We explain why and what you can do about it



Cybersecurity and data privacy are constantly in the news. Governments are passing new cybersecurity laws. Companies are investing in controls such as firewalls, encryption and training at record levels.

And yet, data privacy is losing ground.

In 2024, the Identity Resource Center reported that companies sent 1.3 billion notifications to victims of data leaks. This represents more than triple the notifications sent the previous year. It is evident that, despite the growing efforts, personal data leaks not only continue, but are accelerating.

What can be done about this situation? Many people think that the cybersecurity problem is a technical problem. And they are right: technical controls are important to protect personal information, but they are not enough.

Solid protection of personal privacy rests on three pillars: accessible technical controls, public awareness of the need for privacy and public policies that prioritize personal privacy. Each one plays a crucial role in protecting it, and a weak point in any of them puts the entire system at risk.

The first line of defense

Technology is the first line of defense: it protects access to the computers that store data and encrypts information as it travels between them to keep intruders from accessing it. But even the best security tools can fail if they are used incorrectly, misconfigured or ignored.

Two technical controls are especially important: encryption and multifactor authentication. These are the backbone of digital privacy and work better when they are widely adopted and implemented correctly.

Encryption uses complex mathematics to put confidential data into an unreadable format that can only be unlocked with the correct key. For example, your web browser uses HTTPS encryption to protect your information when you visit a secure website. This prevents anyone on your network, or on any network between you and the website, from eavesdropping on your communications. Today, almost all web traffic is encrypted in this way.

But if we are so good at encrypting data on networks, why do we continue to suffer all these data leaks? The reality is that encrypting data in transit is just part of the challenge.

Protection of stored data

We also need to protect data wherever it is stored: on phones, laptops and the servers that make up cloud storage. Unfortunately, this is where security usually fails. Encrypting stored data, or data at rest, is not as widespread as encrypting data that moves from one place to another.

While modern smartphones usually encrypt files by default, the same does not happen with cloud storage or business databases. Only 10% of organizations report that at least 80% of the information they store in the cloud is encrypted, according to a 2024 sector survey.

This leaves a huge amount of personal information potentially exposed if attackers manage to get in. Without encryption, breaking into a database is like opening an unlocked filing cabinet: everything inside is accessible to the attacker.

Multifactor authentication is a security measure that requires providing more than one form of verification before accessing confidential information. This type of authentication is harder to crack than a simple password, since it requires a combination of different types of information. It often combines something you know, such as a password, with something you have, such as a smartphone application that can generate a verification code, or with something that is part of your identity, such as a fingerprint. The correct use of multifactor authentication reduces the risk of compromise by 99.22%.

While 83% of organizations require their employees to use multifactor authentication, according to another sector survey, this still leaves millions of accounts protected only by a password. As attackers become more sophisticated and credential theft remains rampant, closing that 17% gap is not only a good practice, but a necessity.

Multifactor authentication is one of the simplest and most effective measures that organizations can take to prevent data leaks, but it remains underused. Expanding its adoption could drastically reduce the number of successful attacks every year.

Awareness is key to data privacy

Even the best technology falls short when people make mistakes. According to a Verizon report, human error played a role in 68% of data leaks in 2024. Organizations can mitigate this risk through employee training, data minimization (that is, collecting only the information necessary for a task and deleting it when it is no longer needed) and strict access controls.

Policies, audits and incident response plans can help organizations prepare for a possible data leak so that they can stop the damage, identify those responsible and learn from the experience. It is also important to protect against internal threats and physical intrusions through physical security measures, such as locking server rooms.

Legal protections help hold organizations accountable for protecting data and give people control over it. The European Union's General Data Protection Regulation is one of the most comprehensive privacy laws in the world. It requires solid data protection practices and gives people the right to access, correct and delete their personal data. And the General Data Protection Regulation has teeth: in 2023, Meta received a fine of 1.2 billion euros (US$1.4 billion) when it was discovered that Facebook had violated the regulation.

Despite years of debate, the United States still does not have a comprehensive federal law on data privacy. Several proposals were introduced in Congress, but none prospered. Instead, a combination of state regulations and sector-specific rules, such as the Health Insurance Portability and Accountability Act for health data and the Gramm-Leach-Bliley Act for financial institutions, fills the gaps.

Some states approved their own privacy laws, but this disparity leaves Americans with unequal protections and generates regulatory compliance problems for companies that operate in different jurisdictions.

The tools, policies and knowledge to protect personal data exist, but the use that people and institutions make of them is still insufficient. More robust encryption, more widespread use of multifactor authentication, better training and clearer legal rules could prevent many breaches. It is clear that these tools work. What is needed now is the collective will, and a unified federal mandate, to implement those protections.

*Mike Chapple is a teaching professor of analytics and operations at the University of Notre Dame.

This article was originally published in The Conversation/Reuters
