to better protect themselves.
Phishing and spear-phishing campaigns use victims' personal data to appear legitimate. Whether you are a company or an individual, the risks associated with a data breach are numerous and can have serious consequences:
● Loss of trust: A data breach can lead to a loss of trust on the part of customers, employees and partners of a company that are the victims of a cyberattack.
● Extortion: Stolen data can be used for fraud, such as impersonating a corporate executive (CEO fraud) in order to have an employee carry out a bank transfer without realizing the order is fraudulent.
● Preserve your customers' privacy: By protecting your customer data, you preserve their privacy. You also reduce the risk of fraud and phishing. If your customers' personal information falls into the wrong hands, it could be used to steal identities.
It is therefore essential to take security measures to protect your company's data because as a business leader you are responsible for the security of the data of your customers, employees and partners.
According to Hugues Foulon, CEO of Orange Cyberdefense and Director of Cybersecurity Strategy and Activities for the Orange group: “Faced with increasingly numerous and visible threats, everyone needs to be aware of the risks associated with digital uses”. In fact, 75% of cyberattacks target medium-sized businesses. European Data Protection Day reminds business leaders that they play a central role in ensuring the implementation of good data protection practices. Remember that in the event of non-compliance with GDPR, your company incurs a penalty of up to 20 million euros or 4% of the company's global turnover. In rare cases, the leader can also be prosecuted, with a penalty of between two months and ten years' imprisonment (article 131-4 of the Criminal Code), with or without a fine of at least 3,750 euros.
As a leader, it is difficult to have full knowledge of the subjects that can affect your business. To understand the issues of data protection, here are 4 tips to adopt:
● Stay informed of current legislation: Data protection within an organization is regulated. You should keep track of these laws to anticipate any changes that may affect your business.
● Master the language of data protection: GDPR, anonymization, encryption, authorization, access, sharing. You must understand and master the terms relating to data protection. It is also important to train yourself and your employees in this lexical field.
● Recruit or consider bringing in outside help: Data protection is a complex aspect to manage within a company. It is therefore essential to work with a qualified partner to ensure compliance with regulations. For this, you must define a data controller within your organization. Called DPO (Data Protection Officer), this person can be an employee or a subcontractor.
● Increase your level of security: Many solutions exist to collect and process data securely. You can opt to tighten user rights so that no single account has access to all of the company's documents. Solutions such as Data Loss Prevention (DLP) make it possible to block a sensitive document that is about to be sent outside the organization and to alert you when this happens. Raising employee awareness also helps to reduce risks. Take advantage of this week to organize awareness-raising actions.
Each person plays an important role in building a safer digital society. To ensure confidentiality and data protection, companies must adopt responsible behavior and anticipate threats.
After the training comes the stage of securing your company's data. To help you, here are five examples of actions to implement:
● Train your employees in good security practices: By increasing the level of vigilance of your employees, you reduce the risk of potential human error. Offering cybersecurity awareness and training in best practices for using data in business is more than recommended.
● Set up an information system security policy: By using IT tools within your company, your employees must follow rules and procedures. This policy must be communicated to all employees and must be updated regularly.
● Update your company's operating systems and software: Security vulnerabilities allow cybercriminals to infiltrate your company's network. It's important to update regularly to fix potential security vulnerabilities and protect your company's data.
● Monitor and be alerted when an email address has leaked on the internet: Compromising an employee's user access is one of the means used by cybercriminals to get into your information system. Tools like Have I Been Pwned? allow you to receive a notification when an email address appears in a data breach. As a result, you will be alerted if your address or one of your employees' email addresses has been detected.
Do you think you have been the victim of an intrusion into your information system? To get started, identify the source of the breach so that you know which data has been compromised. Change all of your passwords immediately to protect your accounts and data. Revoke API keys and other session tokens that have access to your information system. Inform the relevant authorities if data has been exfiltrated. Keep in mind that the most important thing is to react quickly in order to contain the threat.
It is rare for a single company to be able to manage a security incident as a whole, so do not hesitate to call on a service provider specialized in incident response (CSIRT).