Data Privacy & Protection – Why you should be concerned

In the digital age, data privacy and protection are major concerns for companies of all sizes, not least because data breaches happen daily and expose the personal data of millions of people.

The consequences of a breach are direct: individuals whose data is exposed can suffer identity theft and financial loss, while companies face financial costs, loss of credibility in the marketplace, and damage to the trust of the public, investors and customers. Regulatory authorities levy significant penalties, and the breached systems and processes are costly to remediate.

Let’s take a closer look at the data privacy and protection landscape:

What is Data Privacy Regulation – Rules on how companies may collect, store and use personal data.

What is Data Protection – Security controls that preserve the confidentiality, integrity and availability of data.

The objective of both is the same: to safeguard sensitive information from data breaches, cyberattacks and accidental or intentional data loss.

Types of data commonly considered sensitive – The categories most commonly treated as sensitive, both by the general public and by legal mandates:

  • Personally identifiable information (PII) – Data that can identify, contact or locate an individual or distinguish one person from another
  • Protected health information (PHI) – An individual’s medical history, insurance information and other private data collected by healthcare providers
  • Personally identifiable financial information (PIFI) – An individual’s credit card, bank account numbers, or personal finances
  • Student records – An individual’s grades, transcripts, billing details, etc.

Personal data protection and privacy regulations: Governments across the world are framing and adopting data protection laws that regulate how personal data may be collected, used, stored and disclosed. Below are common privacy laws that restrict how much data companies may collect and use. Several US states have passed, or are in the process of drafting, their own privacy frameworks:

  • Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH) – Protects individuals’ health information (PHI)
  • General Data Protection Regulation (GDPR) – The EU’s data privacy regulation
  • California Consumer Privacy Act (CCPA) – California data privacy regulation
  • Gramm–Leach–Bliley Act (GLBA) – Limited to consumers’ financial information held by financial institutions
  • Family Educational Rights and Privacy Act (FERPA) – Protects students’ education records

Most common pitfalls in achieving compliance with data privacy regulation:

  • Assuming that current controls, policies and procedures are adequate
  • Lack of a clear understanding of the required industry guidelines
  • Lack of proper policies and procedures for internal users and external vendors
  • Neglecting physical security

How can your company safeguard consumer data from attackers?

Your business may require you to adopt industry-specific security and/or compliance frameworks, but adopting a framework alone does not guarantee data protection. Accorian has helped clients across several industries adopt best practices and achieve industry-specific regulatory compliance.

Best practices to consider:

  • Security Risk Assessment (SRA) – Conduct a comprehensive SRA to identify gaps
  • Know your data – Understand data at rest and data in transit: where sensitive information is collected, how it is used, and whether it is shared with or sold to third parties.
  • Understand how data is stored and backed up – Are your end users storing customer information on their devices? Trace where data is stored and how it is accessed. Develop data use and retention policies, and minimize the personal data you hold according to its value and risk.
  • Standard Policies & Procedures – Our industry-, privacy-regulation- and compliance-specific policy and procedure templates give you a baseline to build on for your needs
  • Protect against unauthorized access – Implement access logging and review the logs periodically; monitor systems for suspicious or unintentional access attempts. Ensure adequate access controls, encryption, antivirus and endpoint protection are in place.
  • Perform periodic risk assessments – Reassess on a regular schedule and ensure the compliance frameworks are adopted across people, process and technology.
  • Security Training – Provide security training to end users as well as the technology team across the organization

Accorian

The days of uncontrolled collection and sharing of personal data are gone. Organizations must store and use financial, health and other personal information with proper customer consent and controls. Our experienced SMEs can guide you every step of the way to protect consumer information adequately and adhere to compliance frameworks; using our best practices and approach, you can implement the needed privacy policies and procedures across your organization.

Our industry experts will provide the most appropriate strategy for business, systems and data security for your needs.

Unsecured APIs – Underlying threat waiting to be realized

APIs & Web Services are essential building blocks of today’s applications. They are not only the connective tissue between applications, systems and data, but also the mechanism that lets developers reuse those digital assets for new purposes. Developers can use these building blocks to integrate advanced functionality and features into their software without designing them from scratch.

Businesses can also integrate in-house and third-party software through reusable APIs to meet partner and customer requirements, improve performance, optimize usage, and so on. The economic benefits and flexibility that APIs offer have led small and medium-sized enterprises (SMEs) to adopt and develop them. For example, if a hospital wants to consolidate patient history from all of its clinicians, it can do so using the APIs those providers already expose; the developer does not need to understand how each API is implemented internally.

These same interfaces can be used to access sensitive information or perform sensitive transactions. An adversary who knows the request format and holds a valid key can access that data too, leading to data leakage. The security risk of an API therefore extends beyond the risks of the underlying protocol (HTTP) or of the calling applications. Most developers rely on frameworks, so framework-specific flaws enter the mix as well.

With more than half of internet traffic consisting of APIs sending or retrieving information from applications, APIs are the new attack surface: one that can be used to incapacitate, or harvest information from, many applications at once. A successful attack campaign can lead to reputation and revenue loss, fines, compliance failures and even a spike in infrastructure costs.

It is critical that developers follow secure coding guidelines to eliminate commonly found vulnerabilities. The cause of a vulnerability can be anything from insecure coding practices, such as hard-coding secrets, to the use of unpatched libraries, so all software and applications and their corresponding APIs should be tested against every plausible threat. While assessing APIs, we have also noticed significant growth in authorization-related vulnerabilities. API endpoints are mostly exposed on the internet, which makes them easier for attackers to reach. When an endpoint authenticates the caller but never checks that the caller is allowed to access the specific object requested, an attacker can guess or brute-force object IDs and pull other users’ records from the server. The OWASP API Security Top 10 lists this as Broken Object Level Authorization (BOLA), and recent attack reports show it to be the most commonly observed weakness in APIs.
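The authorization gap described above, as an added example that is not Accorian’s code: a minimal in-memory records handler written twice, once with only authentication (the vulnerable form) and once with an object-level ownership check (the hardened form), followed by a simulated attacker walking a range of sequential IDs as an authenticated user. The RECORDS store, the user names and the ID range are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed sample data (not real records): sequential integer IDs, as many APIs use.
RECORDS: Dict[int, Dict[str, str]] = {
    1001: {"owner": "alice", "diagnosis": "asthma"},
    1002: {"owner": "bob", "diagnosis": "hypertension"},
    1003: {"owner": "carol", "diagnosis": "migraine"},
}


@dataclass
class Request:
    user: str        # identity established by authentication, e.g. from a validated token
    record_id: int   # object ID taken from the URL path, i.e. chosen by the client


Response = Tuple[int, Optional[Dict[str, str]]]


def get_record_vulnerable(req: Request) -> Response:
    """Authenticated, but with no object-level check: any valid user can read any record."""
    rec = RECORDS.get(req.record_id)
    if rec is None:
        return 404, None
    return 200, rec


def get_record_hardened(req: Request) -> Response:
    """Object-level authorization: the record must belong to the requesting user.

    Returning 404 for both "does not exist" and "not yours" avoids confirming
    to an enumerating client which IDs are valid.
    """
    rec = RECORDS.get(req.record_id)
    if rec is None or rec["owner"] != req.user:
        return 404, None
    return 200, rec


def enumerate_records(handler: Callable[[Request], Response],
                      user: str, ids: Iterable[int]) -> Dict[int, Dict[str, str]]:
    """Simulate the attack from the text: one authenticated user walks a range of IDs
    and keeps every record the handler hands back."""
    leaked: Dict[int, Dict[str, str]] = {}
    for rid in ids:
        status, rec = handler(Request(user=user, record_id=rid))
        if status == 200 and rec is not None:
            leaked[rid] = rec
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    # Bob is a legitimate user; against the vulnerable handler he gets everyone's records.
    print("vulnerable:", enumerate_records(get_record_vulnerable, "bob", ids))
    # Against the hardened handler he gets only his own.
    print("hardened:  ", enumerate_records(get_record_hardened, "bob", ids))
```

The check is deliberately placed in the handler next to the lookup rather than in a separate middleware, because object ownership is only known once the object has been loaded; a framework-level "is the user logged in" guard cannot make this decision.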

APIs are also vulnerable to traditional weaknesses such as injection, broken authentication, sensitive data exposure and security misconfiguration. It is equally important to limit resource usage to defend against denial of service: if no limits are set on request rate, payload size and input parameters, the API or the software behind it can become unresponsive.
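The request limits just mentioned, as an added example that is not part of the original article: a sliding-window rate limiter keyed by client, together with bounds on request body size and on a numeric query parameter, placed in front of a handler. MAX_BODY_BYTES, MAX_PAGE_SIZE, the limit values and the client IDs are assumptions chosen for the example, and FakeClock exists only so the limiter’s behaviour can be shown deterministically.

```python
from collections import deque
from typing import Callable, Deque, Dict, Mapping, Tuple


class FakeClock:
    """Deterministic clock for the demonstration; a deployment would pass time.monotonic."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_seconds` for each client key.

    The key should be something the client cannot trivially change, such as
    the authenticated principal, falling back to the source address.
    """

    def __init__(self, limit: int, window_seconds: float, clock: Callable[[], float]) -> None:
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        q = self._hits.setdefault(client_id, deque())
        while q and now - q[0] >= self.window:   # forget hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


MAX_BODY_BYTES = 4096   # assumed ceiling for a JSON request body
MAX_PAGE_SIZE = 100     # assumed ceiling for a `page_size` query parameter


def guard_request(limiter: SlidingWindowLimiter, client_id: str,
                  body: bytes, params: Mapping[str, str]) -> Tuple[int, str]:
    """Return (status, message): 429 when rate limited, 413 for an oversized body,
    400 for an out-of-range parameter, 200 when the request may proceed.

    The cheapest rejection comes first, so a flood is turned away before any
    parsing happens.
    """
    if not limiter.allow(client_id):
        return 429, "too many requests"
    if len(body) > MAX_BODY_BYTES:
        return 413, "payload too large"
    page_size = params.get("page_size", "10")
    if not page_size.isdigit() or not 1 <= int(page_size) <= MAX_PAGE_SIZE:
        return 400, f"page_size must be an integer between 1 and {MAX_PAGE_SIZE}"
    return 200, "ok"


if __name__ == "__main__":
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit=3, window_seconds=60, clock=clock)
    for _ in range(4):                                   # fourth call in the window is refused
        print(guard_request(limiter, "client-a", b"{}", {}))
    clock.advance(60)                                    # window has passed, allowed again
    print(guard_request(limiter, "client-a", b"{}", {}))
    print(guard_request(limiter, "client-b", b"x" * 5000, {}))
    print(guard_request(limiter, "client-b", b"{}", {"page_size": "1000"}))
```

In production the body-size cap belongs at the edge, before the body is read into memory (nginx’s client_max_body_size, for instance), and the limiter’s state belongs in a shared store so that it holds across worker processes; the in-process version here is meant to show the checks themselves.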

In the healthcare sector, an API that transmits PHI must be secured both in transit and at rest. End-user consent is mandatory before sensitive PHI or PII is shared, and the end user must be able to grant and revoke an API’s permission to access or share that data. These privacy considerations apply when drafting policies, developing APIs and using third-party APIs, and it is equally important to understand the flow of data through third-party APIs. Ensuring that APIs are secure and free of vulnerabilities that could lead to the compromise of the API or its data in turn helps the API meet the requirements set by HIPAA and HITRUST, and so helps the organisation achieve and maintain health data security compliance.

To help organizations that rely on APIs and web services understand their current security posture and protect their information, OWASP has released the API Security Top 10. It also gives organizations a baseline against which to measure their readiness to defend against known vulnerability classes. We recommend an annual penetration test across all APIs and web services to understand the vulnerabilities present in these externally exposed assets, so that issues introduced by changes, or newly detected findings, are identified and mitigated before an adversary exploits them.

Accorian is a full-service cybersecurity partner. We can help protect your data, monitor your networks, conduct penetration tests and provide anti-phishing training for your employees. We have extensive experience in conducting penetration tests and vulnerability scanning for applications (web and mobile), APIs and networks, as well as social engineering assessments.


        Human Resources Director

        Posted On: 09 May, 2022

        Drop your CVs to joinourteam@accorian.com
