When organizations collect sensitive data from their customers or users, securing that data should be a top priority. Companies of all sizes can be vulnerable to financial loss due to cyberattacks, and the trust of their customers is also at stake.
In this article, we explore privacy issues in cybersecurity, including:
- The Impact of Ransomware Attacks.
- Data Privacy Laws.
- How Organizations Protect Their Data.
The Impact of Ransomware Attacks
When hackers steal sensitive data from organizations, they can hold it for ransom in exchange for large payments, sell it to nefarious third parties, or both. This is called “ransomware.” Cybercriminals typically demand a hefty sum in exchange for returning the data, but even if an organization meets their demands, the hackers may demand additional payments.
Ransomware attacks can have large impacts. They can cause states of emergency, as the Colonial Pipeline attack did in 2021, or they can contribute to the closing of a historic institution like Lincoln College.
This is unfortunately an issue that organizations are facing more in recent years. Consider these results from a 2022 report by cybersecurity company Sophos in which 5,600 IT professionals across 31 countries were surveyed:
- 66% of respondents reported that their organization faced a ransomware attack in the last year, representing a 78% increase compared to the previous year.
- Of the organizations that faced a ransomware attack, 46% paid the ransom to recover their stolen data.
- Organizations that paid the ransom recovered, on average, 61% of their stolen data.
- Of the organizations that paid the ransom, only 4% recovered all their stolen data.
Ransomware Attacks Lead to Data Breaches
Traditionally, cybercriminals would encrypt data in a ransomware attack rather than steal it, meaning that organizations would typically only need to worry about paying the ransom or relying on their backup data. Unfortunately, hackers now frequently copy the data before encrypting it, adding the threat of a data breach to the initial risk of data loss.
This new tactic has led to ransomware cases like the 2017 data breach involving the U.S. Office of Personnel Management, which included the release of personal information of more than 22 million government employees, applicants for security clearances, and their relatives. This kind of attack is growing in popularity in industries in which sensitive data is collected. For example, ransomware attacks on U.S. health care organizations resulted in an estimated $20.8 billion in damage in 2020.
Data Privacy Laws
Across the globe, national and state laws aim to hold organizations accountable for protecting private user information. The General Data Protection Regulation has been in place in the European Union since 2018, and notable data protection laws in the United States include the Children's Online Privacy Protection Act and the California Consumer Privacy Act.
These data privacy laws were created to protect consumers who share their data with organizations. For example, the GDPR safeguards demographic information, financial details, web data, and more. Organizations must secure that data and agree to delete it if requested by the user.
The GDPR also regulates the notification timeframe of any data breaches. Under the regulation, organizations have 72 hours to notify all those affected after discovering a breach. Under the articles of the GDPR, businesses must create technical and organization-wide strategies to keep private data safeguarded. Records must be kept that reflect a comprehensive history of data processing, transfers, and consent agreements.
The GDPR applies to anyone living in the EU, but organizations in the U.S. and elsewhere also need to comply if they collect data from anyone in the EU. Some of the GDPR’s most noticeable effects have been websites adding notifications about cookies and companies sending emails about privacy policies.
How Organizations Protect Their Data
Organizations have had to adapt quickly and develop multiple ways to protect their data. One method is called Zero Standing Privilege. With this technique, each user in an organization receives limited-time credentials. Access is granted to that individual for the task's duration and then removed when it’s no longer needed. In this structure, management never gives complete access, only the tools needed to complete an individual task.
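The sketch below is an added example, not code from the original article or from any particular product. It models the Zero Standing Privilege pattern described above as a credential that names one task, expires on its own, and is denied by default. The broker key, the scope strings, the one-hour ceiling, and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real broker would hold its signing key in a KMS or HSM.
BROKER_KEY = b"constructed-demo-key"
MAX_TTL = 3600  # assumed policy ceiling: no grant outlives one hour


def _sign(payload: bytes) -> bytes:
    return hmac.new(BROKER_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue(user: str, scope: str, now: int, ttl: int = 900) -> str:
    """Issue a credential for exactly one task scope, valid for ttl seconds."""
    if scope in ("", "*") or not 0 < ttl <= MAX_TTL:
        raise ValueError("a grant must name one task and a bounded lifetime")
    claims = {"sub": user, "scope": scope, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()


def authorize(token: str, scope: str, now: int, revoked=frozenset()) -> bool:
    """Default deny: allow only a genuine, unexpired, unrevoked grant for this scope."""
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except ValueError:  # malformed token or bad base64
        return False
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return False  # forged or altered claims
    claims = json.loads(payload)
    if token in revoked:  # task finished early, access already removed
        return False
    return claims["scope"] == scope and now < claims["exp"]
```

Passing the finished task's token in `revoked` removes access before the timer runs out, which matches the "removed when it's no longer needed" step.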
Another method used by organizations seeking to protect their data is eliminating bring-your-own-device policies. Companies sometimes allow employees to use their own devices for work purposes, but this can result in higher security risks. Individual devices can have outdated software that makes them vulnerable to attacks. The safer policy is supplying employees with company-owned devices for work.
There are plenty of other methods for organizations to protect their data – including better threat detection, multi-factor authentication and more – and employees should know what to do to protect themselves as well.
Careers in Cybersecurity
Cyberattacks are an unfortunate reality faced by modern businesses, especially since it’s estimated that less than 1% of incidents result in enforcement action taken against the attackers. Cybersecurity professionals play an essential role in safeguarding company data, reducing risks, and avoiding penalties due to non-compliance.
For current and aspiring cybersecurity professionals, education is one of the many ways to stand out when applying for a job, and some schools are offering accelerated options. The need for cybersecurity pros is expected to continue growing; the Bureau of Labor Statistics projects employment of information security specialists to grow 33% from 2020 to 2030.
Here at Columbia Southern University, we offer online bachelor’s degree programs in information systems and cybersecurity, information technology, homeland security, and more. For more information, visit our website.