Virtualization Technology News and Information
The Seven Best Practices for Data Privacy and Cybersecurity


By Rick McElroy, Principal Cybersecurity Strategist, VMware Carbon Black

If the past year taught us anything, it's that people and data are two of the most valuable assets a company can protect. As the pandemic began to spread worldwide, organizations took the proper measures to protect the health of their employees by transitioning to remote workforces. With this sudden shift, many quickly realized there would be new challenges and threats when it came to protecting their data, especially as organizations accelerated cloud adoption. An IDC report indicated that 59 zettabytes of data would be created, captured, copied, and consumed this year alone, with no sign of that slowing down.

The increased diversification of threats online continues to put the security of this data at risk, with cybercrime as a business exceeding $1.5 trillion each year. More personally identifiable information, such as credit cards, birth dates and social security numbers, is being sold on the dark web every day for small dollar amounts, but it costs those impacted by attacks a great deal more. Together, this is jeopardizing consumer and stakeholder trust while creating steep fines and consequences. While data privacy and protection can seem daunting, CISOs, CIOs and all leaders should consider the following best practices to improve both data protection measures and cybersecurity initiatives:

  1. Understand where vulnerabilities lie: Get a baseline understanding of where vulnerabilities lie. A "Red Team" or "Purple Team" (using third party plus in-house security experts) audit and/or cyber-hunt exercise can help expose where systems are vulnerable and where increased controls need to be applied. Pen tests and general audits are also recommended.
  2. Use multi-factor authentication: Multi-factor authentication with "just in time" administration should be deployed to Web servers and servers holding key data. Websites that are accessible to the general public should be reviewed for accuracy continuously.
  3. Deploy application control: Whitelisting on critical servers can help ensure they do not touch the public Internet. Place them in high enforcement and only allow approved programs to run. Stop all unauthorized file or memory modifications.
  4. Create a micro-segmentation strategy: A comprehensive micro-segmentation strategy should be executed again to help protect the business network. Flat networks are much more easily hacked.
  5. Deploy endpoint detection and response (EDR) technology: EDR, as well as non-signature based next-generation antivirus (NGAV), uses unfiltered data to detect and remediate advanced attacks. Remember, the endpoint is the easiest attack surface for hackers.
  6. Secure workloads against modern attacks: Attackers have increasingly been using advanced hacking techniques in order to bypass traditional security tools, allowing them to stay in an organization's data center undetected for weeks on end. Taking advantage of advanced workload protection can block both known and unknown attacks, keeping your most valuable assets safe.
  7. Educate! Stay up to date on the latest attack methodologies and attack vehicles. Ensure that everyone in your network, your administration and your leadership team understands the importance of cybersecurity, how to avoid phishing attacks, and how to maintain a secure environment.

With many hopeful that the vaccine will bring us all back to the office sooner, it's critical that organizations understand the impact this past year has had on the critical need to improve data privacy and cybersecurity measures. A great example of this being put in motion comes from states like California, which in November voted to enact the CPRA, a stricter version of the original CCPA, as a means to strengthen data protection. James Alliband, Security Strategist at VMware Carbon Black, recently noted, "It's never been more important to take on a security-first mindset not just in business, but in personal life as well, for a stronger, more well-rounded security posture. Organizations can help make this possible by providing the necessary, regular training to empower employees, without feeling vulnerable. In the end, it's all about providing people with the proper tools, assets and resources they need to do their jobs safely and empowering them with the knowledge and responsibility to do so." As a privacy advocate, I agree that this type of education could significantly improve the security landscape as it stands now.

Today, CISOs share responsibility for privacy enforcement, adding more pressure to the traditionally strained role. Moving forward, to allow security roles to learn more about privacy, organizations will either have to invest in automation and the proper tooling to bolster cybersecurity measures or appoint Chief Privacy Officers in a new role focused solely on data privacy. Overall, the practices discussed today should serve as a guide for corporations and consumers as we continue to navigate this rapidly evolving digital landscape.



Rick McElroy 

Rick McElroy, Principal Cybersecurity Strategist at VMware Carbon Black, has 20 years of information security experience educating and advising organizations on reducing their risk posture and tackling tough security challenges. He has held security positions with the U.S. Department of Defense, and in several industries including retail, insurance, entertainment, cloud computing, and higher education.

McElroy's experience ranges from performing penetration testing to building and leading security programs. He is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC). As a United States Marine, McElroy's work included physical security and counterterrorism services. His current role takes him all over the world working with organizations to improve their security strategies and speaking on security and privacy.

Published Friday, February 19, 2021 7:46 AM by David Marshall