Data Privacy Day, an international "holiday" that occurs each year on January 28, was created to raise awareness and promote privacy and data protection best practices. The National Cyber Security Alliance (NCSA) assumed leadership of Data Privacy Day from the Privacy Projects back in August of 2011. A nonprofit, public-private partnership dedicated to promoting a safer, more secure and more trusted Internet, NCSA is advised by a distinguished advisory committee of privacy professionals.
Data Privacy Day's educational initiative originally focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking. In addition to its educational initiative, Data Privacy Day promotes events and activities that stimulate the development of technology tools that promote individual control over personally identifiable information; encourage compliance with privacy laws and regulations; and create dialogues among stakeholders interested in advancing data protection and privacy.
With this in mind, VMblog has compiled some detailed perspectives, as well as some tips for better protection of sensitive corporate data, from a few industry experts on this Data Privacy Day 2021.
--
Rick Vanover, Senior Director, Product Strategy, Veeam
"Data Privacy is more important than ever and organizations should avoid a common pitfall: Surprises. Nobody likes surprises and a Data Privacy matter is the least desirable surprise to start your day with. Avoiding any surprises will start with well-implemented identification techniques to know what data an organization has under management. From there, additional stages such as protecting that data, detecting and analyzing that data for normal access, usage and integrity will ensure that the data goes through its lifecycle as expected. Should anything go wrong with that data or how it is consumed, stored, etc., organizations should be ready to respond and recover from whatever incident may occur.
It's clear the hard work is on the front end with identification, as organizations can’t recover what they don’t know they had or how it was used. This is a significant challenge today with explosive data growth and a strong push for ubiquitous access from mechanisms such as work-from-home. My advice is to invest more on the front side of this framework (which aligns with the NIST Cybersecurity Framework) to pave the way for more options in the later stages."
Dave Russell, VP of Enterprise Strategy, Veeam
"Data has never been more ubiquitous, more geographically dispersed and remotely accessed, and tragically never more at risk. The value of corporate and personal data has risen significantly, in no small part because different data can be pieced together to lead to large vulnerabilities. There is a tremendous need for improved digital hygiene, which begins with strong, unique passwords, two factor authentication, and hardening networking ports. All of this applies from individuals to F500 companies."
--
Simon Taylor, CEO at HYCU
"In recognition of Data Privacy Day, it serves as a good reminder that there will always be a risk that your data may be compromised. It’s no longer good enough to keep your data password protected, encrypted or use two factor authentication. You must also keep your data backed up and available in the event of a recovery. You would be surprised how many people overlook the power of backup to protect themselves in the event of human error, a ransomware attack or data breach. Use this Day as a reminder to back up your data today! By doing so, you will become much better prepared to deal with these situations should they arise."
--
Anurag Kahol, CTO of Bitglass
"Data Privacy Day serves as a reminder of one of the most important responsibilities for any organization: keeping sensitive data secure. Consumers are constantly discovering the information that is collected about them, how that data is used, and how daily breaches put that information at risk. Consequently, to maintain consumer trust (and remain compliant with regulations), it is imperative that companies make security a top priority.
This past year marked a pivotal change in how companies conduct business, with most being forced to rapidly shift to a remote work style of operations due to the global COVID-19 pandemic. Moving forward, we are going to see a permanent blend of remote and in-office work, as well as mobile employees whose workspaces are constantly changing. Unfortunately, many organizations are relying on outdated tools that are designed for predominantly on-premises operations and lack the granularity needed today. To address these challenges, there are a few steps that must be taken.
First, organizations must have an accurate inventory of data. This step is critical for adhering to data privacy regulations including CCPA, because if companies don’t know the information they have or where it is going, then they cannot properly protect it. Next, companies need to protect access to consumer information as well as the various systems that store it. This can become more challenging for improperly equipped organizations that adopt cloud technologies and other remote work capabilities, as consumer data can then potentially be accessed across numerous applications and on various devices.
Finally, organizations need to have a thorough understanding of data jurisdictions and any security challenges they may present after migrating to the cloud. With respect to certain data privacy regulations like CCPA, data may only be stored or transferred where the state has jurisdiction or an agreement is in place. To ensure compliance, organizations should look for security solutions that allow them to encrypt cloud data (wherever it resides) while maintaining local control of encryption keys. Additionally, solutions that dynamically allow or deny access based on contextual factors like a user's location, device type, or job function are highly helpful, along with data loss prevention (DLP) capabilities. For ease of management and cost-effective, consistent security, organizations should look for a single security platform that integrates all these capabilities into one offering."
--
James Carder, CSO of LogRhythm
"In the wake of COVID-19 remote work cybersecurity concerns and the high-profile SolarWinds hack, we’ve seen security elevate in importance and the protection of sensitive data has become more of a shared responsibility across the company. Organizations are realizing that IT and security teams aren’t the only ones with something to lose in the event of a breach; the whole business is at stake. The board doesn’t want to risk a security breach or be found negligent based on a lack of investment in security.
With more and more companies experiencing breaches and people’s personal information being shared with so many businesses, Data Privacy Day serves as an important reminder for organization leaders to acknowledge their shared responsibility for cybersecurity and effective data protection across the entire business. For companies that aren’t currently operating in this way, it is a time for them to take a step back and make a plan to prioritize it in 2021.
For consumers, it is a time to develop a better understanding of how companies are using their data. Just a few weeks ago, WhatsApp updated its privacy policy to state that the company reserves the right to share data such as phone numbers, IP addresses, and payments made through the app with Facebook and other Facebook-owned platforms like Instagram. Consider this: if it’s free or low priced, then you (and your information) are the payment.
As we’ve seen with the recent additions and revisions to the California Consumer Privacy Act (CCPA), a U.S. privacy statute that governs residents of California, states are beginning to place more stringent requirements on themselves and businesses operating within their borders to protect their residents’ data. While there is currently no federal data privacy law in the U.S. that compares to the European Union’s General Data Protection Regulation (GDPR), we can expect to see more states step up to lead change in privacy policy in 2021 and beyond that ultimately could influence federal privacy laws."
--
Ashish Gupta, CEO and president of Bugcrowd
"The pandemic has made transformation nothing less than an existential imperative, and most developers and engineers are in a rush to get their products to market as quickly as possible to gain a competitive advantage. Yet, most fail to realize that speed is the natural enemy of security, and this process can put consumer data in peril. As such, engineers and developers must have a system of checks and balances in place as they seek to digitally transform to ensure that any vulnerabilities are proactively identified and secured before attackers can exploit them.
Data Privacy Day serves as a crucial reminder for businesses to ensure they are implementing data protection best practices to protect their customers’ privacy. It is a great time for companies to consider merging the software development lifecycle (SDLC) with the security lifecycle to ensure consumer data privacy is secured at every level of innovation. This is where a crowdsourced approach to cybersecurity can help. Not only will the collective intelligence of technology and human ingenuity allow engineers and developers to continue to innovate at their own pace, but it will also allow outside researchers to uncover and report any vulnerabilities in a product’s code. The theme for Data Privacy Day 2021 is “Own Your Privacy,” and having insight into critical issues before they become breaches gives companies the security awareness needed to maintain data privacy.
Crowdsourced cybersecurity is a security approach that uses ethical hackers - or simply, security researchers - to uncover vulnerabilities in business applications, devices, and networks. Crowdsourced cybersecurity can also help fill gaps within an organization’s internal security team, as many companies still struggle with the lack of available security talent. This approach eliminates the imbalance between the creativity and motivations of attackers and those of enterprise security teams. For example, Bugcrowd matches customers with a global network of highly-skilled and fully vetted researchers that specialize in all industries, technology stacks, and targets. These researchers can be leveraged, on-demand, to probe targets, including mobile applications, internet-connected cars, corporate networks, and more to detect potential vulnerabilities. By enlisting a crowd of ethical hackers, organizations can augment their existing team and security tools to uncover previously unknown vulnerabilities or blind spots. This approach offers customers measurable confidence that investing in a crowdsourced vulnerability disclosure program (VDP), bug bounty, or pen testing program will yield a positive return - helping to protect companies from constantly evolving cybersecurity threats."
--
Vladislav Tushkanov, privacy expert at Kaspersky
"With record GDPR fines and frequent data breaches, 2020 showed once again that unfettered data collection for the sake of “Big Data” is not actually the best practice. Consumers are growing more aware of the perils of sharing their private data, which boosts the popularity of privacy-focused services such as messengers (Signal) and search engines (DuckDuckGo). We hope that 2021 will become the year when enterprises realize that the best course of action is not to collect as much data as possible and then struggle to contain it and comply with regulations, but to invest in privacy-preserving technologies, such as differential privacy and federated learning, which allow them to extract insights about users without having to transfer private data to their own servers."
--
Heather Paunet, SVP Products of Untangle
"Data Privacy Day, now in its 14th year, is a date well worth noting for businesses of all sizes. It is easy to let a whole year go by after performing an assessment of data access privileges and user access privileges. Having a ring on the calendar is a reminder that puts the importance of this assessment back top of mind once a year.
Software providers can use this day to review new features they are planning to deliver within the next six to twelve months and make sure that GDPR and similar requirements are included as part of the implementation.
Businesses can also review their own IT policies. IT departments should review who has access to different types of data and remove access from anyone that doesn't have to have that access. In a year, employees' roles within a company can change, and their responsibilities and what they need access to may also change.
Data privacy is not only about stopping data from being stolen, but it's also about trust of the information that we access and use in good faith. If someone's personal information can be stolen and used such that that person's identity could be misrepresented, that can cause widespread knock-on effects of misinformation. For example, the Twitter accounts of Barack Obama and Jeff Bezos were hacked in 2020. Someone with their Twitter accounts would have the ability to reach and influence millions of people who have trust in the things they tweet."
--
Sam Roguine, backup, DR and ransomware prevention evangelist at Arcserve
"Data Privacy Day is a great reminder for IT pros to reexamine data protection protocols and ensure they’re set up for success this year. It’s no secret that things have changed a lot in the last 12 months – the sudden shift to remote work left many companies scrambling to move their data to the cloud and patch security gaps brought on by distributed employee devices. Certain quick fixes may have worked in the moment, but now that it’s clear remote work isn’t going anywhere, it’s important to review the changes that were made and fix any issues before a breach or data loss occurs. Many are predicting 2021 will be the year of the hybrid cloud, but they also need to remember that hybrid cloud models can be complex. Those in charge of deployment must pay special attention to prevent added security risks to data stored in the cloud.
Another important consideration is the fierce need to protect COVID-19 data, both to improve contact tracing and maintain public trust. As individuals are waiving some of their rights to privacy by allowing personal health data to be collected, stored, and shared to benefit the greater good, a cyberattack or loss event compromising this data would be devastating. Developing a strategy that employs the 3-2-1 backup rule of keeping three copies of data, in two separate locations with one being offsite, and also integrates backup and disaster recovery protocols with best-in-the-industry cybersecurity, is a good place to start. A strong data protection plan has never been more key to protecting the privacy rights of individuals."
--
Mohit Tiwari, Co-Founder and CEO at Symmetry Systems
"The two most dangerous root-causes are vulnerable applications and over-privileged identity & access management (IAM) policies -- and often, each of these problems amplifies the other.
• Applications act as the gatekeepers through which users access data, but it is almost impossible to ensure that authorization checks are perfect and the millions of lines of code (including libraries and framework code) have no exploits.
• Similarly, access management policies are a sprawl of permissions that are exceptionally hard to keep consistent over time and across services and clouds, especially as people/applications are added, move, or leave.
It is irresponsible to expect people to get their day jobs done while being a single click or action from such breaches. Instead, organizations are better off investing in guardrails that reduce data risk and make it hard for normal human actions to result in big breaches.
Imposing reasonable fines is indeed a good way to make measuring and improving data risk a board-level priority. And this can only be good for both customers and enterprises that host their data."
--
Steve Grewal, CTO, Federal, Cohesity
"To better address the challenges of data privacy regulations and customer concerns, organizations need to adopt a data-first mindset. This means prioritizing and investing in the management and protection of data in a manner that effectively balances the intrinsic business value of data with the needs and rights of customers and consumers.
Consumers and customers expect to be informed of how their data is being used and protected. This is a significant challenge for all organizations, and it will require greater collaboration between the individuals tasked with providing data security, privacy, and compliance to meet these expectations and enhanced regulations.
Greater levels of collaboration, scrutiny, and the adoption of modern data management technologies and strategies will be needed to better protect the data organizations have been entrusted with."
--
Rita Gurevich, Founder and CEO, SPHERE Technology Solutions
“In the enterprise world, there is an increased focus on protecting data from internal and external threats, especially across highly regulated corporations. Safeguarding sensitive data, including your employee and customer data, is not a “should do” concept anymore but a “must do” directive coming from the top. Whether it's regulatory bodies or internal auditors enforcing the proper data privacy and data protection practices, the repercussions, financially and from a reputation perspective, are reason enough for companies to focus their attention on implementing a Least Privileged Access model.
Proactive measures, such as ensuring only the appropriate personnel have access to only the data they need to perform their job functions, are a central theme. Cleaning up the mountains of inappropriate entitlements is step 1, and many organizations are recognizing that this foundational requirement is not as easy as it may superficially seem but a mandate that must be achieved.
We predict that organizations will start to go back to the basics and fine tune their practices for basic inventory of all their data repositories with more in-depth analytics on the state of their access controls. Remediation and ongoing certification of entitlements will expand in coverage, automation will be critical, and the onus on the business to partake in these processes will be more of a business-as-usual expectation. This is actually a positive effect and forces not just IT and Security teams to accept this onus and will create a culture of Security First across all business units within an organization.”
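The entitlement cleanup Gurevich describes, and the once-a-year access review Paunet recommends earlier on this page, both reduce to the same reconciliation: compare what each account actually holds against what its current role needs, and produce a remediation list. The Go program below is an added example and is not code from either company; the role baselines, account records and entitlement names are constructed sample data. It flags two classes of finding: accounts that are no longer active but still hold access (orphaned), and active accounts holding entitlements outside their role's baseline (usually drift left over from a previous role).

```go
package main

import (
	"fmt"
	"sort"
)

// Account is a constructed record of the kind an IAM or HR export gives:
// the user, the role HR says they hold today, whether the account is still
// active, and the entitlements actually granted in the target systems.
type Account struct {
	User         string
	Role         string
	Active       bool
	Entitlements []string
}

// Finding is one remediation item for the access reviewer.
type Finding struct {
	User   string
	Kind   string // "orphaned" or "excess"
	Detail string
}

// ReviewEntitlements compares granted entitlements with the least-privilege
// baseline for each role. An inactive account with any entitlement is
// orphaned; an active account holding an entitlement outside its role's
// baseline is over-entitled. Results are sorted so output is deterministic.
func ReviewEntitlements(accounts []Account, baseline map[string][]string) []Finding {
	var findings []Finding
	for _, a := range accounts {
		if !a.Active {
			if len(a.Entitlements) > 0 {
				findings = append(findings, Finding{a.User, "orphaned",
					fmt.Sprintf("inactive account still holds %d entitlement(s)", len(a.Entitlements))})
			}
			continue
		}
		allowed := map[string]bool{}
		for _, e := range baseline[a.Role] {
			allowed[e] = true
		}
		for _, e := range a.Entitlements {
			if !allowed[e] {
				findings = append(findings, Finding{a.User, "excess",
					fmt.Sprintf("%q is not in the %q baseline", e, a.Role)})
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].User != findings[j].User {
			return findings[i].User < findings[j].User
		}
		return findings[i].Detail < findings[j].Detail
	})
	return findings
}

// Constructed sample data (hypothetical roles and entitlement names): one
// user changed role without losing old access, one user has left.
var RoleBaseline = map[string][]string{
	"support": {"crm:read"},
	"finance": {"crm:read", "billing:read", "billing:write"},
	"analyst": {"crm:read", "warehouse:read"},
}

var SampleAccounts = []Account{
	{"alice", "support", true, []string{"crm:read"}},
	{"bob", "analyst", true, []string{"crm:read", "warehouse:read", "billing:write"}}, // moved from finance
	{"carol", "finance", false, []string{"billing:read", "billing:write"}},           // left the company
}

func main() {
	for _, f := range ReviewEntitlements(SampleAccounts, RoleBaseline) {
		fmt.Printf("%-6s %-9s %s\n", f.User, f.Kind, f.Detail)
	}
}
```

Run against a real export, the "excess" findings are the ones to route to the entitlement owner for certification; the "orphaned" findings can usually be revoked without a human decision.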
--
Tom Pendergast, Chief Learning Officer of MediaPRO
"The essence of Data Privacy Day to me is the realization that data privacy is everyone’s responsibility. From the boardroom to the loading dock, everyone has a role to play. From a training and awareness perspective (where I come from), one of the best ways to do this is to provide education that employees can use both at work and at home.
For the majority of employees, many of the attributes of the sensitive data they handle as part of their job should be recognizable when it comes to keeping their own information secure. When an organization goes about educating their employees on their own data privacy requirements, I’ve seen success using a “golden rule” approach. That is, telling employees to treat the data they handle as part of their job the same way they’d want their own data treated. This more personal approach makes privacy more “real” and less theoretical. Most employees do not need to know the letter of the law. What’s often best is taking a principles-based approach to data privacy that they can use both at work and at home.
Whether you plan to recognize Data Privacy Day on just Thursday, January 28, or extend it into the entire week, this occasion is the perfect opportunity to reinforce the importance of handling sensitive data with respect, no matter where it’s found."
--
Stephen Manley, CTO, Druva
"Data Privacy Day is an annual reminder to review and refresh your privacy and data protection practices. As cyberthreats become more vicious and regulations more complex, organizations must evolve how they protect the personal data of their employees and customers. An effective data privacy policy will safeguard from GDPR and CCPA fines and build trust with customers who are wary of how organizations handle their data.
On this Data Privacy Day, don’t just try to “get well” on your protection policy, but plan how to “stay healthy.” Over the next year, data will fuel your business growth, and protecting data privacy will help you build a company that your customers trust. To keep pace with the business, you must integrate data privacy and protection into your organization’s data management strategy because it takes only one wrong step to lose the customers’ trust. Data Privacy Day only comes once a year, but data protection matters every day. With an integrated approach to data protection and privacy, next year’s Data Privacy Day will be a reminder to celebrate your successes!"
--
Marc Laliberte, Sr. Security Analyst at WatchGuard Technologies
"User privacy has been crumbling for years. Each new security breach and data dump further chips away at what little privacy does remain. Adding to the challenge is the fact that connected devices are far more intertwined in our lives than ever before. We rely heavily on digital assistants such as Alexa or Siri, smart home management products, wearables and more. While these technologies do make our lives easier, the privacy and security risks are undeniable.
Corporations use advanced machine learning algorithms to correlate the data that smart devices collect and amass troves of information about us. These algorithms help them quantify and analyze our behavior, and even influence our actions through advertisements and personalized social media feeds. Worse yet, they often sell our data to third parties behind the scenes. Cybercriminals present further risks. Attackers can leverage user data stolen from corporations, or collected from any number of public-facing pages on the internet, to mount effective spear phishing campaigns against us, crack our passwords and more.
The risks are high and growing more so with each passing year. But society has realized that giving companies so much insight into our lives is neither healthy nor safe, and is beginning to turn the tide. GDPR and the CCPA are perfect examples of countries and states putting more pressure on businesses to protect users' data and privacy. To expedite an even broader commitment to privacy, we believe users will finally revolt en masse and force into existence new privacy regulations for social media services, connected devices and more. In the meantime, everyday users should continue to acknowledge that privacy is a significant issue, restrict the type of information they share online or with smart devices, and keep an eye out for attacks that might leverage their own personal data."
--
Candid Wüest, VP of Cyber Protection Research at Acronis
"Companies are slowly starting to realize that privacy is a crucial part of a holistic Cyber Protection strategy that needs to be incorporated with cyber security and data protection. Unfortunately, with the sudden rush to cloud adoption and the increase of remote workers during the lockdown, data protection was often neglected. Organizations need to ask themselves whether their corporate data is adequately protected on the workloads of their home workers, if they even know where their data is. The same goes for cloud data storage, which still shows a multitude of misconfigured S3 data buckets, containers and cloud databases that can be accessed across the internet by anyone.
The adoption of data regulations increases slowly, but fines and penalties have increased, as for example, a German retailer had to learn in January, as they were fined US $12.7M under GDPR for monitoring their employees through video.
Public awareness of privacy issues is also growing, but at a slower pace. There are the occasional outcries and concerns, for example, as has been witnessed as a result of changes to the WhatsApp privacy policy, logging of Covid-19 tracing apps or the video recordings of autonomous cars.
However, many people still don't value their privacy highly enough to be bothered. Perhaps they are dulled by the multitude of data breaches.
It shows that we still have a lot to do, to find the right balance between the pillars of cyber protection. It has to be integrated in a seamless and transparent way, so that it does not represent an additional burden for the user, but rather something desirable. Take the Data Privacy Day to think about data privacy of your data – and then improve it."
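The internet-readable S3 buckets Wüest mentions are usually the product of a bucket policy statement that grants Allow to a wildcard principal. The Go checker below is an added example, not part of the quote or of any Acronis tooling; the policy document it parses is constructed, with a hypothetical bucket name, VPC endpoint ID and account number. It handles the two shapes the `Statement` and `Principal` fields can take, distinguishes an unconditioned wildcard grant (public) from one narrowed by a `Condition` block (needs a human to judge the condition), and ignores statements scoped to a named principal.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// isWildcardPrincipal recognises the forms a bucket policy uses to mean
// "everyone": "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
func isWildcardPrincipal(p interface{}) bool {
	switch v := p.(type) {
	case string:
		return v == "*"
	case map[string]interface{}:
		switch aws := v["AWS"].(type) {
		case string:
			return aws == "*"
		case []interface{}:
			for _, x := range aws {
				if s, ok := x.(string); ok && s == "*" {
					return true
				}
			}
		}
	}
	return false
}

// Finding names an exposing statement and how bad it is: "public" for an
// unconditioned wildcard Allow, "conditional" when a Condition narrows it.
type Finding struct {
	Sid  string
	Kind string
}

// CheckBucketPolicy parses a bucket policy document and returns the
// statements that grant access to anonymous principals.
func CheckBucketPolicy(policy []byte) ([]Finding, error) {
	var doc struct {
		Statement json.RawMessage `json:"Statement"`
	}
	if err := json.Unmarshal(policy, &doc); err != nil {
		return nil, err
	}
	// "Statement" may be a single object or an array of objects.
	var stmts []map[string]interface{}
	if err := json.Unmarshal(doc.Statement, &stmts); err != nil {
		var one map[string]interface{}
		if err2 := json.Unmarshal(doc.Statement, &one); err2 != nil {
			return nil, fmt.Errorf("Statement is neither object nor array: %w", err)
		}
		stmts = []map[string]interface{}{one}
	}
	var out []Finding
	for _, s := range stmts {
		// Deny statements and named principals cannot make the bucket public.
		if s["Effect"] != "Allow" || !isWildcardPrincipal(s["Principal"]) {
			continue
		}
		sid, _ := s["Sid"].(string)
		if cond, ok := s["Condition"].(map[string]interface{}); ok && len(cond) > 0 {
			out = append(out, Finding{sid, "conditional"})
		} else {
			out = append(out, Finding{sid, "public"})
		}
	}
	return out, nil
}

// SamplePolicy is a constructed document (hypothetical bucket, endpoint and
// account): one fully public read, one wildcard principal limited to a VPC
// endpoint, and one grant to a specific role.
const SamplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}`

func main() {
	findings, err := CheckBucketPolicy([]byte(SamplePolicy))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-12s %s\n", f.Kind, f.Sid)
	}
}
```

The policy is only one of the controls that decide exposure: the account- and bucket-level S3 Block Public Access settings override a public bucket policy when enabled, and a public ACL can expose objects even under a clean policy, so a complete audit reads those as well. The policy scan above is the part that tells you which statement to fix.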
--
Joseph Carson, chief security scientist and Advisory CISO at Thycotic
"Data privacy will evolve, and already is evolving, into a Data Rights Management issue.
Citizens' privacy will continue to be under the spotlight in 2021. The end of privacy as we know it is closer than you may think. Privacy definitions are very different between nation states and cultures; however, one thing that is common is that privacy is becoming less and less of an option for most citizens. In public and online, almost everyone is being watched and monitored 24/7 with thousands of cameras using your expressions, fashion, walk, directions, interactions, and speech to determine what you need, what you might be thinking, who you are going to meet, who is nearby, and even algorithms that determine what your next action might be.
Regulations will continue to put pressure on companies to provide adequate cyber security measures and follow the principle of least privilege to protect the data they have been entitled to collect or process.
I believe the big question, when it comes to data privacy, is "How is citizens' data being used, collected and processed?" Ultimately data privacy will evolve into Data Rights Management, which means rather than giving up personal data for so-called free use of internet services, citizens should and can get paid for allowing their personal data to be used for marketing purposes. It will become more about how the personal data will be used, and what monetization is resulting from the data. In the future everyone will become an influencer; the difference is how much it is worth."
--
Robert Meyers, channel solutions architect at One Identity
"2020 was a very tumultuous year, and in privacy, some good things happened, and some bad things happened. On the good side, we had the NIST Privacy Framework 1.0, and on the bad side, breach after breach, let alone things that aren’t directly privacy related. The problem with privacy programs is there is too much that comes under the category of privacy, and a lot of people don’t understand what that means. 2021 is a year starting with hope: privacy professionals finally have some simple tools.
When building privacy programs, it’s imperative to utilize the new tools, like the NIST Framework, to build a privacy program, and to build strong cybersecurity programs around privileged accounts, control data access, and implement least privilege management tools. While doing this, remember this is part of the privacy program too. With good things on the horizon and the tools available to make understanding privacy easier, 2021 starts as a year of hope. With the NIST Framework privacy programs, privacy professionals and people who are interested in privacy now have a checklist. This is something we’ve never had at this level before, which makes the future look clear for the first time since privacy programs began."
--
Mike Kiser, Senior Identity Strategist, SailPoint
"In the past year, consumers and enterprises alike elevated data privacy to a critical requirement for their digital lives—rising as an indicator of health and a safeguard against the risk of exploitation. This ‘assessment of health’ currently plays a role on both the individual and societal levels:
- On the individual level, users are shifting rapidly to systems and applications that ensure their privacy. Enterprises such as Apple are beginning to emulate nutrition labels with their online store applications, providing end-users the opportunity to make ‘healthy’ choices. If there was any question about individuals’ desire for privacy, the recent shift from WhatsApp to other messaging platforms such as Signal and Telegram (as many as 1.3 million in a single day) demonstrates that how identity data is protected is a key feature for the public at large.
- On the societal level, while nations such as the United States wait on the creation of national privacy regulation, the discussion around data privacy is currently being driven by the worldwide pandemic. Covid19 and the subsequent vaccination initiatives raise new questions about the intersection of societal health and individual privacy. Covid19 contact-tracing applications present challenges for privacy; a trade-off is being made that exchanges some individual data to protect the population at large. A similar choice exists as vaccination becomes more widespread: how do you prove that you’ve been vaccinated without revealing more identity data than necessary? Organizations such as the Vaccine Credential Initiative seek to answer these questions in a standardized way (but these solutions raise questions of fairness and access to technology, which were already issues that surfaced by the pandemic).
Data privacy, then, has expanded its impact over the last twelve months, rising to become a ‘vital sign’ for the health of both society and individuals."
--
Lewis Carr, Senior Director at Actian
"We’re likely going to see technology following the latest workplace/workforce trends, such as increased reliance on remote-enablement tech, collaboration and internal communications tools, IoT sensors and cloud storage to support a hybrid and distributed workforce. For example, Kubernetes managed containers, seen as critical in the Cloud and for DevOps, will start to be used in IoT and front-end mobile environments and standards, such as Multi-access Edge Computing (MEC). This container model will be applied within 5G, WLAN-6 and edge fixed networks to support enterprises with both IoT and branch and remote environments with isolated channels to improve security (something missing from earlier Wireless standards). These MEC platforms will bring rich interactive applications found today in the Cloud and Data Centers all the way down to the Edge, collocating them with edge networks and directly placing real value at the edge.
This is critical because it means issues around data privacy and sovereignty, latency and QoS can be better solved by placing applications – and AI to support more intelligence within them – directly next to end-users where there is more accountability for data versus when it traverses multiple ownership domains. Data privacy and security have never been more prudent as work and life remain largely online, but as with any technology, the policies and use will always need to be embedded into the software and technology to improve data privacy."
--
Alan Krassowski, VP of Technology at Acceptto
"For decades, user credentials unlocked access to data. Being so valuable, they have long been attacked, aided by dozens of password cracking tools. As hacker tooling improved and attacker techniques advanced, locks protecting data privacy became brittle.
Since 2014, attackers have used Mimikatz to steal Kerberos credentials and escalate privileges using a Golden Ticket. In 2017, researchers theorized a Golden SAML attack and released a similar tool called Shimit.
As thousands of enterprises were besieged by SolarWinds attacks, traditional enterprise authentication mechanisms were subverted at an unprecedented scale. In countless Microsoft 365 environments, attackers stole Active Directory Federation Services (AD FS) token-signing certificates and private keys. By forging tokens with arbitrary claims, attackers impersonated arbitrary users, thus gaining unfettered access to critical information including corporate email.
With credentials so easily compromised, data privacy becomes a broken promise. To truly protect data privacy, we must reframe authentication. Instead of a single event based on untrustworthy credentials, it is a continuum.
Modern data science and cloud computing can upgrade defenders' capabilities. We can now incorporate diverse aspects of user behavior, device characteristics, and other environmental factors into our identity models. This more holistic perspective makes attacks orders of magnitude harder. Simultaneously, it improves the legitimate user experience, removing the burden of remembering complex passwords.
When evaluating passwordless continuous authentication vendors, look for solutions that:
- Empower IT and Infosec teams to define custom policies and enforcement rules to balance security risks as data access occurs, especially post-authorization
- Provide passwordless everywhere - via web, mobile, workstation, and existing SSO platforms
- Detect anomalies in real-time on live data streams
- Deploy flexibly in cloud, on-prem, or hybrid environments, with multiple forests and/or disjoint domains
- Establish a root of trust via Desktop SSO on macOS and Windows 10
- Support standards like WebAuthn, OpenID Connect, OAuth2 and are FIDO® Certified
In progressive organizations, continuous authentication has already been proven as the most effective method of keeping imposters out while maintaining the confidentiality, integrity, and availability of private data. This is technology advancement worth celebrating."
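The quote above argues for treating authentication as a continuum that keeps weighing user behavior, device and environment after the initial sign-in, so that a stolen credential or forged token which passes the login step still has to look like the real user for the rest of the session. The following Python is an added illustration of that idea; it is not Acceptto's product or code and is not part of the original post. It scores each post-login event against a per-user baseline of known devices, usual countries and working hours, adds impossible-travel and sensitive-resource signals, and decides whether to allow the event, step up with a stronger factor, or terminate the session. The weights, thresholds, resource names, coordinates and the event stream are all constructed for the example.

```python
"""Continuous-authentication risk scoring over a session event stream (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Illustrative weights and thresholds: assumptions for this example, not any vendor's defaults.
STEP_UP_THRESHOLD = 40       # re-verify with a phishing-resistant factor (e.g. WebAuthn)
TERMINATE_THRESHOLD = 80     # revoke the session and raise an alert
MAX_PLAUSIBLE_KMH = 900.0    # faster than this between two events counts as impossible travel
WEIGHTS = {
    "unknown_device": 40,
    "new_country": 30,
    "impossible_travel": 50,
    "off_hours": 15,
    "sensitive_resource": 25,
}
SENSITIVE_RESOURCES = {"crm.export", "hr.records", "admin.console"}  # constructed names


@dataclass
class SessionEvent:
    """One post-login access attempt inside an already authenticated session."""
    user: str
    ts: datetime          # UTC; treated as the user's local time in this illustration
    device_id: str
    country: str
    lat: float
    lon: float
    resource: str


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user, learned from prior sessions."""
    known_devices: set
    usual_countries: set
    active_hours: range
    last_trusted: Optional[SessionEvent] = None   # last event we accepted for this user


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_event(event, baseline):
    """Score one event against the user's baseline; returns (score, reasons)."""
    score, reasons = 0, []
    if event.device_id not in baseline.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    if event.country not in baseline.usual_countries:
        score += WEIGHTS["new_country"]
        reasons.append("new_country")
    prev = baseline.last_trusted
    if prev is not None:
        hours = (event.ts - prev.ts).total_seconds() / 3600.0
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += WEIGHTS["impossible_travel"]
            reasons.append("impossible_travel")
    if event.ts.hour not in baseline.active_hours:
        score += WEIGHTS["off_hours"]
        reasons.append("off_hours")
    # Post-authorization signal: touching sensitive data raises the bar on its own.
    if event.resource in SENSITIVE_RESOURCES:
        score += WEIGHTS["sensitive_resource"]
        reasons.append("sensitive_resource")
    return score, reasons


def decide(score):
    """Map a risk score to an enforcement action."""
    if score >= TERMINATE_THRESHOLD:
        return "terminate"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate_stream(events, baselines):
    """Process events in order; returns a list of (action, score, reasons).

    Allowed events, and events that passed step-up, advance the baseline's
    'last trusted' pointer; a terminated event never does, so the next event
    is still compared against the last event we actually trusted.
    """
    results = []
    for ev in events:
        bl = baselines[ev.user]
        score, reasons = score_event(ev, bl)
        action = decide(score)
        if action != "terminate":
            bl.last_trusted = ev   # assumption: a step-up challenge was completed out of band
        results.append((action, score, reasons))
    return results


# Constructed sample data: one user, one known laptop, normally in the US during 08:00-18:59.
SEA = (47.6062, -122.3321)   # Seattle
BUH = (44.4268, 26.1025)     # Bucharest


def make_baselines():
    return {"alice": UserBaseline({"laptop-01"}, {"US"}, range(8, 19))}


def _t(day, hour, minute):
    return datetime(2021, 1, day, hour, minute, tzinfo=timezone.utc)


SAMPLE_EVENTS = [
    SessionEvent("alice", _t(28, 9, 0), "laptop-01", "US", *SEA, "mail.read"),
    SessionEvent("alice", _t(28, 9, 20), "laptop-01", "US", *SEA, "crm.export"),
    SessionEvent("alice", _t(28, 9, 35), "unknown-7f", "RO", *BUH, "mail.read"),
    SessionEvent("alice", _t(29, 3, 0), "laptop-01", "US", *SEA, "crm.export"),
]

if __name__ == "__main__":
    for ev, (action, score, reasons) in zip(SAMPLE_EVENTS, evaluate_stream(SAMPLE_EVENTS, make_baselines())):
        print(f"{ev.ts:%m-%d %H:%M} {ev.resource:<11} -> {action:<9} score={score:<3} {reasons}")
```

The third event is the interesting one: a new device in a new country, 15 minutes after a trusted event 9,000 km away, so it exceeds the terminate threshold even though it asks only for ordinary mail access. The fourth shows the post-authorization case the quote calls out: a known device from a usual place, but at 03:00 and exporting CRM data, lands exactly on the step-up threshold rather than being silently allowed.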
--
Yoji Watanabe, President and CEO of Cybersecurity Cloud (CSC)
"With the continued rise in human-operated ransomware and cyberattacks exploiting remote workforces, it’s never been more paramount for enterprises to take data protection concerns seriously. The first step is for enterprises to make sure they are staying compliant with all national, regional and industry privacy laws that apply to their business and to be transparent about how they collect, use and share consumers’ personal information. Enterprises also need to be aware of flaws in their security measures, including Virtual Private Network (VPN) connections with vulnerabilities that can be exploited by hackers. Finally, an increasingly integral part of IT security is to set up a cloud-based Web Application Firewall (WAF), a next-generation firewall that can protect business networks against malicious third-party attacks, ranging from Distributed Denial of Service (DDoS) attacks to direct hacking activity, to malware infiltration and exfiltration."
--
Adrian Moir, Technology Strategist and Principal Engineer, Quest Software
"With a change in working practices comes an opportunity to look closer at the impact of data privacy and privilege. With a distributed workforce, there are issues surrounding differing threat vectors and data usage that may compromise data privacy. While an organisation can have a robust data protection and privacy policy, a substantial change in work practices can, overnight, impact that policy such that it’s no longer effective. Consider, now that you may have hundreds or thousands of workers at home sharing their network with devices that do not meet corporate standards: Where do they store corporate data so it’s kept from prying eyes? How do they transfer that data, share data with other home workers? What’s the exposure of ‘just use a cloud storage solution to share data’? Sharing data and data use become simpler to do, but that can lead to not only data breaches but breaches in privacy policies too. Who can access what data, who can use what data and how can be changed with just a few clicks. Human involvement has a lot to do with a level of data or privacy breach.
As your home workers become more adept at using new services and techniques to share data, they increasingly become a target for bad actors. Now your threat vectors are distributed like your workforce, except your workforce are unlikely to have enterprise grade protection of their home infrastructure. It’s important to educate your workers and reinforce your data protection and privacy policies, and provide the solution deemed suitable to sustaining the new working culture, so workers don’t need to or will not fall outside of your desired policy. Make this an easy thing for your workers so that the uptake is swift but controllable."
--
Brendan O’Connor, CEO and Co-Founder at AppOmni
"The way organizations store data has shifted rapidly to the cloud. At the same time, SaaS vendors that house sensitive data have grown in scope and complexity. They have evolved into complex platforms that provide access not only to internal users, but also to external users, 3rd party apps, contractors, and managed service providers. In short, there are now many more access points to data housed in the cloud. Unfortunately, these relatively new access points are often unknown, or simply overlooked, by enterprise security teams. This has created a massive opportunity for attackers to exploit these applications, which is why we’ve seen so many successful hacks in recent weeks and months. To ensure data privacy for everyone, security teams need to take ownership of data governance in cloud applications.
Specifically, organizations need to:
- Have visibility to which 3rd party applications have access to their data, and actively manage that access on a continuous basis
- Ensure that external users have the appropriate level of access to data. AppOmni has found that external users are over-provisioned and have access to sensitive data in over 95% of enterprises
- Continuously review the permissions for internal users and ensure that they are not able to inadvertently expose sensitive data"
--
Rahul Pradhan, Director of Product Management at Couchbase
"Data Privacy Day 2021 is upon us, and what a year last year was. Spiraling cloud consumption costs, compliance failures, and security breaches have resulted from companies taking their eye off the ball. As most of us know, the cloud can help on all three counts, yet only when managed correctly. If you hand all your autonomy over to a technology vendor, you begin to lose control. And you need to control ownership, policy, compliance, and security - especially around your data. No SLA is so iron-clad that a cloud provider will always accept fault if something terrible happens. Certain bucks always stop at the customer.
In today’s world, Virtual Private Clouds (VPCs) can help address this challenge. In the age of technology, you really cannot hand off your data ownership and policy responsibilities, nor do those responsibilities effortlessly propagate into hosted environments. Failure to address the issue leads to cracks, such as when 23,000 databases were breached last year through an automated scripting attack that exploited misconfigurations that left sensitive information exposed. Retaining full control and ownership of your data and extending your policies into your virtual environments is very important - and an In-VPC approach facilitates that responsibility for the database layer."
--
Anshu Sharma, CEO of Skyflow
"Covid-19 has surfaced a false dichotomy between data privacy and data sharing. With privacy protections that also freely allow collaboration and information sharing, individuals can use digital Covid immunization passports more effectively without fear of losing their personal healthcare data. That means businesses and governments will be able to accept vaccine passports for determining access to travel, schools, workplaces, and more."
--
Stefan Keller, Senior Director SASE at Open Systems
"The proliferation of cyberattacks on healthcare organizations that have exposed sensitive financial and medical data of thousands of patients underscores the need for organizations and individuals in every sector to be vigilant in securing their IT operations on Data Privacy Day and beyond. Secure email and web gateways can provide organizations with robust perimeter protections against phishing attacks, which have become a common occurrence at enterprises. However, many targets are not within the physical office perimeter – especially right now, as many people are working from home. That’s why it’s important for organizations to secure the whole of their widely distributed IT landscapes with a cloud access security broker (CASB) paired with complete, managed web protection. A complete web protection platform enables enterprises to easily ingest data from proxies, decrypt SSL traffic, do rule filtering, block applications from a central console and provide deep visibility into user activity. For best results, enterprises should start with an out-of-band solution to focus on detection and response, while building the baseline for an enforcement policy of cloud usage. Often, the cloud is the best option due to its availability and scalability. Once an enterprise starts deploying the active components of a CASB solution, it may experience issues like false classifications or needed whitelists for some applications. This isn’t very different from any new deployment and is not a problem. But organizations should be sure to implement troubleshooting and change management – which is a core part of the managed CASB service with complete web protection and adjustments – in very short order. That will enable enterprises – which should expect breaches to occur – and their managed detection and response providers to quickly identify and address threats to prevent or minimize damage and protect sensitive data."
--
Wim Stoop, CDP Customer and Product Director, Cloudera
"When it comes to data protection, the list of considerations for businesses can feel never ending. But as a first port of call, it is vital business leaders and IT teams adopt the right approach to data protection. Namely, a proactive, as opposed to reactive, one. To do this, organisations need to close the gap when it comes to tracking, identifying, and classifying information, at scale, in real time. Doing this proactively, as the data enters the lifecycle, rather than retrospectively, is what will set them apart. After all, understanding what data is sensitive or not from the moment you have it, is key to making sure it is protected properly."
"While the checklist for data protection is a lengthy one for businesses, their top priority must be a focus on getting governance right from the start. In doing so, data protection and privacy will become embedded into the business as a natural side effect. Just as is the case with good data, good governance doesn’t just rely on good tech. It requires people, processes and technology operating together to derive value from the data, while keeping it compliant and ultimately, protected."
--
Rick McElroy, Principal Cybersecurity Strategist, VMware Carbon Black
"As a privacy advocate, I commend governments like California for enacting the CCPA, now CPRA, as a means to strengthen data protection. Today, CISOs share responsibility for privacy enforcement, adding more pressure to the traditionally strained role. Moving forward, to allow security roles to learn more about privacy, organizations will either have to invest in automation and the proper tooling to bolster cybersecurity measures or appoint Chief Privacy Officers in a new role focused solely on data privacy. Overall, consumers will ultimately benefit from this shift, as it means their information is held to stringent protection standards and privacy is prioritized across the business."
--
James Alliband, Security Strategist, VMware Carbon Black
"The merging of personal and professional life has created immense opportunity for nefarious cybercriminals. As a result, we’re seeing new phishing attacks where the adversary, understanding that individuals are constantly shifting between work and personal emails, target personal email aliases with malicious links asking for business credentials. It’s never been more important to take on a security-first mindset not just in business, but in personal life as well, for a stronger, more well-rounded security posture. Organizations can help make this possible by providing the necessary, regular training to empower employees, without feeling vulnerable. In the end, it’s all about providing people with the proper tools, assets and resources they need to do their jobs safely, and empowering them with the knowledge and responsibility to do so."