Last year saw a boom in remote work for several industries, which led to
vulnerable systems and a boom in cyberattacks. With this trend expected to
continue (and in some cases increase) in 2021, Data Privacy Day could not come
at a better time. As we begin to work on making this year better than the last,
it is important to look at the ways we are protecting our data, since such a
large part of our economy depends on it. In celebration of Data Privacy Day,
some tech industry leaders provided expert tips on how to increase the safety
and security of data.
Lex Boost, CEO, Leaseweb USA
"2020 saw a boom in remote
workforces for companies spanning most industries and subsectors. Businesses
shifted, en masse, from having a system in place for remote work as the
exception, to remote work as the rule. This shift caused many businesses to
solve immediate issues of business continuity, on both the large and minute scale.
Data Privacy Day comes as we all begin settling into the comfort of normalcy of
remote working, and provides an opportunity for business leaders to consider
whether their current hosting solutions are meeting business needs.
Companies should take this opportunity
to reassess their current office environment and corresponding data strategies.
Organizations leveraging an on-prem data strategy should consider restructuring
to a data center model. As office spaces continue to remain largely unoccupied,
the security of data housed on-premises increases in vulnerability--both to
malicious actors and to unforeseen events like natural disasters. A hosting
provider can offer a variety of solutions and configurations (i.e. dedicated
servers, hybrid cloud, colocation, etc.) that moves your data to an offsite
location with enhanced physical and cybersecurity measures.
Many hosting providers have
the extra layer of protection by offering 24/7 security-related support
services to guarantee your data is secure at all times. Hosting providers are
required to comply with critical and stringent standards such as ISO 27001, SOC
type 1, HIPAA, GDPR and CCPA. The physical buildings where the data centers are
located are also typically gated, and require identification to enter.
During Data Privacy Day
this year, it's important for organizations to remember that protecting data
doesn't have to be a job done alone. As we continue to telecommute, it is
important to rely on hosting providers for an extra layer of protection and
peace of mind."
Trevor Bidle, CISO, US Signal
"A major boost in remote
workforces over the past year was accompanied by a substantial rise in
cybercriminal activity. In 2019, a survey revealed
that 83% of organizations were hit with a cyberattack. In 2020, that greatly
increased, with more cyberattacks reported in
just the first half of 2020 than the entirety of 2019. This Data Privacy
Day is a great opportunity for companies to take heed of these cyber risks and
implement a robust data management solution -- or update their current one.
Modern data management
solutions in 2021 should include disaster-recovery-as-a-service (DRaaS) and
automatic data backup archive-as-a-service (AaaS). AaaS benefits from the
ability to render data immutable to protect it from cyberattacks -- and
securely store data without increasing bandwidth costs.
These solutions should also
incorporate vulnerability management tools. Traditionally, these tools were
programmed to be reactive. However, best-of-breed solutions should utilize
threat intelligence to become proactive and identify and prioritize vulnerabilities
dependent on their criticality. This allows companies to recognize their
systems' weak points and rectify them before the cybercriminals spot them.
In 2021, data center
providers should provide data management solutions that offer an array of features,
including the traditional and the innovative, to ensure that a company's data
is protected regardless of the attack method the cybercriminal chooses. As the
danger of cyberattacks continues to grow in the new year, it is important to
revisit your data management and security approaches to keep one (or more) steps
ahead of digital adversaries -- and ensure data privacy for your employees and
customers."
Laurent Fanichet, VP of Corporate Communications, Sinequa
"We understand that for
some organizations, data privacy requirements like GDPR and CCPA can feel like
a burden, however necessary. Still, we caution businesses to avoid the trap
that compliance requirements are antithetical to using enterprise data to gather
valuable business insights. As privacy and protection regulations continue to
evolve, Data Privacy Day is a reminder to companies that creating a
comprehensive view of all enterprise data is necessary to maintaining
compliance. You cannot protect what you cannot see.
Especially in a remote work
environment, it is imperative to recognize the differences between strong
governance practices that protect data, and the insight mechanisms needed to
leverage the data into broader insights that have direct benefit to business
growth. This is exactly where technologies like intelligent search and natural
language processing are even more critical in helping workers to consistently
find, evaluate, associate, and retrieve information across business units,
while protecting and sustaining the highest levels of data privacy."
Sam Humphries, security strategist, Exabeam
"With organizations
considering 'immunity passports' to get employees safely back to work,
companies are going to have to maintain a delicate balance between protecting
the health and privacy of their teams. New
legislation such as California's AB685 order - which mandates employers must
tell workers in writing that they may have been exposed to the virus - requires
businesses to establish an exposure notification system or face a fine.
Naturally, some employees might be concerned about data privacy in the
workplace and personal health data being exposed. On this year's Data Privacy
Day, I would encourage employees to tackle this problem head on as we all look
forward to getting employees back into the office.
In order to alleviate an
employee's worry about health information being revealed, be sure to be
transparent about data monitoring and craft policies for employees that are
accessible either through paper or digital training. Reassure the team that
exposure notification will not violate HIPAA and all names will remain
anonymous. Content on the process should avoid confusing jargon and feature an
appropriate contact person who can answer all questions.
Companies also need to make
sure that exposure notification systems are compliant with not only AB685, but
data privacy regulations such as CCPA, GDPR and HIPAA. Utilizing existing
technologies in their arsenal such as security analytics, organizations can
establish exposure notification without the need for additional investment or
worry about breaking compliance laws. This particular approach will help
organizations identify individuals' movement around the physical office based
on Wi-Fi connections, scans, etc. - and determine who may have been exposed.
Without naming the individual who has the virus, companies can make sure
employees know when to quarantine and work from home.
