To honor National Data Privacy Day on January 28, 2025, we have distilled dozens of possible action items into the most pressing cybersecurity/privacy "hot tips." Immediate action is recommended to help keep your data safe throughout the new year.
1. Prioritize Training on New Data Threats.
Novel approaches to individually targeted "spear phishing," enabled by artificial intelligence (AI), justify security outreach to employees well beyond the longstanding once-a-year security training regime. The recent reality is that too many systems are being compromised through employee responses to threat actors' social engineering, most often an individual employee clicking a link in an email or text from an apparently reliable source (internal firm leaders; health care, insurance or investment companies; state and federal agencies) that downloads malware or captures confidential data or personal financial information. As a priority, companies should implement protocols to advise employees of new threats as they arise and, in doing so, continually reinforce good data hygiene. That includes scanning for red flags such as an external-sender notice on a purportedly internal communication, or oddities in the message wording or the source email address, and independently verifying a message's validity before clicking an emailed or texted link or entering sensitive data in response to an external message.
2. Implement Multi-Factor Authentication.
In addition to compromising passwords through spear phishing (as mentioned above), threat actors have become increasingly effective at obtaining password information by purchasing credentials of previously hacked individuals on the dark web and by cracking weak passwords with sophisticated algorithms. Once a password is compromised, authentication that requires users to verify their identity in multiple ways, that is, multi-factor authentication, is the last and best defense against a system breach.
3. Comprehensively Review Your Security Program to Reflect Your Business Changes and Threat Environment.
Maintaining a strong and evolving written security program is not just the law in Massachusetts and other states; it is an increasingly critical bulwark of individually tailored protections that shields your business and employees from the risk of data loss. Instead of leaving the security program to a once-a-year update process, leadership should regularly consider whether mid-year updates are warranted by experience with new threats, any company breaches or near misses, and any vendor breaches or near misses (such as the 2023 breach of the MOVEit software used by payroll vendors, which affected 60-plus million users). Leadership should also consider whether breach or business risks justify increases in cyber insurance coverage and liability limits.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.