3 Steps to Safeguard Privacy
In the spirit of Privacy Awareness Week 2023, we are sharing 3 tips to safeguard privacy and thereby improve privacy compliance within organisations. These tips are aimed at helping organisations keep the personal information they collect, hold and use, safe. They’re impactful changes that can help to move the needle for privacy.
3 Steps to Safeguard Privacy & Security
Enable Multi-Factor Authentication
Identify networks and systems in your organisation that collect, transmit and hold personal information and ensure they are secure from misuse, loss and unauthorised access and disclosure.
One way of mitigating the risk of unauthorised access to, and disclosure of, personal information is to require users to identify themselves by more than a username and password when accessing your organisation’s systems where the personal information is kept. This can be done by enforcing the use of multi-factor authentication (MFA), which requires users to provide additional verification information (factors) such as one-time passwords (OTPs) or answers to personal security questions. It is a critical control.
Implementing MFA can help organisations minimise the possibility of unauthorised access to personal information and protect against phishing (a very common type of cyberattack that aims to steal a user’s login credentials, usually a username and password) and against compromised passwords. In fact, according to CISA, MFA can reduce an organisation’s risk of being hacked by 99%.
Minimise and Manage API Security Risks
Many organisations utilise application programming interfaces (APIs) to allow systems and applications to interact with each other. APIs are used more than ever to connect systems and transfer personal information and other data between systems. However, APIs are becoming increasingly challenging to secure.
The most critical API security risks include broken API links, unauthorised access, excessive data exposure, improperly configured APIs, and insufficient logging and monitoring. The implications of these risks are huge.
Several of the most serious breaches involving personal information in recent years have been the result of vulnerable APIs. The 2022 cyberattack on the Australian telco Optus shows the danger of lacking visibility over APIs. The incident at Optus reportedly started with the attacker accessing an API server that was not protected with proper authentication.
One way that organisations can get on top of mitigating API security risks is to create an effective API security strategy: build an API inventory so that every API type can be validated automatically, test APIs and their access controls regularly, and log and monitor API access.
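To show how an API inventory and access logging work together in practice, here is an added example (not code from the original post or from Privacy 108) that reviews a few constructed JSON access-log lines against a hypothetical inventory and flags two conditions: a successful unauthenticated request to an endpoint that handles personal information, and a request to an endpoint the inventory does not know about. The inventory entries, log format, field names and IP addresses are all assumptions made for the example.

```python
import json

# Hypothetical API inventory: each known endpoint records whether it handles
# personal information (PI) and whether callers must be authenticated.
API_INVENTORY = [
    {"method": "GET", "prefix": "/api/v1/customers", "personal_info": True, "auth_required": True},
    {"method": "GET", "prefix": "/api/v1/status", "personal_info": False, "auth_required": False},
]

# Constructed sample access log (one JSON object per line); not real traffic.
SAMPLE_LOG = """\
{"method":"GET","path":"/api/v1/status","auth":"none","status":200,"src":"203.0.113.5"}
{"method":"GET","path":"/api/v1/customers/1001","auth":"bearer","status":200,"src":"198.51.100.7"}
{"method":"GET","path":"/api/v1/customers/1002","auth":"none","status":200,"src":"203.0.113.9"}
{"method":"GET","path":"/api/v1/customers/1003","auth":"none","status":401,"src":"203.0.113.9"}
{"method":"GET","path":"/api/v2/customers/1004","auth":"none","status":200,"src":"203.0.113.9"}
"""


def lookup(method, path):
    """Return the inventory entry covering this request, or None if uninventoried."""
    for entry in API_INVENTORY:
        if entry["method"] == method and path.startswith(entry["prefix"]):
            return entry
    return None


def review_log(log_text):
    """Return (finding, method, path, src) tuples for log lines that need attention."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        entry = lookup(rec["method"], rec["path"])
        if entry is None:
            # No inventory entry: a shadow or undocumented API, exactly the
            # visibility gap the inventory is meant to close.
            findings.append(("UNINVENTORIED_API", rec["method"], rec["path"], rec["src"]))
        elif entry["personal_info"] and rec["auth"] == "none" and rec["status"] < 400:
            # A 401/403 here would mean the control worked; a 2xx/3xx with no
            # credentials on a PI endpoint means the access control failed.
            findings.append(("UNAUTHENTICATED_PI_ACCESS", rec["method"], rec["path"], rec["src"]))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
```

The rejected request (status 401) produces no finding, which is the point of comparing the log against the inventory rather than alerting on every unauthenticated call.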
Get a Grip on Over-Collecting and Holding Personal Information
Over-collection of personal information, and retention or storage of personal information for an indefinite duration, increases your organisation’s risk in the event of a data breach and can also undermine customer trust. Concerns among the public about over-collection and retention of personal information have increased due to recent data breaches in Australia.
Organisations should only keep personal information for as long as it is required to provide their products or services or to legitimately comply with legal obligations.
One way that organisations can get a better handle on what data they are collecting, and how long they are holding it for, is to pay more attention to the data lifecycle and the data retention and deletion process. Privacy risks can be minimised by reviewing products, services and systems that collect personal information and ensuring your organisation collects only the minimum personal information it needs to carry out its functions and activities. Equally important is to implement processes to destroy or de-identify personal information that is no longer needed.
How Privacy 108 Can Help Your Organisation
We offer services to help organisations manage privacy and cybersecurity risks. We can deliver expert advice and operational support for your organisation’s needs. We can also help your organisation get started building a privacy compliance program or understand where the gaps may be in your existing program.
Straight away, you can try our online self-guided Privacy Compliance Tool to compare your organisation’s current practices against the Australian Privacy Principles. Our privacy compliance tool takes between 30 minutes and 2 hours to complete. At the end, you’ll receive a report that shows:
- The overall privacy compliance level for your organisation.
- Your organisation’s current compliance level against each of the APPs, with easy-to-understand information on what is needed to achieve a higher level of compliance.
- Recommendations on steps to take to improve the maturity of your privacy program.
Alternatively, get in touch: