Data Privacy Day, an international "holiday" that occurs each year on January 28, was created to raise awareness and promote privacy and data protection best practices. The National Cyber Security Alliance (NCSA) assumed leadership of Data Privacy Day from the Privacy Projects back in August of 2011. A nonprofit, public-private partnership dedicated to promoting a safer, more secure and more trusted Internet, NCSA is advised by a distinguished advisory committee of privacy professionals.
Data Privacy Day's educational initiative originally focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking. In addition to its educational initiative, Data Privacy Day promotes events and activities that stimulate the development of technology tools that promote individual control over personally identifiable information; encourage compliance with privacy laws and regulations; and create dialogues among stakeholders interested in advancing data protection and privacy.
With this in mind, VMblog has compiled some detailed perspectives, as well as some tips for better protection of sensitive corporate data, from a few industry experts on this Data Privacy Day 2022.
--
Rick Vanover, Senior Director, Product Strategy, Veeam Software
Today, privacy matters. Data Privacy continues to be more important than ever. From an awareness standpoint, Data Privacy doesn’t get the attention it needs. I see IT organizations constantly manage large amounts of data that really doesn’t matter any longer. ROT – Redundant, Obsolete or Trivial – Data should be moved out of its storage lifecycle. My practical advice on Data Privacy Day is to assess what data is where and identify what needs to be removed. If it doesn’t need to be removed, then determine if selected data should be moved to a correct tier or policy. From a privacy perspective, where it exists is an important first step of the process.
Dave Russell, VP of Enterprise Strategy, Veeam Software
Today data privacy is at greater risk than ever before. There are concerns over accidental data leakage, which is not malicious, but still represents an opportunity for exposure. Increasingly, cyberthreats and ransomware no longer target data for bad actors to encrypt until a ransom is paid, but now data exfiltration and purposeful data leakage can be a component of the cyberattack. Even small pieces of data can be important, and now many pieces of data can be combined to represent an even larger privacy risk. This means that data security, frequent reviews of what data is truly required to be retained, and data availability are all needed to ensure that corporate and personal data remains safe.
++
Simon Taylor, CEO at HYCU
The issues around data privacy have never been more at the center of the industry conversation than they are now. Data Privacy Day serves as a healthy reminder to us all that not only should we do everything that we can to safeguard our personal and corporate data, but that it's a time to revisit best practices to back up, manage and protect our data, no matter where it resides. If the escalation of ransomware attacks over the past eighteen months has taught us anything, it's that you can never be too vigilant. That is why we, along with other industry pioneers like Boston College, FireEye Mandiant, SADA and Carahsoft, created the public service R-Score, designed to help companies assess their readiness to recover in the inevitable event of a ransomware attack. As the market continues to adopt SaaS-based services and technologies from on-premises to public clouds, data privacy is a reminder to us all that it's a shared responsibility.
Justin Endres, SVP of Worldwide Sales at HYCU
It’s no secret that organizations continue to face data, privacy and resiliency challenges as they adapt to new and more demanding realities across their on-premises, hybrid and multi-cloud environments. As we navigate the new year, there will be an increased focus on making processes agile, scalable, and fully available – oh and securing it all the while. We’ve seen recent cyber incidents and they certainly cause a considerable amount of anxiety; however, these are all fairly mild, relatively speaking, given the possibilities amidst rising tensions around the world. Data Privacy Day is a great reminder that Cybersecurity is not just about IT, it is about governance, planning, practice, training and individual accountability.
++
Andy Syrewicze, Technical Evangelist at Hornetsecurity
In today’s world of data breaches, ransomware, cloud storage, and easy file sharing, data privacy has never been more important. Maintaining data privacy has become a major issue for many organizations and many of them can (and should) start by implementing best-of-breed security and DLP related tools for their organization. These types of utilities are critical in identifying sensitive information, classifying it, and preventing said information from leaving the organization in an uncontrolled manner.
This, however, is only one side of the puzzle. There is always a human element to data privacy. It falls on all employees of the business to take stock of where, how, and why data is being shared. In today’s age where we can share documents with the touch of a button, user training is crucial in keeping risk low when sharing data.
With a combined technical/user-training strategy, organizations will be in a place to protect company data at all facets of the business, while also being able to conduct continuous risk assessments and respond accordingly.
++
Rick McElroy, Principal Cybersecurity Strategist, VMware
We’re all familiar with the concept of The Great Resignation, but what organizations need to be hyper-aware of this Data Privacy Week is its significant impact on insider threats. The number of employees that have left a company but still have access to the network or proprietary data - whether accidentally or purposefully - has significantly increased. Malicious actors know this and will start to target these employees to either carry out cyberattacks or plant ransomware. CISOs need to reevaluate their current security posture to ensure that this type of data is properly protected so that an instance of an employee departing from a company is not linked to a possible security incident.
Karen Worstell, Senior Cybersecurity Strategist at VMware
The lines between work and our personal life have increasingly been blurred over the past few years as our homes now double as our offices. This is not likely to change soon, as companies continue to delay their return to office plans. As we settle into a new era of anywhere work, enterprises must understand that data privacy practices rest on a foundation of strong cybersecurity controls. Data Privacy Week is a time for organizations to set goals for implementing best practices that improve data protection and cybersecurity. These include robust vulnerability management, implementing multifactor authentication, threat hunting, and network micro-segmentation, among others.
++
Vladislav Tushkanov, privacy expert at Kaspersky
The last year brought many new challenges and opportunities in the field of data privacy. Privacy is very complex as it is a technological, ethical and legislative issue and is shaped by the interests of governments, businesses and people as citizens and consumers. While just a few years ago data leaks were in the headlines, in 2021 we saw much more attention given to how legitimate data collection by businesses, employers and governments can be detrimental to personal privacy. This is why we see more initiatives from both corporations and the public sector to promote privacy and privacy-preserving technologies: from Apple and Google moving much of the data processing for their smartphones onto the devices (“edge computing”) to discussions on using differential privacy in the analysis of US Census data.
We expect a lot of interesting developments here, with new legislation being adopted and proposed in this field (such as the TLDR Act in the US or the Digital Services Act in the EU) and privacy-first products gaining popularity. Companies that rely on data analysis as their business model will have to adapt further to these new trends and find new creative ways to both empower their customers to control their data and continue to provide value.
++
William Bush, Field CTO - Europe at Catalogic Software
Data Privacy Day is now in its 15th year and is a timely reminder that data privacy goes hand in hand with data protection and data security. Data protection refers to making copies of your data to restore in the event of a loss or corruption, whereas data security refers to the mechanism of keeping your data safe from unauthorized access and distribution.
As a minimum for your organization’s data to be protected, we recommend following the 3-2-1-1 rule:
3 - Maintain at least three encrypted copies of your data
2 - Keep two copies on different media types
1 - Secure at least one copy at an off-site location, ideally air gapped
1 - Have at least one verified copy to recover from.
This rule goes a long way to creating a basic data security strategy for an organization to protect and recover its data from the growing risk cyber-criminals pose.
As a data protection specialist, I will be undertaking the following steps on this day:
- A review to ensure all data has the relevant RPOs and RTOs associated with it,
- A review of the results of my business’s last DR test
- A check to ensure we are running these tests at least quarterly with the target of ensuring all data can be recovered as per the defined RTOs
- And running some basic penetration testing to review what security enhancements could be made within my business’s environment to ensure all data is as safe as possible.
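The 3-2-1-1 rule above is easy to state and easy to drift away from as copies get added and retired. As an added example (not from the original article or from Catalogic), the following checker evaluates a constructed backup-copy inventory against each of the four counts and also raises the "ideally air gapped" advisory for off-site copies. The `BackupCopy` fields, the `PRIMARY_SITE` label and the two sample inventories are assumptions made for the demonstration.

```python
"""Evaluate a backup-copy inventory against the 3-2-1-1 rule.

Added example; the inventories below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str        # e.g. "disk", "tape", "object-storage"
    location: str     # site label; compared against the primary site
    encrypted: bool
    air_gapped: bool  # offline / immutable, not reachable from production
    verified: bool    # a restore from this copy has actually been tested


PRIMARY_SITE = "dc1"  # assumed label of the production site (constructed)


def check_3_2_1_1(copies, primary_site=PRIMARY_SITE):
    """Return (results, findings): results maps each rule to True/False,
    findings lists human-readable gaps plus the air-gap advisory."""
    encrypted = [c for c in copies if c.encrypted]
    media_types = {c.media for c in copies}
    offsite = [c for c in copies if c.location != primary_site]
    verified = [c for c in copies if c.verified]

    results = {
        "3_encrypted_copies": len(encrypted) >= 3,
        "2_media_types": len(media_types) >= 2,
        "1_offsite_copy": len(offsite) >= 1,
        "1_verified_copy": len(verified) >= 1,
    }
    findings = []
    if not results["3_encrypted_copies"]:
        unencrypted = [c.name for c in copies if not c.encrypted]
        findings.append(f"only {len(encrypted)} encrypted copies; unencrypted: {unencrypted}")
    if not results["2_media_types"]:
        findings.append(f"all copies on a single media type: {sorted(media_types)}")
    if not results["1_offsite_copy"]:
        findings.append(f"every copy is at the primary site {primary_site!r}")
    elif not any(c.air_gapped for c in offsite):
        findings.append("advisory: no off-site copy is air-gapped")
    if not results["1_verified_copy"]:
        findings.append("no copy has a tested restore; recovery is unproven")
    return results, findings


def is_compliant(copies, primary_site=PRIMARY_SITE):
    results, _ = check_3_2_1_1(copies, primary_site)
    return all(results.values())


# Constructed inventory that satisfies the rule (off-site copy is not air-gapped).
SAMPLE_COPIES = [
    BackupCopy("prod-disk-snapshot", "disk", "dc1", encrypted=True, air_gapped=False, verified=True),
    BackupCopy("weekly-tape", "tape", "dc1", encrypted=True, air_gapped=True, verified=False),
    BackupCopy("cloud-object-copy", "object-storage", "cloud-eu-west", encrypted=True, air_gapped=False, verified=False),
]

# Constructed inventory that fails every count: two disks in one site, one unencrypted, untested.
WEAK_COPIES = [
    BackupCopy("nightly-disk-a", "disk", "dc1", encrypted=True, air_gapped=False, verified=False),
    BackupCopy("nightly-disk-b", "disk", "dc1", encrypted=False, air_gapped=False, verified=False),
]

if __name__ == "__main__":
    for label, inventory in (("sample", SAMPLE_COPIES), ("weak", WEAK_COPIES)):
        results, findings = check_3_2_1_1(inventory)
        print(label, results, findings)
```

The advisory is kept separate from the pass/fail results because the rule as stated treats the air gap as "ideal" rather than mandatory; a team that wants it enforced can promote that line to a hard failure.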
++
Indu Peddibhotla, Senior Director, Products and Strategy, at Commvault's SaaS venture, Metallic
This year’s data privacy day finds CIOs, CISOs, and other IT professionals putting data privacy front and center, as they seek to ensure their organizations are in compliance with GDPR, CPRA, and other government data privacy regulations that have been implemented over the past few years.
However, the growing use of the cloud by organizations complicates this compliance. Though the cloud has made their IT environments less expensive, more flexible, and more scalable, it has also resulted in their data being sprawled across dozens of SaaS applications and multiple cloud services, in addition to their existing on-premises systems and hundreds (or more) employee endpoints. This data sprawl makes it difficult for IT and Compliance teams to implement robust data management strategies that allow their organizations to cost-effectively comply with data privacy regulations.
However, a new class of Data Management as a Service (DMaaS) solutions are making it possible for these IT and Compliance professionals to more easily manage this data sprawl in ways that allow them to address these data privacy challenges. Using these data management technologies, these professionals can simplify the implementation of intelligent data management strategies that allow them to 1) identify where all their data is, 2) classify and tag personally identifiable information (PII) and other sensitive data, and 3) search their data so they quickly comply with customers’ “right to be forgotten” requests and other data privacy regulatory requirements.
Such intelligent data management capabilities enable these professionals to implement processes that allow them to affordably protect, secure, retain, and erase sensitive data, and otherwise comply with data privacy regulations. In addition, these capabilities go beyond just data privacy to help them accelerate their organization’s digital transformations.
For example, with intelligent data management these professionals can minimize the data surface area their organization exposes to cyberattacks. They can make sure their organization’s business-critical data can be rapidly recovered if it is locked by a ransomware attack. They can quickly find data needed to address a judge’s eDiscovery order. They can optimize how they store their data, reducing their cloud service expenses, on-premises storage investments and other storage costs. And they can easily collect data that, when analyzed, yields them valuable business insights.
As IT professionals take today’s data privacy day to reevaluate how well they are governing their data, they should remember that an intelligent data management strategy does not only help them reduce the risk that their organization might be fined and its reputation damaged for not complying with data privacy regulations. Such a strategy can also help them better protect themselves from cyberattacks and other threats to their business, and expand how they use data to grow their business.
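Both the Hornetsecurity comment above (DLP tools that identify and classify sensitive information) and this Metallic comment (classify and tag PII so it can be found and erased) rest on the same first step: scanning content for PII patterns and assigning a sensitivity label. The following is an added example, not code from the original article or from either vendor, showing a minimal classifier over constructed documents. The detectors (email, US SSN-shaped numbers, payment-card numbers validated with the Luhn checksum to cut false positives on ordinary digit runs) and the label names are assumptions for the demonstration.

```python
"""Tag documents with PII categories and derive a sensitivity label.

Added example; patterns and sample documents are constructed for illustration.
"""
import re

# Constructed detectors; a production DLP engine uses validated, locale-aware ones.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US SSN-shaped: 3-2-4 digits
CARD_RE = re.compile(
    r"(?<![\d-])(?:\d{4}[ -]){3}\d{4}(?![\d-])"  # 4-4-4-4 with separators
    r"|(?<!\d)\d{13,19}(?!\d)"                    # or a bare 13-19 digit run
)


def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled (minus 9 if >9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text):
    """Return {category: count} for the PII categories found in `text`."""
    tags = {}
    emails = len(EMAIL_RE.findall(text))
    if emails:
        tags["email"] = emails
    ssns = len(SSN_RE.findall(text))
    if ssns:
        tags["ssn"] = ssns
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # digit runs that fail the checksum are not cards
            cards += 1
    if cards:
        tags["payment_card"] = cards
    return tags


def label_for(tags):
    """Map the found categories onto a simple three-tier sensitivity label."""
    if tags.get("ssn") or tags.get("payment_card"):
        return "restricted"
    if tags.get("email"):
        return "internal"
    return "public"


def scan_documents(docs):
    """docs: {name: text}. Returns {name: {"label": ..., "tags": {...}}}."""
    report = {}
    for name, text in docs.items():
        tags = classify_text(text)
        report[name] = {"label": label_for(tags), "tags": tags}
    return report


# Constructed sample documents.
SAMPLE_DOCS = {
    "invoice.txt": "Contact billing at jane.doe@example.com for questions about your order.",
    "hr-export.csv": "employee_id,ssn\n1001,123-45-6789\n",
    "payments.log": ("charge ok card=4111 1111 1111 1111 amount=19.99\n"
                     "ref=1234 5678 9012 3456 is a transaction id, not a card\n"),
    "readme.md": "Nothing sensitive here; build id 20220128000001 is just a timestamp.",
}

if __name__ == "__main__":
    for name, result in scan_documents(SAMPLE_DOCS).items():
        print(f"{name:15} {result['label']:11} {result['tags']}")
```

The checksum step is the part worth copying: without it, every 16-digit transaction id or 14-digit timestamp would be tagged as a card and the classifier would be too noisy to act on.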
++
Candid Wüest, VP of Cyber Protection Research at Acronis
‘Your privacy is important to us’ or ‘we take your privacy seriously’. Has reading these statements over and over again spiked some doubts in your mind as well? Unfortunately, large data breaches are still very common. They often happen due to weak Access Control Lists (ACL), such as a badly configured Amazon AWS S3 bucket that is readable by anyone, or resource enumeration vulnerabilities in online services, allowing any user to view all entries. Of course, the classic stolen or weak password adds to the problem as well. No matter how many New Year’s resolutions people make, we still see too many weak passwords being used across multiple accounts. To make matters worse, multi-factor authentication (MFA) and zero-trust models are still not as common as we might hope. According to a recent global survey by Acronis, 10% of IT administrators don’t use multi-factor authentication on any of their accounts and 38% use it only on a few of their accounts.
Organizations need to ensure that no matter where their data resides, access is properly protected through ACL and additional measures such as encryption and zero-trust models. This should also include proper monitoring and tracing so that it is clear who read what data and when. Shockingly, most do not even know where all customer data is stored. It is only when these basic principles are respected that we can believe that data protection is really taken seriously.
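The "badly configured S3 bucket readable by anyone" case above is detectable from the bucket policy document alone: an `Allow` statement whose `Principal` is `*` (or `{"AWS": "*"}`) and whose actions include object reads or bucket listing. As an added example (not from the original article or from Acronis), the following checker walks a policy and reports such statements, with the two sample policies constructed for the demonstration; the account id `123456789012` is the usual documentation placeholder, not a real account.

```python
"""Report bucket-policy statements that let anyone read from an S3 bucket.

Added example; both policy documents below are constructed.
"""
import json
from fnmatch import fnmatch

# Actions that allow reading objects or listing keys; matched against policy
# action patterns such as "s3:GetObject", "s3:Get*", "s3:*" or "*".
READ_ACTIONS = ("s3:getobject", "s3:getobjectversion", "s3:listbucket")


def _as_list(value):
    """Policy JSON allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}: anonymous or any AWS account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions):
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatch(read, pat) for read in READ_ACTIONS for pat in patterns)


def public_read_statements(policy_document):
    """Return the Allow statements that grant read access to everyone.

    A statement carrying a Condition is still reported (flagged as
    conditioned) because conditions need a human review, not an automatic pass.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "resources": _as_list(stmt.get("Resource", [])),
            "conditioned": "Condition" in stmt,
        })
    return findings


# Constructed: the classic world-readable bucket policy.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed: reads limited to one role, plus a Deny for non-TLS access.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppReaderOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    print("public:  ", public_read_statements(PUBLIC_POLICY))
    print("hardened:", public_read_statements(HARDENED_POLICY))
```

This looks only at the policy document; a complete review of a bucket also covers its ACL grants and the account-level and bucket-level public-access block settings, since any one of those can open the bucket on its own.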
++
Erkang Zheng, Founder and CEO at JupiterOne
The industry is grappling with a fragmentary approach to privacy, which has significant security implications. From a security standpoint, it's a massive challenge because there is no single global privacy standard to build upon, which leaves room for errors.
Security is often a game of details, so as the privacy landscape becomes increasingly complex, it introduces more things that can go wrong. In addition, a patchwork approach makes operations difficult as security professionals must understand and implement the disparate privacy and compliance regulations from around the world and jerry-rig them together for business continuity.
Ideally, an international consortium would address these diverse privacy rules worldwide. New privacy rules create complexity and not just from a compliance standpoint. It also creates operational complexities for security teams.
We need to see greater simplification on the process side, driven by the unification of regulations. So many things sound great on paper, but how practical is it to implement security across so many different regulatory frameworks? At the very least, national rules will need to come together for organizations to implement a cohesive privacy framework for each country. By not reaching some consensus about privacy, we introduce greater risks for everyone to stand up with adequate security protections.
++
Corey O'Connor, Director of Products at DoControl
Data privacy has been top of mind for both individuals and organizations alike. There are now global, national and local regulations that require companies of all sizes and types to have the appropriate cyber security measures in place to prevent PII from making its way into the public domain. From a business' perspective, the negative implications for non-compliance with some of these regulations such as General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) are significant. At the individual or consumer level, people are more frustrated than ever with losing control over how their own PII is handled, manipulated and processed by businesses.
Software as a service (SaaS) applications are a critical data source for business today. These productivity and collaboration tools are what drives the business forward. PII files and data are enveloped into many of the SaaS applications being utilized by the business. Whether it's data within SFDC, or files exchanged over Slack, many of the tools and technologies being leveraged by organizations today are not granular enough to prevent data leakage or data exfiltration. There's a need to go deeper down the stack and introduce granular data access controls across the SaaS application data layer.
Industry regulations evolve. Cyber attackers' techniques improve and evolve as well. Organizations need to have the right people, process and technology in place to stay one step ahead and establish a strong data privacy program that effectively mitigates the risk of non-compliance, as well as a data breach.
++
Archie Agarwal, Founder and CEO at ThreatModeler
A major part of data privacy is safeguarding the data. And when it comes to safeguarding data, we feel organizations should operate from a very simple paradigm: identify all the threats and then mitigate them.
Safeguarding data means different things to different organizations. But for those involved in developing software systems, we feel strongly that the best way to identify all the threats and mitigate them is by incorporating threat modeling right into their development lifecycle. It's the most effective way to identify threats prior to deployment, which is obviously preferable.
++
Heather Paunet, Senior Vice President at Untangle
In today's connected era, people disclose personal data during dozens of daily interactions, from online shopping, healthcare portals, social media, wearable devices to streaming services. This data is used to create profile-specific experiences across a multitude of devices and mediums, resulting in personalized, effective marketing campaigns.
However, the information customers give in exchange for a personalized experience can be very attractive to hackers, yet there is growing concern as to how companies are using information. As a result, many people want to trust that the companies they give their information to will keep it safe, but it also means consumers must take some privacy matters into their own hands to keep their personal data safe.
- Deploy multi-factor authentication for cloud-based tools
- Ensure that passwords are strong
- Lock your computer when away from your desk, even at home
- Don't use public Wi-Fi for transactions
- Install anti-virus & anti-spyware software, and a firewall
As more high-profile data breaches and cyberattacks come to light, customers are looking to businesses to strike a balance between data protection and collection.
To ensure compliance with current, and new regulations, businesses need to understand the data they're taking in and who has access. Laws such as the Colorado Privacy Act (CPA), with similar versions in CCPA and CDPA, include a requirement to conduct a data protection assessment. This is an important first step that any business collecting consumer data should take. Businesses will need to understand what is being collected, and how to protect customer data, while also continuing employee education about data ownership and protection.
In addition, businesses need an effective strategy to communicate how customer information is collected, used and when it may be sold or disclosed for business-related purposes. Transparency in data collection is a foundational pillar for businesses looking to maintain a trusting relationship with their customers.
++
Mohit Tiwari, Co-Founder and CEO at Symmetry Systems
You do not need to give up data privacy so that organizations can thrive off of personalized advertising or by hosting customer data in a Software-as-a-Service (SaaS) application. Road safety is a great example where protocols and training sets appropriate expectations among drivers, bikers, pedestrians, etc. Similarly, there is considerable research and new commercial tools for organizations to measure how customer data is used internally and safeguard it -- and the recent exodus towards Signal shows that respecting customer privacy can actually be good for business.
++
Keith Neilson, Technical Evangelist at CloudSphere
In the U.S. alone, there are several disparate federal and state laws, some of which only regulate specific types of data - like credit or health data, or specific populations - like children. Combine these regulations with the many different international laws that aim to ensure data privacy, such as GDPR, and compliance for companies with global operations becomes an extremely complex undertaking.
Data Privacy Day serves as a reminder that cyber asset management should be a top priority for every organization. Enterprises cannot ensure compliance and data security unless all assets are properly known, tagged, and mapped in the cloud. To avoid jeopardizing sensitive company or customer data, organizations must take the first step of cyber asset management to secure visibility of all cyber assets in their IT environment and understand connections between business services. This includes identifying misconfigurations and automatically prioritizing risks to improve overall security posture, allowing for real-time visibility and management of all sensitive data.
++
Kevin Breen, Director of Cyber Threat Research at Immersive Labs
As organizations continue to migrate to the cloud and put a heavier reliance on third parties and SaaS platforms managing their data, it can be easy for individuals and organizations to lose track of who has what data and how it is being used. Data breaches impact our daily lives - just look at the harrowing statistics provided by haveibeenpwned. To date, more than 11 billion accounts have been compromised in data breaches from almost 600 third-party services.
There is no magic bullet or single solution that can fix this problem. Each person has their part to play.
Organizations running these kinds of services need to ensure their developers understand the risks of this data being compromised and put the relevant authentication and access controls in place. Bringing security considerations and training in earlier on in the development process - what is considered “shifting security left” - can help prevent breaches before they happen. This is critical when you consider that 81% of developers have knowingly released vulnerable applications.
However, it doesn’t just come down to the developers and security teams. As an organization, you need to know how to respond in the event of a breach that compromises your data privacy. It’s easy to see a public data breach and think it doesn’t affect you. In reality, password reuse is common across platforms and is a well-known technique used by attackers following any kind of breach. It’s not enough to have playbooks in place - you need to ensure you exercise these playbooks with regular cadence and include wider audiences than just your security teams. Legal, Compliance, and Communication teams all have vital roles to play.
Finally, don’t ignore your users. Whilst they are commonly the first line of attack, they are also the first line of defense. Having a well-informed and trained user base can help security teams identify potential attacks before they can take hold.
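The password-reuse problem described above has a characteristic footprint on the defending side: after a third-party breach, one source tries leaked username/password pairs against many different accounts in a short time, with the occasional success where a user reused the password. As an added example (not from the original article or from Immersive Labs), the following detector runs over constructed authentication log lines, flags sources whose failures span many distinct accounts inside a time window, and lists the accounts that then succeeded from such a source so they can be reset and the user notified. The log format, thresholds and addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are assumptions for the demonstration.

```python
"""Spot credential-stuffing style login activity in authentication logs.

Added example with a constructed log format; real systems need their own parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO-8601 UTC> auth <event> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"(?P<event>login_failed|login_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(lines):
    """Return (timestamp, event, user, src) tuples sorted by time; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("event"), m.group("user"), m.group("src")))
    return sorted(events)


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Return {src: distinct_users} for sources whose failed logins touched at
    least `min_users` different accounts inside any `window`-long span.

    One user failing repeatedly (a forgotten password) never trips this, because
    the count is of distinct accounts, not of attempts.
    """
    failures = defaultdict(list)
    for ts, event, user, src in parse_events(lines):
        if event == "login_failed":
            failures[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            distinct = {u for _, u in fails[start:end + 1]}
            if len(distinct) >= min_users:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def accounts_to_reset(lines, **kwargs):
    """Accounts that logged in successfully from a flagged source: the reused
    password very likely worked, so these need a reset and a user notification."""
    flagged = detect_credential_stuffing(lines, **kwargs)
    return {user for ts, event, user, src in parse_events(lines)
            if event == "login_ok" and src in flagged}


# Constructed sample: bob fumbles his own password; 203.0.113.45 sprays six accounts.
SAMPLE_LOG = [
    "2022-01-28T09:00:01Z auth login_failed user=bob src=198.51.100.7",
    "2022-01-28T09:00:20Z auth login_failed user=bob src=198.51.100.7",
    "2022-01-28T09:00:41Z auth login_failed user=bob src=198.51.100.7",
    "2022-01-28T09:01:05Z auth login_ok user=bob src=198.51.100.7",
    "2022-01-28T09:10:00Z auth login_failed user=alice src=203.0.113.45",
    "2022-01-28T09:10:02Z auth login_failed user=carol src=203.0.113.45",
    "2022-01-28T09:10:03Z auth login_failed user=dave src=203.0.113.45",
    "2022-01-28T09:10:05Z auth login_failed user=erin src=203.0.113.45",
    "2022-01-28T09:10:06Z auth login_failed user=frank src=203.0.113.45",
    "2022-01-28T09:10:08Z auth login_failed user=grace src=203.0.113.45",
    "2022-01-28T09:10:09Z auth login_ok user=grace src=203.0.113.45",
    "2022-01-28T09:30:00Z auth login_failed user=heidi src=198.51.100.9",
    "this line is not in the expected format and is ignored",
]

if __name__ == "__main__":
    print("flagged sources:", detect_credential_stuffing(SAMPLE_LOG))
    print("accounts to reset:", accounts_to_reset(SAMPLE_LOG))
```

The second function is the one the playbook exercise above should lead to: an alert on its own is noise unless someone owns the follow-up of resetting the affected accounts and telling the users why.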
++
Lewis Carr, Senior Director, Product Marketing at Actian
2021 was one of the worst years for cybersecurity ransomware attacks to date. The threat will only grow in the upcoming year as attackers become emboldened by their success and the lack of adequate responses against them. However, data privacy will be driven by changing perceptions of how important it is for public and private sector organizations to safeguard personal data and what exactly is considered ‘personal data.’ The need to protect personal data and information will impact where and how data is stored, integrated and analyzed in accordance with an expanding set of data privacy regulations, balanced against the need to better understand consumers, citizens, patients and employees working remotely.
In 2022, expect to see all personal information and data sharing options get more granular as to how we control them – both on our devices and in the cloud – specific to each company, school or government agency. We’ll also start to get some visibility into and control over how our data is shared between organizations without us involved. Companies and public sector organizations will begin to pivot away from the binary options (opt-in or opt-out) tied to a lengthy legal letter that no one will read and will instead provide the data management and cybersecurity platforms with granular permission to parts of your personal data, such as where it’s stored, for how long, and under what circumstances it can be used. You can also expect new service companies to sprout up that will offer intermediary support to monitor and manage your data privacy across.
++
Rob Price, Principal Expert Solution Consultant at Snow Software
Data privacy and protection is the responsibility of every employee within the organization, and safeguarding sensitive information is core to every organization’s business. However, data privacy laws differ around the world and across industries, so when it comes to data protection, organizations need to understand what they are legally obligated to do. This is especially true when it comes to data retention, as organizations need to understand how long they must keep data. Once their data retention period ends, organizations should get rid of excess data they no longer need, because it quickly becomes a liability as well as an unneeded expense.
The adoption of cloud technology has been a critical component to how we approach privacy and data protection today. A common misconception is that if your data is offsite or cloud-based it’s not your problem – but that is not true because the cloud is not a data management system. Two fundamental factors for data protection and security are the recovery point objective (how old can data be when you recover it) and the recovery time objective (how quickly can you recover the data). Every company’s needs are different, but these two factors are important when planning for data loss.
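The two objectives defined above only mean something once they are measured against what the backup and restore history actually delivers. As an added example (not from the original article or from Snow Software), the following computes the achieved RPO as the longest interval without a new recovery point (including the gap from the newest backup to now) and the achieved RTO as the slowest measured restore from DR tests, then compares each with its objective. The datasets, objectives and timestamps are constructed for the demonstration; a dataset that has never had a restore test is reported as not meeting its RTO, since an untested recovery time is unknown.

```python
"""Measure achieved RPO and RTO against objectives from backup and restore-test history.

Added example; all timestamps and objectives below are constructed.
"""
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def worst_backup_gap(backup_times, now):
    """Largest interval with no new recovery point, including the gap from the
    newest backup to `now`: the most data a restore could lose."""
    times = sorted(parse_ts(t) for t in backup_times)
    if not times:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    gaps.append(now - times[-1])
    return max(gaps)


def slowest_restore(restore_tests):
    """Longest measured restore from the DR tests, or None if never tested."""
    durations = [parse_ts(finished) - parse_ts(started) for started, finished in restore_tests]
    return max(durations) if durations else None


def evaluate_objectives(objectives, backups, restore_tests, now):
    """objectives: {dataset: (rpo, rto)}; backups: {dataset: [backup timestamps]};
    restore_tests: {dataset: [(started, finished)]}. Returns a per-dataset report."""
    report = {}
    for dataset, (rpo, rto) in objectives.items():
        rpo_actual = worst_backup_gap(backups.get(dataset, []), now)
        rto_actual = slowest_restore(restore_tests.get(dataset, []))
        report[dataset] = {
            "rpo_actual": rpo_actual,
            "rpo_met": rpo_actual is not None and rpo_actual <= rpo,
            "rto_actual": rto_actual,
            "rto_met": rto_actual is not None and rto_actual <= rto,  # untested = unmet
        }
    return report


# Constructed history: hourly CRM backups with a three-hour hole, daily wiki backups.
NOW = parse_ts("2022-01-28T12:00:00Z")
OBJECTIVES = {
    "crm": (timedelta(hours=1), timedelta(hours=4)),
    "wiki": (timedelta(hours=24), timedelta(hours=8)),
}
BACKUPS = {
    "crm": [f"2022-01-28T{h:02d}:00:00Z" for h in (0, 1, 2, 5, 6, 7, 8, 9, 10, 11)],
    "wiki": ["2022-01-26T00:00:00Z", "2022-01-27T00:00:00Z", "2022-01-28T00:00:00Z"],
}
RESTORE_TESTS = {
    "wiki": [("2022-01-27T10:00:00Z", "2022-01-27T12:00:00Z")],
    # "crm" has never been restore-tested, so its RTO is unknown.
}

if __name__ == "__main__":
    for dataset, result in evaluate_objectives(OBJECTIVES, BACKUPS, RESTORE_TESTS, NOW).items():
        print(dataset, result)
```

Measuring the worst gap rather than only the age of the newest backup matters: the CRM dataset looks healthy at noon (its last backup is an hour old) but the 02:00 to 05:00 hole means a failure at 05:00 would have lost three hours of data.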
++
Rajesh Ganesan, Vice President of Product Management at ManageEngine
As more countries implement data privacy laws, organizations should consider the deployment of on-premises applications to keep sensitive data within geographical boundaries and to facilitate better control of business data. Not only do on-premises applications provide increased safety and regulatory benefits, they also offer a significant cost advantage. Given the increased volume of corporate data and the rising costs of cloud storage, it's no wonder that many organizations are looking at on-premises applications as a cost-effective approach to data management.
Data protection is only successful when all components within the infrastructure—including all employees—are prepared to handle it. To do this efficiently, data protection must be built right from the design stages of all services and operations. Moreover, data protection should be present as a strong, invisible layer; it shouldn't hamper operations, nor should it require big changes or specialized training. It’s best to educate employees on the do’s and don’ts of data protection in a way that is contextually integrated into their work, as opposed to relying solely on periodic trainings. To do this, leaders should implement alerts in the system that pop up and inform users about any violations to data protection policies the users' actions are causing. Such alerts help employees learn contextually, and ultimately, this training results in fewer data management errors.
++
Adrian Moir, Technology Strategist and Principal Engineer, Quest Software
Data privacy is becoming more important due to the increase in data risk and loss of business information. With Microsoft Exchange, Kaseya, and even Log4j at the end of the year, organizations are recognizing the business need for data privacy. Looking toward the future, we’re likely to see the way data is perceived, used, and regulated increase and become more refined. Regulatory elements such as the privacy of data itself and the levels of intrusion, data scraping and ransomware events seem to continue unabated. However, we have seen traction in the right direction this year including multiple new policies emerging affecting privacy in different areas of the globe such as CPRA, China’s Personal Information Protection Law, ColPA and more.
Attack vectors are constantly evolving, so these regulatory changes are driving a more involved process around security. An increasing number of organizations have a dedicated security team assessing technology before it is purchased and deployed. We also have to look at recent announcements from banks about starting to regulate cryptocurrencies. Depending on whether this trend increases or matures into full blown regulation, it might be the first warning signs that potential hackers may not have the level of anonymity in ransom transactions that they have been used to.
This leads businesses to recognize the need for cyber-insurance to help the nature of uncertainties that can impact data at any time. However, the insurance companies are also stepping up their game by insisting on certain protective measures. Backup now must be ‘immutable’, have multiple copies, have air gapped solutions, and have multi-factor authentication (MFA). The insurance companies are asking their customers to adequately demonstrate their policies and technologies they have deployed. Without these, businesses will either not be able to get cyber-insurance or their premiums will be substantially higher due to increased risk.
In 2022 and beyond, protecting your data and users' privacy is its own business need.
++
Yogesh Badwe, CSO, Druva
Data privacy had a big year; hybrid work opened the floodgates to new data security and privacy risks, there were eye-watering fines from high profile data breaches and new privacy laws such as the China Personal Information Protection Law (PIPL) went into effect as more regulations continue to surface. The India Data Protection Bill will likely be passed soon and a federal data privacy regulation is under serious discussion in the United States. Regardless of how the data privacy landscape continues to evolve, there are fundamental steps every business can take to put privacy first and protect the personal data of both employees and customers.
This year’s Data Privacy Day is an opportunity for businesses to take inventory of their privacy practices and identify what more they can do to build trust. Seize the moment by reviewing data processing activities to understand what’s being collected, how it’s being stored, and who it’s being shared with. Keeping the end user’s privacy interests at heart and leading with transparency in all your technology and business decisions is always a good strategy. By taking these fundamental steps, businesses will be that much closer to improving their resiliency and successfully navigating today’s evolving regulatory landscape.
Organizations also should look to leverage the cloud to streamline governance and achieve data resilience at scale. Just in the last week, the Biden administration has mandated federal agencies to more widely deploy cloud technologies in an effort to strengthen the nation’s defenses. Now is the time to act before violations result in fines, loss in customer trust, or worse.
++
Jean-Claude Kuo, Principal Product Manager for Cloud Security, Talend
So often, there’s a disconnect between innovations that customers value and the associated compliance protocols that keep a customer’s data secure. Data Privacy Day reminds everyone that personal and sensitive data needs to be protected every step of the way, and governance must be a business priority.
However, data privacy prowess isn’t just about complying with regulations; it can be an asset that transforms a workforce’s culture and even attracts customers. Users are savvier than ever about how their data is used and want to trust businesses to keep it safe and private. Businesses with an ethical data mindset, that design products and services with privacy in mind, will set themselves apart from the competition and win the loyalty of their customers.
Creating a data privacy culture isn’t easy, but it is valuable - both from an ethical perspective and for a company’s bottom line. This Data Privacy Day, business leaders must think about how they can build privacy into all aspects of their business proactively, before regulations force them to react while their competitors drive business forward.
++
David Higgins, Technical Director, CyberArk
It’s not just humans that are susceptible to clicking on the wrong link or are perhaps a little too cavalier about what they share about themselves. Software bots have sharing issues too, and this Data Privacy Day we highlight how we can better protect the data that they access from being exposed.
Software bots – little pieces of code that do repetitive tasks – exist in huge numbers in organizations around the world, in banking, government and all other major verticals. The idea behind them is that they free up human staff to work on business-critical, cognitive and creative work, while also helping to improve efficiency, accuracy, agility and scalability. They are a major component of digital business.
The privacy problem arises when you start to think about what these bots need so they can do what they do. Much of the time it’s access: If they gather together sensitive and personal medical data to help doctors make informed clinical predictions, they need access to it. If they need to process customer data stored on a public cloud server or a web portal, they need to get to it.
We’ve seen the problems that can arise when humans get compromised and the same can happen to bots – and at scale. If bots are configured and coded badly, so they can access more data than they need to, the output might be leaking that data to places where it shouldn’t be.
Likewise, we hear about insider attacks and humans being compromised to get at sensitive data virtually daily. Machines have the exact same security issues; if they can access sensitive data and they aren’t being secured properly, that’s an open door for attackers – one that can put individuals’ privacy at risk. Attackers don’t target humans to get to data, they just target the data. If machines, especially those in charge of automated processes (think repeatable tasks like bank transfers, scraping web data and moving customer data files), are the best path to take to get to it, that’s the one they will choose.
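The over-privileged bot described above, as an added illustration that is not CyberArk's code or any real product: a record-access layer that enforces a per-bot column allowlist. The patient records, column names and bot identities are constructed for the example; the point is that the bot configured with no scope writes names and SSNs into a report it never needed them for, while the scoped bot cannot.

```python
"""Added example (not CyberArk's code): a per-bot column allowlist enforced at
the data-access layer, contrasting an over-privileged bot with a scoped one."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records; names and SSNs are placeholders, not real data.
PATIENTS: List[Dict[str, object]] = [
    {"id": 1, "name": "A. Example", "ssn": "000-00-0001", "diagnosis_code": "E11", "age_band": "50-59"},
    {"id": 2, "name": "B. Example", "ssn": "000-00-0002", "diagnosis_code": "I10", "age_band": "60-69"},
]
SENSITIVE = {"name", "ssn"}
ALL_COLUMNS = list(PATIENTS[0].keys())
NEEDED_FOR_STATS = ["diagnosis_code", "age_band"]  # what a cohort-statistics bot actually needs


@dataclass(frozen=True)
class BotIdentity:
    name: str
    # None models the "badly configured" bot: no scope, it can read every column.
    allowed_columns: Optional[frozenset]


class AccessDenied(Exception):
    pass


def fetch(bot: BotIdentity, columns: List[str]) -> List[Dict[str, object]]:
    """Return only the requested columns, and only if the bot's scope allows them."""
    if bot.allowed_columns is not None:
        over = set(columns) - bot.allowed_columns
        if over:
            raise AccessDenied(f"{bot.name} requested out-of-scope columns {sorted(over)}")
    return [{c: row[c] for c in columns} for row in PATIENTS]


def build_report(bot: BotIdentity, columns: List[str]) -> str:
    """The text a bot posts to a shared channel or ticket; this is where leaks surface."""
    rows = fetch(bot, columns)
    return "\n".join(", ".join(f"{k}={v}" for k, v in row.items()) for row in rows)


def leaked_fields(report: str) -> List[str]:
    """Which sensitive fields ended up in the bot's output."""
    return sorted(f for f in SENSITIVE if f"{f}=" in report)


def is_denied(bot: BotIdentity, columns: List[str]) -> bool:
    """True if the access layer refuses this bot the given columns."""
    try:
        fetch(bot, columns)
    except AccessDenied:
        return True
    return False


# The same bot, configured two ways (hypothetical names).
OVERPRIVILEGED = BotIdentity("cohort-stats", None)
SCOPED = BotIdentity("cohort-stats", frozenset(NEEDED_FOR_STATS))

if __name__ == "__main__":
    # The unscoped bot does the equivalent of SELECT * and leaks identifiers.
    print("unscoped bot leaks:", leaked_fields(build_report(OVERPRIVILEGED, ALL_COLUMNS)))
    # The scoped bot produces the same statistics without ever touching them.
    print("scoped bot leaks:", leaked_fields(build_report(SCOPED, NEEDED_FOR_STATS)))
    print("scoped bot asking for everything is denied:", is_denied(SCOPED, ALL_COLUMNS))
```

The scope lives on the bot's identity rather than in the bot's code, so a later code change that asks for more columns fails loudly at the access layer instead of silently widening what the bot's output can contain.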
++
Gary E. Barnett, CEO of Semafone
Trust is paramount to organizations committed to forging lasting, loyal relationships. As people grow their digital footprints and the physical workplace remains dispersed, safeguarding payment and sensitive data plus personally identifiable information (PII) is non-negotiable.
We’re entering an era where laggards, who have yet to reconcile flawed privacy practices and security systems, will truly be left behind. Removing outdated practices and legacy technology is one of the most important early steps to take when prioritizing data privacy. The healthcare industry, for example, experienced a 25% increase in data breaches year over year. Today’s providers are not only tasked with protecting patients' health information but an abundance of payment and personal data as well. Two-thirds of consumers in a recent survey would leave their healthcare providers if their data was compromised due to a lack of security measures, putting the onus on organizations to make critical improvements.
To proactively safeguard data and garner trust, adopting dual-factor authentication, biometrics, single sign-on services, and password vaults can enhance security and improve data privacy. Another critical element in protecting data is to not store sensitive information within the IT infrastructure at all. Take for example, contact centers that have traditionally handled various payments for organizations’ customers like purchasing airline tickets or paying electricity bills. By using dual-tone multi-frequency (DTMF) masking technology, companies can process sensitive payment information without it being handled directly by any individual. Because the sensitive card data is no longer being stored, transmitted, or processed within the business infrastructure, individuals and hackers are not able to steal payment information. Simply put, they can’t hack data you don’t hold!
There’s no escaping data privacy and security concerns or conversations today. By using the right tools, technologies and processes, organizations can create secure, compliant, and effective practices that improve customer experiences and more importantly that customers can trust.
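The DTMF-masking flow described above, as an added example that is not Semafone's code or a description of its product: a toy call-media handler that swallows the digits a caller keys in before they reach the agent's audio stream or the CRM, sends the full card number only to a stand-in tokeniser, and keeps just a token and the last four digits. The tokeniser, the event format, the control message and the sample call (using a well-known test card number) are all assumptions made for the example.

```python
"""Added example (not Semafone's code): a toy DTMF-masking flow for a contact
centre. Card digits never reach the agent desktop or CRM; only a token and the
last four digits are kept on the in-scope side."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check, used only to decide whether a capture is complete and plausible."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class PaymentTokeniser:
    """Stand-in for the out-of-scope payment processor (assumption): the only
    component that ever sees the full PAN, returning an opaque token."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def tokenise(self, pan: str) -> str:
        return "tok_" + hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class AgentSide:
    """Everything the agent desktop and CRM receive: the side that must stay card-free."""
    audio: List[str] = field(default_factory=list)
    crm: Dict[str, str] = field(default_factory=dict)


class DtmfMasker:
    def __init__(self, tokeniser: PaymentTokeniser, agent: AgentSide) -> None:
        self.tokeniser = tokeniser
        self.agent = agent
        self._buffer: List[str] = []
        self.capturing = False

    def begin_capture(self) -> None:
        self.capturing, self._buffer = True, []

    def on_event(self, kind: str, value: str) -> None:
        """Call-media events: ('dtmf', '4') for a keypress, ('speech', text) otherwise."""
        if kind == "dtmf" and self.capturing:
            if value == "#":
                self._complete()
            elif value.isdigit():
                self._buffer.append(value)
                self.agent.audio.append("*")  # agent hears a flat tone, not the digit
            return
        self.agent.audio.append(value)  # outside capture, audio and keypresses pass through

    def _complete(self) -> None:
        pan, self._buffer, self.capturing = "".join(self._buffer), [], False
        if 13 <= len(pan) <= 19 and luhn_ok(pan):
            self.agent.crm["card_token"] = self.tokeniser.tokenise(pan)
            self.agent.crm["card_last4"] = pan[-4:]
            self.agent.audio.append("[card accepted]")
        else:
            self.agent.audio.append("[card rejected]")


def run_call(events: List[Tuple[str, str]]) -> AgentSide:
    """Replay a constructed call through the masker and return what the agent side saw."""
    agent = AgentSide()
    masker = DtmfMasker(PaymentTokeniser(), agent)
    for kind, value in events:
        if kind == "control" and value == "take_payment":
            masker.begin_capture()  # hypothetical signal from the agent's "take payment" button
        else:
            masker.on_event(kind, value)
    return agent


def pan_exposed(agent: AgentSide, pan: str) -> bool:
    """True if the full card number leaked into anything the agent side holds."""
    return pan in "".join(agent.audio) or pan in "".join(agent.crm.values())


# Constructed sample call using a well-known test card number.
TEST_PAN = "4242424242424242"
SAMPLE_CALL: List[Tuple[str, str]] = (
    [("speech", "I'd like to pay my bill"), ("control", "take_payment")]
    + [("dtmf", d) for d in TEST_PAN]
    + [("dtmf", "#"), ("speech", "thanks")]
)

if __name__ == "__main__":
    seen = run_call(SAMPLE_CALL)
    print("agent audio:", " ".join(seen.audio))
    print("crm record:", seen.crm)
    print("PAN exposed to agent side:", pan_exposed(seen, TEST_PAN))
```

The masker sits on the media path, so the card number exists only in its short-lived buffer and in the tokeniser; a compromised agent desktop, call recording or CRM export has nothing to give up beyond a token and four digits, which is the "can't hack data you don't hold" point in working form.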
++
Dave Sikora, CEO, ALTR
Data Privacy Day could really be called Data Trust Day, and that is exactly how organizations and leaders need to look at it. The meaning of privacy has evolved; we now live in a world where there is an increased desire for personalization in everything we do online. The more personalized the experience, the more sensitive data a business holds. With that comes a greater responsibility to not just protect sensitive data for regulatory reasons, but to ensure that customers can trust the business. Trust regarding data privacy and business success are directly proportional to each other. Yet in order to commit fully to trust, it can’t be called a “nice to have”; businesses have to create a culture of trust that the full organization buys into and commits to with standardized, agreed-upon values. We all know building trust in data privacy is much harder than breaking it; this Data Privacy Day, it’s up to business leaders to commit to trust as a core value of their business.
++
Milissa Campbell, managing director of healthcare insights at NTT DATA Services
Interoperability was a hot topic in 2021 and will continue to be a focus in 2022, as data privacy regulations shift, and organizations work to meet them. The challenge for healthcare leaders is to look at interoperability as more than a box to check – but as an asset bringing them significant value. It will be essential to access the large data sets needed to train precision care models, but there are inherent risks to privacy when bringing together multiple data sources and systems. Interoperability strategies should include privacy and security assessments and monitoring from the very beginning to ensure that the additional vulnerabilities aren’t exacerbated along the way. This allows organizations to safely unlock the power of their data and use it to drive growth and better care for patients.
++
Anshu Sharma, Co-Founder and CEO of Skyflow
Every day should be Data Privacy Day. But only a few leading companies like Apple are built that way. They think about data privacy as something intrinsic to their systems and processes, they dedicate resources to it, and – in the best cases – they make it a core public value of the company. They are very clear about how they think about the privacy of their customers' data, and put privacy at the center of their business. People may not choose an iPhone over alternatives based solely on data privacy, but it is definitely a differentiator. And I am sure it stops many iPhone users from thinking about switching. So the first tip is to think about data privacy as an intrinsic function, not an add-on. The next tip is to think the way Apple does: personally identifiable information (PII) is a distinct data type, that must be isolated and protected with zero trust policies, latest encryption, and fine-grained access and sharing controls that allow the data to be used safely and securely. And finally, don’t forget, every day is data privacy day.
++
Craig Lurey, CTO and Co-Founder at Keeper Security
People's personal data has become a hot commodity. As a result, we have seen a record number of cyberattacks and data breaches in recent years as cybercriminals will stop at nothing to get their hands on people's data. Personal data is used for advanced social engineering attacks, password stuffing attacks and ransomware attacks against companies and individuals.
Despite this, people and companies do not pay enough attention to the tools and software that have access to their personal and corporate data. Rigorous vetting of software that is installed by end-users on mobile and desktop devices is not taking place in many cases, which may inadvertently be placing user and corporate data at risk.
As we mark Data Protection Day, it is therefore critical to highlight the importance of using powerful and sophisticated tools that properly secure people's data. Users should pay particular attention that the software has strict privacy policies and utilizes a zero-knowledge architecture, which ensures that the company developing the software has no ability to access or decrypt the user's data stored within. This is key if consumers and business users want to make sure their personal and sensitive data is - and continues to be - well protected.
++
Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center
When there are options to purchase an item or service, brand reputation is a key element in the selection process. Effectively, the purchaser expects delivery of a quality product and that the supplier will stand behind their products and be there should support be required. Since the majority of business activity involves personal data – even to the degree of a simple credit card transaction in a shop – businesses who fail to properly manage the data their customers willingly share risk damaging their reputation and by extension break the trust their customers have placed in them.
It is far easier to break trust than to build it, or rebuild it. Trust is effectively a series of small successes that in the aggregate represent the value of a brand. A business that only requests a minimum of data from their customers and only retains it for the minimum time period required to satisfy the customer’s expectations reduces their potential exposure should a data breach occur. After all, the only data contained in a data breach is data that was available to breach, so it stands to reason that an abundance of customer data and profiles increases the interest cyber criminals might have in targeting specific businesses.
Transparency, simplicity and consistency are keys to restoring trust. Be transparent about the nature of the attack, which weaknesses were exploited, when it occurred and why specific customers might be impacted. The more complex communications are, the more likely some customers will view that complexity as being part of an effort to paint the business in a positive light. Accept and own responsibility for the weaknesses that were exploited, and outline the steps taken to prevent similar attacks from being successful in the future. Of course, you never want to change details on the attack, unless they are material to the customer impact. While regulators might require the additional information, they are also positioned to interpret that information within the context of the attack and often without any biases a customer might have on the situation.
Privacy statements that are written in plain English are best. Detail what information is collected and why it's required. Ensure that internal software development teams understand the privacy statements and their implications. After all, the last thing a business wants is to have a clear privacy statement, and then have a development team implement software changes that invalidate that statement.
++
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify
The notion of real ‘privacy’ is perhaps something that no longer truly exists. Internet connected device usage has exploded in recent years, bringing huge changes to our society, but this has come with risks as we’re all tracked and monitored 24/7.
It means we need to consider not just data privacy, but the safeguards that govern how data is collected and processed. Thanks to stricter regulations, the public now has greater say on how their data is used, but regulatory bodies need to continue to pressurise companies and governments to maintain good cyber security practice, incorporating the principle of least privilege to protect collected data and provide users with transparent access to such data.
Our personal data is becoming more and more profitable, and many will begin to ask how citizens will be incentivised, or perhaps paid, for their data? What will the future hold for personal data ‘renting’?
++
Clara Angotti, Co-Founder and President, Next Pathway
Data privacy is more than just security. Privacy is a basic human right, yet each day we are faced with the decision to share private information as a necessity to conduct our lives, while hoping that the recipient respects our data and that it is not misused or exploited. As individuals become more aware of the value of their data and the potential impact of it ending up in the wrong hands, it is essential for companies or any parties collecting, storing and managing people's information to build a mutual trust. These organizations should practice transparency by outlining what data is being collected and why, whether the data is being sold or shared, and who it is being sold or shared with.
++
Chad McDonald, Chief of Staff and CISO of Radiant Logic
With the number of cyberattacks substantially increasing during the pandemic, organisations must put in measures which can stop identity sprawl by ensuring they have a unified global profile which has all the attributes of a user irrespective of which source it’s located in. Organisations that fail to manage identity data will suffer from further data breaches as threat actors know that data is not secure and easy to get hold of. Whilst this sounds like a complicated problem to solve, it can be easily done thanks to Identity Data Fabric.
++
Andy Teichholz, senior industry strategist, Compliance and Legal, at OpenText
People are more empowered than ever to exercise their rights, submit Subject Rights Requests (SRRs) and reclaim control of their information. They want to understand how their data is used and to access, correct, delete, and restrict use. To meet these data-intensive demands and overcome a scarcity of resources to support key business activities, organizations must embrace process automation for SRR response and apply case management tools that best track its performance and effectiveness.
Many organizations are still far from fully operationalizing their data privacy programs. Organizations that take an integrated data-centric approach to support critical foundational needs, including but not limited to discovery and classification, risk mapping, data retention, and Subject Rights Requests management – will be in the best position to execute on these priorities and earn individual or consumer trust.
Reputational management boardroom discussions. Executives will look to innovate not only to ensure compliance with applicable data privacy and protection laws but to get a leg up on their competition. Establishing an integrated data management approach following information governance principles will enable these organizations to not only avoid regulatory risk but demonstrate the requisite trust to differentiate themselves in the marketplace.
++
Pete Starr, Director of Customer Engineering at Cyren
Phishing and other forms of social engineering attacks represent great opportunities for cyber criminals. The primary motivation behind every phisher is the procurement of credentials that unlock an organisation’s vault of sensitive information or gain access to critical systems. With standard phishing attacks, attackers can easily access data with very minimal effort, but with very high reward. With that being said, we have also recently seen an increase in adversaries directly pursuing high-value information such as bank details or social security numbers, rather than going for the easy targets like usernames and passwords. This information may be harder to access, but the profitable rewards are well worth some additional effort.
While phishing is often deployed as a single-step attack, it also features in more complex, multistage attacks. Phishing is usually the first step – as the technique used to gain initial access to the network – but it is then followed by a second stage with a different objective, like the launch of a ransomware attack for example. The main purpose of these attacks is to steal data and credentials and use the stolen information for monetary gain. These multi-stage attacks can be extremely damaging for businesses, but it all starts with a simple phishing email. So how do they even gain access?
We are often told that the weakest link in an organisation is its people. Unfortunately, cyber criminals know this, and employees are a great vector for the cyber criminals to launch a phishing attack in order to gain access to the organisation’s data and sensitive information. Teaching employees how to recognise the signs of a phishing attack with security awareness training and then equipping them to apply those learnings in practice will be highly effective against criminals’ social engineering techniques.
Organisations need to learn that their employees will be the target of phishing attacks, and that some may get through. So instead of focusing on prevention, they need to know how to remediate and further protect their network and future employees from falling victim to the same attack. There are several other forms of protection against phishing attacks that organisations can deploy as well to ensure data is protected. As a starting point, businesses should consider deploying an email security solution that analyses the email content to determine whether it’s genuine. The in-built email filters can deliver high-speed detection for a wide selection of incoming threats, such as malware, spam, and any well-known phishing URLs. These defences can be strengthened with specialist layers of detection that learn and identify more advanced threats by using machine learning and natural language processing.
By adopting measures, investing in the right solutions, and ensuring our employees understand the value of our data, we can make the difference between a contained phishing email, and a serious cyber attack that causes significant damage with customer data leaked for all to see.
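The content-analysis layer described above, as an added example that is not Cyren's code or a description of its product: a minimal URL-based check run over two constructed messages. It flags links whose visible text names one domain while the href points at another, hosts on a blocklist, and hosts that imitate a known brand (digit-for-letter substitutions, or the brand's domain used as a subdomain of something else). The blocklist, the brand-to-domain table and both sample messages are assumptions built for the example and are not real threat intelligence.

```python
"""Added example (not Cyren's code): URL-based phishing heuristics run over
constructed sample messages. Blocklist, brand table and messages are made up."""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed reference data, not a real feed.
KNOWN_BAD_DOMAINS: Set[str] = {"secure-update-billing.example"}
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "live.com"},
}
# Common digit-for-letter swaps seen in lookalike hostnames.
HOMOGLYPHS = str.maketrans("0135", "oles")

HREF_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude eTLD+1: last two labels. A real filter would use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_brand(host: str) -> Optional[str]:
    """Name of a brand the host imitates without being one of that brand's real domains."""
    folded = host.translate(HOMOGLYPHS)
    for brand, real_domains in BRAND_DOMAINS.items():
        if brand in folded and registrable(host) not in real_domains:
            return brand
    return None


def analyse(message_html: str) -> List[Tuple[str, str]]:
    """Return (finding, url) pairs for one message."""
    findings: List[Tuple[str, str]] = []
    # 1. Link text that shows one URL while the href goes somewhere else.
    for href, text in HREF_RE.findall(message_html):
        shown = URL_RE.search(text)
        if shown and registrable(host_of(shown.group())) != registrable(host_of(href)):
            findings.append(("href_mismatch", href))
    # 2. Every URL in the body, checked against the blocklist and for brand imitation.
    for url in URL_RE.findall(message_html):
        host = host_of(url)
        if host in KNOWN_BAD_DOMAINS or registrable(host) in KNOWN_BAD_DOMAINS:
            findings.append(("blocklist", url))
        brand = lookalike_brand(host)
        if brand:
            findings.append(("lookalike:" + brand, url))
    return findings


# Constructed sample messages (all domains are reserved .example names).
SAMPLE_MESSAGES: Dict[str, str] = {
    "legit": (
        '<p>Your statement is ready.</p>'
        '<a href="https://www.microsoft.com/account">Manage your account</a>'
    ),
    "phish": (
        '<p>Your account has been limited. Confirm your details within 24 hours.</p>'
        '<a href="https://paypal.com.secure-update-billing.example/login">https://www.paypal.com/signin</a>'
        '<p>Or sign in with your work account:</p>'
        '<a href="https://login-micr0soft-verify.example/">Office 365 sign-in</a>'
    ),
}


def triage(messages: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    return {name: analyse(body) for name, body in messages.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_MESSAGES).items():
        print(name, "->", findings or "clean")
```

These three checks are the cheap, fast layer the passage describes; they catch the common cases without any model, and the mismatched-text check in particular survives a fresh domain that no blocklist has seen yet. The two-label `registrable()` is deliberately naive and is the first thing to replace with a public-suffix-aware version in anything beyond a demonstration.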