Privacy Awareness Week runs from May 4-10 and presents individuals and businesses with an opportunity to review their data security.

Data theft remains the leading motive for cybercrime and more than half of the world’s population are more concerned about their digital privacy than they were 12 months ago. And they are right to be concerned, with data breaches becoming more and more commonplace.

Risk Based Security's 2019 MidYear QuickView Data Breach Report revealed that there were 3800 publicly disclosed breaches in the first half of 2019 alone. That meant around 4.1 billion records were compromised and exposed, and these were just from the breaches that were reported.

The really scary fact is that most data breaches remain unreported, even as countries like Australia roll out mandatory data breach notification legislation.

With data breaches soaring and the cybercriminals getting smarter, this also means that security measures that worked yesterday may not be as effective today or tomorrow.

That is why the theme of this year’s Privacy Awareness Week is #RebootYourPrivacy, encouraging individuals and businesses to take another look at their data security.

Here are some of the ways you can #RebootYourPrivacy and protect against data theft in 2020 and beyond: 

Review your onboarding protocols 

Compliance begins at the very beginning and the first touchpoint we have with staff, clients and visitors to our business in the digital setting is onboarding. This is a critical first step where personal data is collected and compliance is essential to keep this information safe.

The first thing to be mindful of is how much personal data you actually collect during this process. While it may seem pragmatic to collect and store as much personal information as possible (as this data can be used to increase sales and targeting), in many cases you do not have a lawful reason to be collecting this data.

That means if there is a breach, data you have no legal right to hold has been surrendered to a malicious third party which spells trouble for all involved.

A review of your onboarding process (best performed annually) allows you to navigate this by assessing what data is critical for your business functions. That way you can assess which personal information is absolutely essential for onboarding and redundant questions can be removed.

It is also essential to constantly check with the Office of the Australian Information Commissioner for any legislative changes to the collection and storage of personal information, as this is dynamic and ever-changing.

Implement multi-factor authentication if you haven’t already 

In the modern world, passwords are actually a very flimsy form of protection. There are many simple methods cybercriminals use to steal your passwords, including:

Credential stuffing

Essentially cross-checking databases of stolen passwords and log-in information against existing accounts and looking for matches.

Phishing

Tricking people into supplying their credentials using fake emails, web pages or social media landing pages that look authentic.

Malware

Malicious software that allows hackers to watch you type your passwords in real-time.

Dictionary attack

Remember being told not to use your birthday, family member names, pet names etc. as your password? That is because hackers have software that works through lists of the most common words used in passwords, guessing until it gets a match.

Shoulder surfing

No technology in this one. The age-old theft method of simply looking over your shoulder as you type in your password and committing it to memory.

This is only a small sample of the methods being used which highlights how passwords can be ineffectual, even if you are changing them regularly.

You want to embrace two-factor authentication at the very minimum, where workers will need to input a password and also authenticate through a secondary method (usually via email or their phone).
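The credential stuffing and dictionary attack patterns described above leave distinct traces in authentication logs. The following is an added example (not from the original article) that classifies each source address by the pattern it resembles and lists the accounts that succeeded during a stuffing burst; the log format and all addresses and usernames are constructed.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2020-05-04T09:00:01 src=203.0.113.7 user=alice result=FAIL
2020-05-04T09:00:02 src=203.0.113.7 user=bob result=FAIL
2020-05-04T09:00:02 src=203.0.113.7 user=carol result=FAIL
2020-05-04T09:00:03 src=203.0.113.7 user=dave result=SUCCESS
2020-05-04T09:00:04 src=203.0.113.7 user=erin result=FAIL
2020-05-04T09:01:10 src=198.51.100.9 user=alice result=FAIL
2020-05-04T09:01:11 src=198.51.100.9 user=alice result=FAIL
2020-05-04T09:01:12 src=198.51.100.9 user=alice result=FAIL
2020-05-04T09:01:13 src=198.51.100.9 user=alice result=FAIL
2020-05-04T09:01:14 src=198.51.100.9 user=alice result=FAIL
2020-05-04T09:05:00 src=192.0.2.44 user=grace result=SUCCESS
2020-05-04T09:05:30 src=192.0.2.44 user=grace result=FAIL
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def parse(log):
    """Yield (source_ip, username, succeeded) for each parsable line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] == "SUCCESS"

def classify_sources(log, min_failures=4, min_users=4):
    """Label each source IP: 'credential_stuffing' (many different usernames,
    mostly failing), 'dictionary' (many failures against one username) or 'normal'.
    Thresholds are assumed values; tune them to your own login volume."""
    attempts = defaultdict(list)
    for src, user, ok in parse(log):
        attempts[src].append((user, ok))
    verdicts = {}
    for src, events in attempts.items():
        failures = sum(1 for _, ok in events if not ok)
        users = {user for user, _ in events}
        if failures < min_failures:
            verdicts[src] = "normal"
        elif len(users) >= min_users:
            verdicts[src] = "credential_stuffing"
        elif len(users) == 1:
            verdicts[src] = "dictionary"
        else:
            verdicts[src] = "normal"
    return verdicts

def compromised_accounts(log):
    """Usernames that logged in successfully from a source flagged as stuffing;
    these are the accounts whose reused passwords should be reset first."""
    verdicts = classify_sources(log)
    return sorted({user for src, user, ok in parse(log)
                   if ok and verdicts.get(src) == "credential_stuffing"})
```

A successful login inside a stuffing burst is the signal that matters: it identifies a reused password that a second factor would have stopped.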

Review your privacy settings and controls and update as required

Ever since digital operations started to take hold in places of work in the 1990s, we have been able to run risk assessments, put in security measures and set-and-forget for a year or two.

Unfortunately, that is no longer the case. Technology and innovation are unfolding at an exponential rate and our privacy controls, settings and measures need to be constantly re-evaluated to ensure they are still viable.

You need to be routinely analysing your business operations, how your privacy controls are working and the latest changes to the Privacy Act to get a clear picture on what is working and what needs to be updated.

Conduct privacy impact assessments (PIAs) on a regular basis

Continuing on from re-assessing and re-evaluating your privacy controls and settings, you also need to investigate how new systems and software are going to impact your data security.

Privacy impact assessments (PIAs) are the process of assessing the impact these new systems will have on your digital work environment and whether they will negatively or positively impact your privacy compliance.

This is not a mandatory practice, but it is required to achieve Australian Privacy Principle (APP) compliance.

Delete and destroy all data on obsolete devices and redundant paperwork

Secure personal information and think twice before giving it out

Securing the personal information of staff, customers and any other party that has a touchpoint with our business' operations is essential. The last thing you want is for this information to be stolen, misused, interfered with, lost, modified or to fall into the possession of unauthorised parties.

A clear privacy policy is required that outlines how this information is stored, and this must be made available to all customers and on any website where personal information is collected.

Digital data should be encrypted and stored with reasonable security measures put in place to prevent outside intrusion. And it is important to also remember to secure personal information in physical forms so it cannot be stolen the old-fashioned way.

Any personal data that is no longer required should be destroyed and physical documents, drives, portable devices etc. should be properly encrypted and secured. Document and data retention policies and practices should also be reviewed annually at the very least.

Review social media practices 

Social media platforms are an essential function of most modern businesses and it is vital that these platforms are included in all reviews and privacy policies. Customer personal information should never, ever be given out through social media even if you are sure that the person messaging you is the owner of that data.

Social media use changes every year and new platforms are being adopted all the time. Ensure these platforms receive due diligence in relation to privacy before they are used in your business operations.