Data Privacy Day, an international "holiday" that occurs each year on January
28th, was created to raise awareness and promote privacy and data protection best
practices. The National Cyber Security Alliance (NCSA) assumed leadership of Data Privacy Day from the
Privacy Projects back in August of 2011. A nonprofit, public-private
partnership dedicated to promoting a safer, more secure and more trusted
Internet, NCSA is advised by a distinguished advisory committee of privacy professionals.
Data Privacy Day's educational initiative originally focused
on raising awareness among businesses as well as users about the
importance of protecting the privacy of their personal information online,
particularly in the context of social networking. In addition to its
educational initiative, Data Privacy Day promotes events and activities that
stimulate the development of technology tools that promote individual control
over personally identifiable information; encourage compliance
with privacy laws and regulations; and create dialogues among
stakeholders interested in advancing data protection and privacy.
With this in mind, we've compiled some detailed perspectives,
as well as some tips for better protection of sensitive corporate data, from a
few industry experts in advance of Data Privacy Day 2019.
Enjoy!
--
Heather Paunet, Vice President of Product Management at Untangle, a San Jose, Calif.-based provider
of comprehensive network security for SMBs:
"Data privacy has become a hot topic over the last few
years, especially with the recent large-scale data breaches. It is important
that organizations of all sizes take data privacy seriously and proactively
ensure personally identifiable information (PII) is protected. Protecting data
in the event of a breach is crucial to maintain the trust and respect of the
public. Businesses can take some simple steps to protect the data they are
collecting. Storing the private data on a network or server that is separate
from the public, or even separate from the main corporate network, can provide
an extra layer of protection. Encrypting the data, especially PII, is another
standard practice to comply with a variety of regulations like PCI and HIPAA in
the United States and GDPR in Europe. With GDPR in full effect, data
privacy and transparency are now more relevant than ever. Businesses must
realize that the GDPR rules are not a hindrance, but a chance to show consumers
that they can trust them and that they are taking a proactive approach to data
privacy.
On a consumer level, protecting your data is becoming more
and more difficult as apps and websites demand the information. However,
consumers can be proactive and choose what they share. For example, don't fill
out social profiles completely (address, high school/college, birth date are
all considered PII). The Facebook breach is a prime example of sharing too much
information through a "fun, free quiz"; those participants'
information was sold to advertisers without their knowledge. Sharing your
social security number is never a good idea. The only businesses that need that
information are your work, bank and possibly your healthcare provider; anyone
else asking is just phishing for more of your PII. For citizens in Europe, GDPR
rules allow consumers to request their data from any company, so you can see
what they have gathered about you. You can then further ask the company to
delete that data. With this new privacy law in place, the hope is that other
countries will enforce similar rules so consumers globally have more control
and rights over their personal data."
Ali Golshan, CTO and co-founder at StackRox, a Mountain View, Calif.-based
leader in security for Kubernetes and containers:
"Considering the volume and range of data being collected
from services and users, targeting and reaching the user has become a very
personal experience. We can clearly see the negative impacts of it in politics
and American culture.
Analytic infrastructures allow for powerful insights into
data, but they create compliance and security risks for companies because data
is often dumped into data lakes without proper labeling, auditing, or policy
enforcement. We are seeing companies such as Apple building trust with
customers by providing visibility and transparency into how that data is used.
Additionally, Europe's GDPR requires all companies serving European citizens,
regardless of the company's HQ location, to implement controls around data
privacy.
Due to development timelines, developers often have to delay
building granular privacy permissions into their applications. Such permissions
enable individual customers to define how their data can be used, or the right
to be forgotten - both of these parameters are cornerstones of GDPR compliance.
One key feature for data privacy is ensuring up-to-date
controls and configurations around access. To ensure data is protected from
unauthorized access, systems need controls such as identity and authentication
of users. Limits to access must also extend to developers of platforms as well,
to avoid situations such as the one Ring is experiencing, with reports of broad access
to customer videos: https://theintercept.com/2019/01/10/amazon-ring-security-camera/
All services working with personal and private data should
apply crypto best practices for data in motion and data at rest or stored.
Beyond encryption, the best way to secure data is to not collect it, so
apply principles of minimal data collection or add additional layers of
obfuscation. One method of obfuscation is differential privacy, which allows
providers to offer customized services for users while maintaining privacy for
individual users."
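The quote above names differential privacy as an obfuscation layer that lets a provider answer aggregate questions without exposing any one person. The block below is an added illustration, not code from StackRox or the author: it implements the Laplace mechanism for a counting query over a constructed, hypothetical set of opt-in records, and then checks the defining guarantee directly, namely that for two datasets differing in one person the likelihood of any output changes by at most a factor of exp(epsilon).

```python
import math
import random

# Constructed sample records: (user_id, opted_in_to_personalised_ads).
# Hypothetical data, not drawn from any real service.
RECORDS = [
    ("u001", True), ("u002", False), ("u003", True), ("u004", True),
    ("u005", False), ("u006", True), ("u007", False), ("u008", True),
]


def is_opted_in(record):
    return record[1]


def true_count(records, predicate):
    """Exact answer to a counting query (what an analyst sees without DP)."""
    return sum(1 for r in records if predicate(r))


def laplace_sample(scale, rng):
    """One draw from Laplace(0, scale) via the inverse CDF of a uniform sample."""
    u = rng.random() - 0.5                     # uniform on [-0.5, 0.5)
    u = max(min(u, 0.4999999), -0.4999999)     # keep log() away from 0
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def private_count(records, predicate, epsilon, seed=None):
    """Laplace mechanism for a counting query.

    A count has global sensitivity 1: adding or removing one person's record
    changes the answer by at most 1, so noise drawn from Laplace(0, 1/epsilon)
    gives epsilon-differential privacy. Smaller epsilon means more noise and
    stronger protection for each individual.
    """
    sensitivity = 1.0
    rng = random.Random(seed)
    return true_count(records, predicate) + laplace_sample(sensitivity / epsilon, rng)


def laplace_density(x, mu, scale):
    return math.exp(-abs(x - mu) / scale) / (2.0 * scale)


def privacy_bound(epsilon):
    """Factor by which any output's likelihood may differ between
    neighbouring datasets under epsilon-DP."""
    return math.exp(epsilon)


def max_density_ratio(count_a, count_b, epsilon, lo=-20.0, hi=40.0, steps=2001):
    """Worst-case likelihood ratio of the mechanism's output for two
    neighbouring datasets with true counts count_a and count_b, scanned over
    a grid of possible outputs. It must never exceed exp(epsilon)."""
    scale = 1.0 / epsilon
    worst = 0.0
    for i in range(steps):
        x = lo + (hi - lo) * i / (steps - 1)
        ratio = laplace_density(x, count_a, scale) / laplace_density(x, count_b, scale)
        worst = max(worst, ratio)
    return worst


if __name__ == "__main__":
    eps = 0.5
    exact = true_count(RECORDS, is_opted_in)
    noisy = private_count(RECORDS, is_opted_in, eps, seed=42)
    print(f"exact opt-in count: {exact}")
    print(f"DP opt-in count (epsilon={eps}): {noisy:.2f}")
    # Neighbouring dataset: one more person opted in. Whatever was released,
    # an observer's evidence about that one person is capped by exp(epsilon).
    print(f"worst-case likelihood ratio: {max_density_ratio(exact, exact + 1, eps):.4f}"
          f" <= bound {privacy_bound(eps):.4f}")
```

The practical caveat is that epsilon is a budget: every additional query against the same records spends more of it, so a service that answers many personalised queries needs to track cumulative privacy loss, not just add noise once.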
Shahrokh Shahidzadeh, CEO at Acceptto, a Portland, Oregon-based
provider of Cognitive Continuous Authentication:
"Assume all of your credentials have already been stolen,
even those credentials that haven't been created yet.
Due to the frequency of data breaches, we all must operate
under the assumption that it's only a matter of time before we become aware of
the fact that our credentials and personal information are compromised.
Protecting our citizens' identity and privacy requires new regulatory
measures and the collaboration of private and public sectors including all
(large or small) companies that today are taking overt advantage of harvested
consumer data that is readily available for corporate welfare but not well
protected.
2019 is the year of new solutions that employ a
combination of multi-modal and contextual controls that continuously and
accurately protect user identity and privacy with the assumption that all your online
credentials are already compromised."
Joseph Carson, chief security scientist at Thycotic, a Washington, D.C.-based
provider of privileged access management (PAM) solutions:
"Is Data Privacy Day turning into Data Privacy Remembrance
Day? Is it even reversible? The
answer is yes. The end of privacy as we know it is closer than you may
think. Privacy definitions are very different between nation states and
cultures, however, one thing that is common is that privacy is becoming less
and less of an option for most citizens. In public, almost everyone is
being watched and monitored 24/7 with thousands of cameras using your
expressions, fashion, walk, directions, interactions and speech to determine what
you need, what you might be thinking, who you are going to meet, who is nearby
and even algorithms that determine what your next action might be. All of
this is used to help provide a custom experience unique to everyone as well as
predict and prevent security threats. The term 'if you have nothing to
hide you have nothing to fear' is quickly becoming reality, and privacy
could certainly disappear in the near future. Can we ever regain back our
privacy?"
Rishi Bhargava, Co-founder at Demisto, a Cupertino, Calif.-based provider
of security automation and orchestration and response technology:
Str!ct P@ssw0rds
"Make sure that employees use strong passwords and that they
use different passwords across systems. A single password used across
applications might be convenient but it then takes just one vulnerability to
compromise all the employee's accounts. For guidelines on password strength,
you can refer to NIST's latest
identity guidelines.
Historically, lengthy passwords with a combination of
letters, numbers, and special characters are less likely to get breached
through brute force. Contrary to popular opinion, NIST recommends against
changing passwords regularly. Employees usually change just a couple of
characters from password to password this way, leading to confusion without
increased security.
VPNs Are A Must
Whether employees are working from home or any other public
location, organizations should ensure that Virtual Private Networks or VPNs are
used. By combining encryption protocols and virtual P2P connections, VPNs
protect any sensitive company data that employees might access while connected
to non-enterprise public/private networks.
There are various VPN protocols out there: some provide
encryption, some facilitate connections, and some do both. Protocols such as
SSH, SSL, or TLS fulfill both duties (encryption and connection) and should be
preferred by organizations that aim for security as well as convenience.
Awareness Programs With A Twist
Security awareness programs delivered through dry,
text-heavy presentations are unlikely to have the intended effects, no matter
how positive the intent. A few tactical tweaks to awareness programs can
drastically improve uptake:
- Including interactive, engaging assignments as part of
the training. For example, a 'design your own phishing email' contest
where employees come up with their best phishing emails.
- Encouraging and rewarding employees that show 'good
security behaviors' and sharing their successes with the group.
- Learning from security failures and sharing with
transparency to avoid repetitive mistakes.
- Creating a culture of openness and blamelessness so
that employees that have made mistakes come forward honestly without fear
of being punished.
Update, Patch, Maintain
Devices with out-of-date software, certificates, and agents
create conditions where compromise becomes easier and more likely.
Organizations should monitor the version recency of operating systems, SSL
certificates, and security software (such as firewalls and endpoint tools) on
all employee devices and especially those that avail of remote work.
Although any deficiencies along these lines won't create
security incidents on their own, they will weaken a device's 'immune system'.
Attackers will usually scan devices for these deficiencies and target
accordingly.
These solutions are by no means exhaustive, but they
represent 'first-pass' guidelines that organizations can set up and build upon.
Even with all these precautions (and more) in place, it's inevitable that
breaches will occur. But by being proactive in defense and agile in response,
organizations and their remote workers stand a good chance of coming out on
top."
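The "Str!ct P@ssw0rds" section above points to NIST's identity guidelines and notes that length, not forced rotation, is what drives resistance to brute force. The block below is an added illustration and is not Demisto's or the author's code: it implements a verifier-side check in the style of NIST SP 800-63B (minimum 8 characters, at least 64 accepted, screening against a blocklist of common or breached passwords and against the username, and no composition or expiry rules), and a rough search-space estimate that shows why a long all-lowercase passphrase outscores a short one with every character class. The blocklist is a constructed stand-in for whatever compromised-credential feed an organisation actually uses.

```python
import math

# Constructed blocklist standing in for a real common/breached-password feed.
# Hypothetical values, not a real dataset.
BLOCKLIST = {
    "password", "password1", "password123", "123456", "qwerty",
    "letmein", "welcome1", "iloveyou", "admin123",
}

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # SP 800-63B: verifiers should accept at least 64 characters


def normalise(password):
    # Compare case-insensitively and ignore surrounding whitespace so that
    # "Password123 " still matches the blocklist entry "password123".
    return password.strip().lower()


def check_password(password, username="", blocklist=BLOCKLIST):
    """Return (accepted, reasons).

    Rejects only for length, blocklist hits and context-specific words;
    deliberately imposes no composition rules (mandatory digits/symbols)
    and no periodic expiry, following SP 800-63B.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    norm = normalise(password)
    if norm in blocklist:
        reasons.append("appears on the blocklist of common/breached passwords")
    if username and normalise(username) in norm:
        reasons.append("contains the username")
    return (not reasons, reasons)


def brute_force_bits(password):
    """Rough log2 size of the search space an exhaustive guesser faces,
    based on the character classes the password actually uses.

    This is an upper bound on strength: a blocklisted password is weak
    regardless of its score, because it will be tried first, not last.
    """
    classes = {
        "lower": 26, "upper": 26, "digit": 10,
        "symbol": 33,  # printable ASCII that is not alphanumeric, incl. space
    }
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    alphabet = sum(classes[c] for c in used)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed candidates for demonstration.
    for candidate, user in [("Password123 ", "alice"),
                            ("jsmith-2019-rules", "jsmith"),
                            ("Aa1!Aa1!", "bob"),
                            ("correct horse battery staple", "carol")]:
        ok, why = check_password(candidate, username=user)
        print(f"{candidate!r}: accepted={ok} bits={brute_force_bits(candidate):.1f} {why}")
```

Note that the bit estimate treats every position as independent and uniformly chosen, which real passwords are not; it is useful for comparing lengths and policies, not for certifying any individual password, which is why the blocklist check comes first.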
David Ginsburg, Vice President of Marketing at Cavirin, a Santa Clara, Calif.-based
provider of cybersecurity risk posture and compliance for the enterprise hybrid
cloud:
"Data Privacy Day is upon us, and there is no need to
mention our just-concluded 'annus horribilis,' and I'm not talking about US
or EU politics. Over the last twelve months, we've endured a constant
barrage of news regarding the latest hacks, vulnerabilities, or organizations
paying the price for just plain stupidity. Though IoT and critical
infrastructure vulnerabilities as well as foreign attacks were top of mind,
ongoing thefts of confidential financial, healthcare, and other PII data
presented greater risk to enterprises and individuals. As related at
Black Hat, the hackers are definitely on the offensive, with organizations
playing catch-up across an increasingly complex hybrid cloud infrastructure.
However, 2019 doesn't need to be a repeat of 2018.
The intent of Data Privacy Day is to raise the awareness of
data privacy within organizations as well as for individuals. Focusing on
the former, recommendations
in fact follow the universal five-phase approach outlined in the NIST CSF -
Identify, Protect, Detect, Respond, and Recover. This approach is in fact
a great baseline for organizations of any size, from the corner dentist to the
Fortune 100.
Cavirin has taken the lead in leveraging the CSF
as one of our building blocks for CyberPosture Intelligence. Our eBook, The
Enterprise Journey to the Hybrid Cloud, describes the mapping from
the CSF to typical deployment concerns, outlining a path for success.
And, a recent Cavirin Playbook, Leveraging
the NIST CSF, looks at high-risk critical infrastructure verticals
and how to adopt best practices. We've also done quite a bit of work to
help ensure organizations are equipped for GDPR as well as
looking ahead to the California Consumer Privacy Act."