At a glance.
- Update on the ICRC breach.
- Privacy and security as mutually reinforcing.
Update on the Red Cross breach.
As previously noted, the International Committee of the Red Cross (ICRC) suffered a third-party data breach that resulted in the theft of the data of over 515,000 “highly vulnerable” individuals. Many of the impacted individuals are connected to the ICRC’s Restoring Family Links program, which performs the noble task of reuniting family members who have been separated due to conflict, disaster, or migration. CRN Australia reports that all systems connected to the Restoring Family Links program remain shut down as the breach investigation continues. Fortunately, there is still no indication that any of the compromised data has been published.
Privacy and security go hand-in-hand.
The results of a recent Cisco survey showed that 90% of security professionals see privacy as a critical aspect of company operations, and 90% said consumers would take their business elsewhere if they felt their privacy wasn’t being prioritized. It’s clear that privacy and security are becoming increasingly intertwined, and Dark Reading offers advice on how security teams can integrate privacy into their security strategies. Bishop Fox lead researcher Dan Petro says the first step is simply to make privacy a priority from square one. “A lot of people don’t get past step zero,” he says. “They are just trying to make a widget and get it out. The extent to which a company might care about it will depend on financial considerations or the goodness of their hearts, which you don’t always want to depend on.” Cisco’s recent reorganization, which made the chief privacy officer role equal to the chief information security officer, serves as an excellent example of how businesses can put privacy at the heart of their operations. Another key strategy is the implementation of least privilege and zero trust policies to ensure that data is accessible only by the necessary employees. Corey O’Connor, director of products at DoControl, explains, “For organizations adopting the zero-trust security model, extending least privilege to the identity, device, and network levels has become a great way to mitigate the risk of data leakage and noncompliance. Having the right solutions, and the right processes in place will help ensure PII is never exposed to the wrong person.” Other recommendations include building data retention policies with privacy in mind, improving employee privacy training, staying abreast of state privacy regulations, documenting data transfers, and considering agentless technology that protects employee privacy.