The path forward back to
the office from COVID-19 must include data privacy. Data Privacy Day should
serve as a reminder that even when things go back to some semblance of
'normal,' it is good to be open and honest with employees on current privacy
policies. Regular audits should also be conducted during this time, like when
new laws such as the AB685 extension emerge. This will reassure skeptical
employees that both their health and digital data are protected, while the
organization is also being safeguarded."
Jay Ryerse, VP of Cybersecurity Initiatives, ConnectWise
"The age of data privacy
and security is now. We are continuing to educate colleagues and our customers
that data privacy should be built into everything we do. Service providers need
to fully immerse themselves into the threat landscape and the best practices
associated with securing data. Without cybersecurity, there is no such thing as
privacy. This deep dive includes the governance aspect of data protection as
well as the technical and physical controls necessary for the confidentiality,
integrity, and availability of data.
Consumers and businesses
need to start asking the tough questions of their vendors. They need to
understand the supply chain for the services they outsource and what those
companies are doing to provide the best in class cybersecurity protections. If
those vendors don't believe they are at risk, then it may be time to find a new
provider."
Josh Odom, CTO, Mailgun
"In honor of Data Privacy
Day 2021, it's time we broke down the most prominent privacy regulations and
how they play into the data-saturated world of email marketing.
The EU's General Data
Protection Regulation (GDPR) covers several lawful bases for data processing,
and consent is one of them. As email marketers, we need to shift our
understanding of consent from permanent to dynamic. This means that consent
under GDPR is specific to the activity. We must ask ourselves: do I have permission
to send marketing messages to them? Are they expecting my emails?
Even a scammer would need
my explicit consent to continue sending me spam. While this might frustrate
email marketers, customers must also have the option to withdraw consent
(objecting to use of information for direct marketing) if they decide they
don't want to hear from you anymore. But why would you want to talk to someone
who isn't interested in what you have to say anyway?
The requirements for the
U.S.'s California Consumer Privacy Act (CCPA) echo the importance of consent.
Email marketers must be explicit about any information collected or sold from
the exchanges with the California-based contact -- and work with their sales
teams to ensure that contact receives the same quality service at the same
price as all prospects, regardless of their privacy decisions.
Whether you're looking to
optimize your GDPR and CCPA compliance or just getting started in email
marketing and want to ensure you're on the right path, prioritizing steps into
actionable pieces is the way to go. Confirming consent with existing contacts
and protecting data with proper security measures can seem overwhelming, but
when in doubt don't hesitate to reach out for advice or to a lawyer that
specializes in data protection.
At the end of the day, what
matters is keeping your contacts informed at all times of what's being done
with their information. Having a trail of documentation that you can show to
prove this will prepare you in case you're audited for compliance purposes.
There is no one-stop shop for achieving compliance, but we hope these tips will
help our email marketing friends this Data Privacy Day -- and far beyond."
JG Heithcock, GM, Retrospect, a StorCentric company
"According to IBM, the
average cost of a data breach in 2020 was $3.86 million.
After a year rife with economic uncertainty, massive shifts of data to the
cloud and an increase in remote workers, ransomware and phishing attacks have
grown exponentially. Cybercriminals have leveraged information about COVID-19
testing, research and vaccine rollout to lure victims with phishing attacks,
increasing the attack surface faced by organizations who might be operating
with lean teams and limited resources.
As business leaders look to
secure their data, an arsenal of standard practices will protect sensitive and
important information from ransomware and other cyberattacks. By maintaining
proper password hygiene and vigilance around suspicious email addresses,
requests and links, employees can reduce the risk of phishing and other data
privacy violations. When organizations incorporate the added layer of
maintaining an effective backup strategy with a 3-2-1 backup rule,
organizations are better equipped to store sensitive information, which can be
recovered quickly, easily and safely to avoid disruption."
Surya Varanasi, CTO, Nexsan, a StorCentric Company
"In 2020, organizations
were forced to rapidly shift to remote work models in response to COVID-19. As
we contemplate safe returns to the office, many organizations will explore
either full or hybrid remote work options for this year and into the future.
With an increased reliance on the cloud and a distributed enterprise, new
challenges are brought on by an expanding threatscape spurred by cybercriminals
looking to exploit the pandemic for their gain.
In order to fight the
mounting threats and protect their data, organizations must combine known best
practices with modern technology. Once those are in place, incorporating
unbreakable backup solutions will serve as a last line of defense, allowing
organizations the ability to recover, maintain uninterrupted operations and
avoid paying ransoms should they be attacked. This way, sensitive information
is kept safe and business continuity remains intact."
David McNeely, Chief Strategy Officer, Centrify
"Beginning the year by
observing Data Privacy Day serves as an excellent reminder for organizations to
explore the mounting threats to their data and systems, and review the security
of their credentials. This year, it's imperative to note that the exponential
growth of non-human identities means human users are not the only identities
that can or will have access to sensitive data, often leaving credentials with
broad privileges open to compromise. As the threatscape continues to expand,
organizations must realize the importance of securing all identities including
humans, machines, services, APIs, etc., which often provide privileged access
to sensitive data.
Complexities around
protecting and securing identities have been compounded by the industry's mass
shift to remote work and disbursement of security teams. Additionally, as
modern organizations continue to expand automation's role in DevOps and cloud
environments, organizations must protect their credentials by following best
practices to reduce the use of shared passwords, implement multi-factor
authentication, strive for zero standing privileges, and adopt a centralized
privileged access management (PAM) solution.
Authentication methods such
as federation, ephemeral tokens, and delegated machine credentials can also
help to reduce the overall attack surface and seamlessly incorporate PAM into
the DevOps pipeline. When combined with a least privilege approach, these best
practices and modern solutions can improve an organization's security posture,
minimize the risks of compromised credentials, and ensure data privacy for both
the organization and its customers, throughout 2021 and for the long term."