
Data Privacy Day takes place each year on January 28th. The annual event is an international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust.
This year, as we have done many times before, VMblog reached out for tips and tricks from several influential thought leaders on how to protect and maintain client and employee personal information and data.
--
Anastasios Gkouletsos, IT Security Lead at Omnipresent, a leading global HR platform:
"Focus on Endpoint Security. Endpoint security should be a priority for every company, but particularly for those that are going global with a remote workforce. For remote teams, endpoint security should go far beyond installing off-the-shelf anti-virus software. An effective endpoint security solution should also include a firewall, malware removal, ransomware protection, device management, password manager, and a business VPN."
++
Brian Spanswick, Chief Information Security Officer and Head of IT at Cohesity, next-gen data management company:
"Data Privacy Week is a great reminder of the importance of protecting the privacy and security of data as well as meeting compliance and governance requirements such as GDPR, CCPA, and HIPAA. This starts with selecting a next-gen data management platform that can offer data protection, governance, and compliance on a single platform as part of an overall risk management strategy. These solutions need to be dramatically simplified so they can easily manage large complex data estates from a single UI and take advantage of AI/ML classification technology to help identify and manage sensitive data."
++
Peter Tsai, Head of Technology Insights at Spiceworks Ziff Davis, the trusted global marketplace that connects technology buyers and sellers:
"In our hyper-connected age, common business sayings include 'data is the new oil' or 'data is the new gold.' While user data is indeed valuable to advertisers, companies must always remember that protecting the right to privacy is not only mandated, but also fundamental to building trusted relationships with customers. Recent SWZD research revealed 50% of B2B companies worry privacy regulations or restrictions on the use of data will make it harder to do business. But instead of fearing change, business professionals should embrace it. Not only are the penalties too high for non-compliance, now more than ever, trust and transparency are huge differentiators that help businesses attract customers and build brand loyalty."
++
Justyn Hornor, Chief Product Officer at Seeking, the world's largest upscale dating website:
"On Data Privacy Day and every day, online daters must prioritize their personal safety and the security of their online data. Before you hop onto a dating website, vet the security precautions in place. Is the dating platform verifying identities? Is it drawing from data and concrete evidence to strengthen the security of the platform? Is the newest technology, such as AI and bots, being tapped to monitor profiles and identify any potential concerns? Does the company block profiles that engage in unlawful activities? If the answer is no to any of these questions, find a better site."
++
Daniel Markuson, Digital Privacy Expert with NordVPN, the top VPN service used worldwide:
"Data Privacy Day aims to raise awareness of privacy issues; however, awareness is meaningless if it doesn't turn into action. Protecting your individual privacy is all about creating habits, such as putting extra effort into creating strong passwords, not clicking on unknown links or downloading unverified files, disabling Wi-Fi & Bluetooth when they're not in use, and overall staying attentive while browsing online. While this may sound tedious, there are tools that can make protecting your privacy much more effortless. A VPN hides your personal information, password managers protect your credentials & generate strong passwords, while file encryption tools make it so only you can access your files."
++
Shekkar Ayyar, CEO of Arrcus, the hyperscale networking software company:
"Web 3.0 applications like metaverse and DeFi that are based on AR/VR and blockchain are stretching the requirements on scale and performance of the underlying networking infrastructure. The internet today relies on a complex global mesh of routing and switching nodes, supported by technologies like BGP, or Border Gateway Protocol. As recent outages at AWS and Facebook demonstrate, the risk of network failure is high whenever manual intervention is involved. A critical best practice we at Arrcus recommend is the adoption of intelligent, network analytics-driven automation of router operations to handle fault correction and detection of errors in configuration."
++
Ricardo Amper, CEO and Founder of Incode, an AI-based digital identity company:
"There are a lot of misconceptions about how facial recognition technology is currently used. However, despite the reported privacy mishaps and concerns, there is a true inclination among consumers to embrace this technology. Trust is essential and is often missing when consumers aren't in the forefront of the conversation around privacy. The individual must be put first, which means getting their consent. The more an individual feels that they can trust the technology, the more open they will be to using it in additional capacities."
++
Paul Keely, chief cloud officer at Open Systems, which provides managed detection and response (MDR) services:
"Naturally, the best way to protect critical data is to prevent bad actors from accessing it in the first place. One of the keys to this is monitoring 24/7 to identify and contain breaches as early as possible in the cyber kill chain. Done effectively, this can keep a breach from expanding beyond a single affected endpoint. Endpoints are a significant concern, as companies' attack surfaces have likely grown 10 times or more due to the pandemic forcing employees to work from home. With all of these thousands of endpoints making thousands of remote connections, the number of alerts has exploded. While the vast majority are false positives, their sheer volume makes it harder to identify the actual threats hidden among them. Understanding their attack surfaces will help companies recognize real threats. Finally, companies need to be ready should their data be encrypted – or deleted – in a ransomware attack. These preparations include routinely backing up files to a device that is not network connected. This is important because the latest ransomware tools, such as Ryuk, actively seek and delete backups on network-attached devices."
++
Brian Pagano, Chief Catalyst and VP at Axway, a leading API management platform:
"There is no one solution for optimized data privacy. Cloud has the same problems around data-in-motion (you have to get data to and from the cloud) and data-at-rest (storing information in the cloud). What the cloud gives you is industrial-strength physical and digital security of the cloud provider. So it is a good step, a piece of the solution."
++
Brian Rue, CEO and Co-founder of Rollbar, a leading continuous code improvement platform:
"Companies should embrace data privacy. Rather than viewing privacy requirements as a constraint or something holding you back, embrace how consumers have spoken that they need privacy (this comes through government): by fulfilling privacy needs you are fulfilling customer needs. If privacy feels like it's a distraction, it might be a sign that your direction is out of line with what consumers are saying they need and what they will need, and the direction that everything is going."
++
Aron Brand, CTO, CTERA, a distributed cloud file storage leader:
"Last year, cybercrime wreaked $6 trillion in havoc to organizations all over the globe. As if one global pandemic was not enough, another has emerged and it is called ransomware. In 2021 enterprise security was seriously challenged by ransomware attacks, and in response there has been a significant shift in how CISOs view data privacy.
Every attempt to access a network should be considered suspicious until proven otherwise. In a zero-trust architecture, every user, device, or endpoint that attempts to connect to the network must be authenticated before gaining access. Here are four best practices to follow:
- Minimize the storage of long-lived credentials on endpoint devices. Use multifactor authentication, as compromised passwords are often the weakest link in an organization’s security.
- To reduce the risk for supply chain attacks, verify that IT suppliers prioritize security during the design and building of their products or services. Ask potential providers for their latest report from a third-party security assessment, and for certifications such as SOC2, FIPS 140-2 (Federal Information Processing Standard) and the Open Trusted Technology Provider Standard (O-TTPS).
- Security patches must be regularly installed on all virtual machines and cloud instances, and password rotation and complexity should be enforced across the entire organization, even on machines inside the corporate perimeter.
- Ensure segmentation and micro-segmentation of internal networks for fine-grained access control.
As cyber-attackers become more sophisticated, it is essential for organizations to stay ahead of them and constantly revisit and review their security stance. Investing in a zero-trust architecture, and maintaining well-protected backups could be the key for survival in the following decade."
++
Darren James, Head of IT at Specops Software, a leading provider of password management and authentication solutions:
"In 2022, companies still need to focus on the basics -- like password security -- to improve protection against ransomware and other increasingly common attacks. Employee passwords are the backbone of any company’s cybersecurity posture. Social engineering and AI-driven ‘spray and pray’ attacks are escalating and it's easier than ever for attackers to obtain lists of leaked passwords. If there is just one step you take during 2022 to improve your password security, this is the one. Implement a comprehensive list of breached passwords that are blocked from being used in your environment. A strong list should be updated continuously with live attack data, providing protection from the passwords that are being used in attacks today. Equally important is setting password policies for employees, ensuring best practices in line with NIST and other standards like choosing longer passphrases and utilizing multi-factor authentication tools.
With the continuation of COVID-19 and remote and hybrid work models, there are several other steps companies need to take in 2022 to improve overall security posture:
- Encrypt all devices used outside of the office to know that if they fall into the wrong hands they will not expose confidential company data.
- Implement multi-factor authentication for all network and cloud services. Many companies have identified the risk for admins and other privileged accounts but haven’t yet rolled out MFA to their entire organization. 2022 is the moment to take that step. Most cloud services offer MFA today and it’s easy to configure to the requirements of your organization.
- Verify callers to the IT service desk. A bad actor impersonating an employee can contact the IT service desk and receive help to perform a password reset, which opens the door to penetrate the corporate network with malware or ransomware."
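A screening routine of the kind the quote above calls for (a blocked list of breached passwords plus NIST SP 800-63B-style length and context checks), written here as an added example rather than Specops Software's product. The leaked-password sample, the 12-character minimum and the context words are constructed assumptions; the list is held as SHA-1 digests so a lookup only needs a 5-character hash prefix, the k-anonymity shape public breach-check APIs use.

```python
"""Breached-password screening with NIST SP 800-63B-style policy checks.

Added example; not Specops Software's product. The leaked-password sample,
the 12-character minimum and the context words are constructed assumptions.
"""
import hashlib
import re

# Constructed sample of a breached-password feed. A real list holds millions
# of entries; it is stored as SHA-1 digests so the list itself never contains
# plaintext and a continuous update is just a set union of new digests.
_LEAKED_SAMPLE = ["Password123", "Winter2022!", "qwerty", "letmein", "Acme2022"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _LEAKED_SAMPLE}

MIN_LENGTH = 12   # SP 800-63B floor is 8; this policy picks 12 (assumption)
MAX_LENGTH = 64   # accept long passphrases; never truncate


def sha1_prefix_suffix(password):
    """Split the SHA-1 hex digest into a 5-char prefix and the remaining 35 chars.

    This is the k-anonymity range-query shape: only the prefix leaves the
    client, the server returns every suffix sharing that prefix, and the
    match is made locally, so the password never travels in any form.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_range(prefix):
    """Stand-in for the server side of a range query against the breached list."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    """True if the password's digest appears in the breached-password list."""
    prefix, suffix = sha1_prefix_suffix(password)
    return suffix in lookup_range(prefix)


def evaluate_password(password, context_words=()):
    """Return the list of policy violations; an empty list means accepted.

    context_words are service- or user-specific strings (company name,
    username) that SP 800-63B says should be rejected when they appear.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    if re.search(r"(.)\1{3,}", password):
        reasons.append("contains a run of four or more repeated characters")
    if is_breached(password):
        reasons.append("appears in the breached-password list")
    return reasons


def rotate_breached_list(new_leaked_plaintexts):
    """Continuous update: fold freshly observed attack passwords into the list as digests."""
    BREACHED_SHA1.update(hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                         for p in new_leaked_plaintexts)
    return len(BREACHED_SHA1)


if __name__ == "__main__":
    for candidate in ["Password123", "correct horse battery staple", "Acme2022-staff"]:
        verdict = evaluate_password(candidate, context_words=["Acme"])
        print(f"{candidate!r}: {verdict or 'accepted'}")
```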
++
Pritesh Parekh, Chief Trust & Security Officer, VP of Engineering at Delphix, a leading data company for DevOps:
"With cyber-attacks on the rise, this year’s Data Privacy Day is timelier than ever before. Take ransomware as an example. Last year’s onslaught of attacks demonstrated the impact that it can have not only on a single person or business but on the population as a whole. Whether it’s a shortage in the food supply chain or the inability to access critical healthcare services, individuals around the world are realising that successful cyber-attacks could have serious implications for us all.
Although many companies have strengthened security controls to ensure only the right people have access to sensitive data, redacting and obfuscating data in all environments - and especially lower environments - is equally critical to effectively managing risk and preventing attackers from gaining access. Too often, employees either aren’t aware they could be violating security policies or don’t understand how shortcuts can put customers’ data - and their company, too - at risk.
Modern technologies – such as data masking – could help to mitigate these attacks and improve data privacy throughout an organisation. Data masking can automatically identify where sensitive data resides — across every system including non-production environments for development, testing, and analytics. It then applies algorithms that replace the original value with a fictitious but realistic equivalent in an irreversible way. This, ultimately, decreases the risk of a breach and prevents hackers from getting hold of valuable data. The more masked data your company has, the less there is for bad actors to steal.
Staying ahead of the ransomware threat will be a continuous journey, as attacks and technologies develop. While there is no shortcut on this journey, implementing the latest solutions and focusing on data masking is a great place to start and could make all the difference in an attack situation."
++
Carolyn Duby, Field CTO & Cybersecurity Lead, Cloudera, a hybrid data cloud company:
"IT decision makers and CIOs are increasingly looking for companies that protect their privacy by doing the right things with their data. From our vantage point, we see companies actually using privacy as a selling point, e.g. Apple’s decision to limit other companies’ access to data from their devices. This is continuing to expand within the enterprise. Going forward, it's going to be really important for companies to carefully think about what they’re doing with data and how it affects their customers. And it can't just be one-sided: It has to be a partnership of what they’re collecting, how they’re keeping it safe, and how they’re using it in an ethical manner.
Classification of data is becoming very important when it comes to privacy conversations. You have to be able to figure out what is in your data that represents potentially protected information - in the form of security numbers, account numbers, user names, addresses, for example. The challenge is, organizations have a lot of data that is coming from multiple silos, usually ending up all in the same data lake. If not managed properly, an attacker can go after your lake and take all your data, all at once. We must embrace the idea that data should be effectively secured and governed in the form of a mix of data catalogs and a data profiler to classify private information and help IT practitioners secure and govern it appropriately."
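The two steps that the Delphix and Cloudera quotes above describe, as an added example that is neither vendor's code: a profiler that classifies columns holding SSNs, email addresses, phone numbers and account numbers by pattern, then irreversible masking that keeps each value's format but replaces it with a guaranteed-fictitious one (SSN area 900-999, 555-01xx phone numbers, example.com addresses), derived with a keyed HMAC so the same input masks identically across tables. The records and MASKING_KEY are constructed sample data.

```python
"""Sensitive-data profiling plus irreversible, format-preserving masking.

Added example, not a vendor implementation. Records and MASKING_KEY are
constructed; masked values are one-way under the key and cannot identify a real person.
"""
import hashlib
import hmac
import re

MASKING_KEY = b"constructed-demo-key-never-ship-to-non-production"  # assumption

# Dict order is the match precedence: a bare 10-digit string is classified as a
# phone number before it can be taken for an account number.
PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$"),
    "account": re.compile(r"^\d{10,16}$"),
}

# Constructed sample: two tables sharing an account number, so masking must
# keep them joinable (referential integrity) while hiding the real value.
SAMPLE_CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789", "email": "alice@corp.example",
     "phone": "(415) 555-2671", "account": "4111222233334444"},
    {"id": 2, "name": "Bob Example", "ssn": "987-65-4321", "email": "bob@corp.example",
     "phone": "212-555-0199", "account": "5500000000000004"},
]
SAMPLE_ORDERS = [{"order": "A-100", "account": "4111222233334444", "amount": 42.50}]


def classify_value(value):
    """Return the sensitive-data class of a value, or None if no pattern matches."""
    if not isinstance(value, str):
        return None
    for label, pattern in PATTERNS.items():
        if pattern.match(value):
            return label
    return None


def profile(records):
    """Profiler step: map each column to the sorted list of classes seen in it."""
    found = {}
    for record in records:
        for column, value in record.items():
            label = classify_value(value)
            if label:
                found.setdefault(column, set()).add(label)
    return {column: sorted(labels) for column, labels in found.items()}


def _digits(value, n):
    """Derive n decimal digits from value via HMAC-SHA256: deterministic, not invertible."""
    mac = hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % (10 ** n)).zfill(n)


def mask_ssn(value):
    """Area numbers 900-999 are never issued, so the result cannot be a real SSN."""
    d = _digits(value, 9)
    area = 900 + int(d[:3]) % 100
    group = 1 + int(d[3:5]) % 99        # groups run 01-99
    serial = 1 + int(d[5:]) % 9999      # serials run 0001-9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def mask_phone(value):
    """555-0100 to 555-0199 are reserved for fictional use in North America."""
    d = _digits(re.sub(r"\D", "", value), 5)   # normalise separators before hashing
    area = 200 + int(d[:3]) % 800
    return f"{area:03d}-555-01{int(d[3:]) % 100:02d}"


def mask_email(value):
    """example.com is reserved (RFC 2606); the keyed tag keeps distinct users distinct."""
    tag = hmac.new(MASKING_KEY, value.lower().encode("utf-8"), hashlib.sha256).hexdigest()[:10]
    return f"user{tag}@example.com"


def mask_account(value):
    """Same length and all digits, so schemas, joins and length checks keep working."""
    return _digits(value, len(value))


MASKERS = {"ssn": mask_ssn, "email": mask_email, "phone": mask_phone, "account": mask_account}


def mask_record(record):
    """Replace every classified value; non-sensitive columns pass through unchanged."""
    masked = {}
    for column, value in record.items():
        label = classify_value(value)
        masked[column] = MASKERS[label](value) if label else value
    return masked


if __name__ == "__main__":
    print("profile:", profile(SAMPLE_CUSTOMERS))
    for record in SAMPLE_CUSTOMERS + SAMPLE_ORDERS:
        print(mask_record(record))
```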
++
Bryan Palma, CEO of Trellix, delivering extended detection and response (XDR):
"Keeping track of where data is and how it’s protected is a constant challenge. The explosion of sensitive data, along with the increase in digital collaboration renders traditional security approaches ineffective. Organizations need to secure their data no matter where or how it moves.
A sensitive-data aware XDR (extended detection and response) ecosystem enables the use and sharing of data confidently. It protects data from devices, between applications, or through email from data leakage. XDR bridges the gap between threat protection and data security by combining threat analysis with the context of data to enable a more accurate and timely decision-making process.
For example, if a financial executive’s email with sensitive information is being targeted by a bad actor, XDR detects, responds and remediates the attack by combining threat intelligence, data context and guided investigations together into a single interface.
Gartner predicts by year-end 2027, XDR will be used by up to 40% of organizations, and IDC projects the cloud-native XDR market will grow at a CAGR of 89.3% through 2025. As the analysts indicate, this is a trend we will see as organizations streamline their data management process to protect their unique business and operations."
++
Josh Odom, CTO, Pathwire:
"As we look towards Data Privacy Day on January 28, this is a time to examine and raise awareness around the importance of protecting personal information. Privacy and security are always top of mind when it comes to consumer data and that is especially true with email marketing. According to a recent survey by Mailjet by Sinch and Ascend2, 'privacy/security' is a top priority for best-in-class email marketers, with 43% of respondents in this segment selecting it among the email marketing trends for 2022.
With big players such as Apple and Google announcing plans to phase out third-party cookies, the days when you could deploy a cookie and track people are ending. We think this will make channel marketing way more relevant, but it will also pose new challenges. The Apple Mail Privacy Protection update, for example, is forcing senders to rethink the way they measure success in their email campaigns. The ability that marketers have had until now to easily track people's behaviors is dwindling quickly.
According to the United Nations, cybercrime is on the rise (with a 600% increase in malicious emails during the pandemic), and users are demanding more control over their personal data. Now more than ever, we need to put data privacy and security at the forefront of our email marketing strategies to establish trust and protect personal information."
++
Steve Cochran, CTO of ConnectWise:
"The concept of data privacy may never have been more important than it is today, on this Data Privacy Day. And never before has the concept of data privacy been more under threat. It behooves all of us technical professionals to use this day to reflect on the growing threat and our response to that threat over the last year and prepare ourselves for the coming year. Data privacy and the effort that is required to protect it will continue to change at an accelerated rate this coming year and the years to come. Our company and our partners are doing their part and leading the charge in keeping our community safe and secure against these growing threats."
++
Ryan Abraham, virtual CISO of Wisetail:
"Data privacy is incredibly important in the HR industry. HR professionals are entrusted with employees' sensitive data, from social security numbers to phone numbers to home addresses and more, so it's vital that every company takes the proper steps to ensure that data is safe.
One important step here is to certify your organization as SOC 2 compliant. SOC 2 is based on five factors (security, availability, processing integrity, confidentiality, and privacy), and the certification tells users that your organization maintains a high level of information security and handles their data responsibly. Additionally, SOC 2 compliance ensures that your organization has implemented security practices to defend itself from cyberattacks and breaches.
Another great way to honor Data Privacy Day this year is to start regular employee training on data privacy best practices, which can be easily created and assigned to your team through a learning experience platform (LXP). These training courses can educate employees on how to spot a phishing attack, create strong passwords, avoid suspicious and dangerous websites, and more. Your employees are your first line of defense against data privacy threats, so it's essential that they are equipped to keep themselves and your business safe."
++
Dottie Schindlinger, Executive Director, Diligent Institute:
"Today's workplace is no longer limited to traditional definitions or boundaries. Companies are constantly adapting to new working models and exploring innovative ways to tailor them to the needs of their organisation. The adoption of collaboration tools has skyrocketed as companies try to ensure that productivity and efficiency remain high, whether in a remote, in-office, or hybrid work environment.
Many of these tools are general-purpose solutions that meet the requirements of employee communication and collaboration well enough. But they may not be appropriate for the top layer of your organisation - the board and executives.
Boards and executives deal with information that is often highly sensitive and that consequently has higher costs of exposure. Think of the reputational, legal and financial repercussions if a classified document leaked because it was shared by executives on a general-purpose communication tool. The impact could be catastrophic. Additionally, recent cyberattacks have highlighted - not just for shareholders, but for all stakeholders - the importance of protecting an organisation's most sensitive data. General-purpose collaboration tools are unable to offer the level of protection that stakeholders expect.
Organisations need secure environments and workflows that allow the board and executives to communicate highly sensitive information safely, without worrying that it might accidentally be misrouted, forwarded, leaked or even stolen. And, the system must be intuitive and convenient, so executives remain within its workflows and processes without straying to other systems and creating security gaps."
++
Jeff Sizemore, Chief Governance Officer, Egnyte:
"Data Privacy Day reminds us of the mission-critical requirement to safeguard data amid rising cyberattacks and companies' adaptation to longer-term hybrid-work models. Due to increased cyber-risk and a strong consumer desire for privacy protection, there continues to be a steep rise in state-by-state data privacy requirements, with movement toward a potential federal privacy law anticipated later this year. By 2023, it's predicted that 65% of the world's population will be covered by privacy laws.
Increasingly, with personal privacy viewed as a human right, how vendors manage consumer and employee data will determine how much the public trusts and wants to do business with them. To comply with governmental requirements during the global pandemic, organizations may need to store employees' Protected Health Information (PHI) like vaccination statuses for their employees, which creates its own privacy impact.
Additionally, protecting unstructured data will likely be one of the biggest challenges in 2022. If you can't see it, you can't govern it. If you can't govern it, you definitely can't manage privacy. Organizations need to have visibility into structured and unstructured data to build out effective data governance programs. Thankfully, there are data security and governance solutions available to protect that information holistically. Expect to see ongoing privacy assessments become more common in the days ahead. Those who put privacy at the forefront and ensure they are solving the problem comprehensively will be the ones who come out on top."
++
Avi Raichel, VP, Zerto GTM, a Hewlett Packard Enterprise company:
"Data Privacy Day serves as a critical reminder that data privacy and protection are increasingly challenging matters and organizations have no other choice than to take them seriously. Ransomware attacks are here to stay as they continue to rise in both volume and severity and as cybercriminals keep developing new and unexpected methods to encrypt data. It is estimated that by 2031, ransomware is expected to attack a business, consumer, or device every two seconds.
According to research from IDC, 95.1% of organizations suffered a malicious attack in the past 12 months and 43% of those organizations have experienced unrecoverable data loss, proving the devastating impacts of ransomware and other cyberattacks. Organizations must understand that protecting your data from ransomware is no longer about if you can recover, but rather how quickly you can get your business back up and running.
Since no single solution can offer protection from ransomware attacks with 100% certainty, having a disaster recovery and backup solution based on continuous data protection (CDP) offers companies the ability to be resilient in the face of potentially catastrophic circumstances. Companies using CDP can resume operation at scale in minutes and recover to a state a few seconds before an attack. Ultimately, having continuous data protection will put the power back in the hands of the organizations who are prepared."
++
Gorka Sadowski, chief strategy officer, Exabeam:
"Every year, Data Privacy Day is a timely reminder that organizations are custodians of our private information and that they must do everything in their power to protect our data from misuse and unauthorized leaks. Right now, information exfiltration via ransomware and insider threat seems to be rampant. The security community must better work together and prioritize innovation and collaboration above competition to fight our shared cyber enemies.
As global ransomware payments skyrocket, it proves that cybercriminals are willing to collaborate and pool resources with other threat actors to develop new ways to breach organizations around the world. Our greatest hope in defeating such highly coordinated cyberthreats is to become united in fending off their multifaceted attacks. To that end, I'm pleased to see governments finally mobilizing against cyber adversaries to prevent devastating consequences on companies in both the public and private sectors.
In addition to the various laws and mandates that preserve privacy and data standards for individuals, we remain committed to showing the world that cybersecurity is really a team sport. Our XDR Alliance was created to foster an open approach to extended threat detection, investigation and response (TDIR) for security teams everywhere. As the founding organization, we believe that a unified approach to fighting cybercrime is the future to stopping the adversaries from gaining new ground."
++
Lex Boost, CEO, Leaseweb USA:
"IBM recently reported that 2021 saw the highest average cost of a data breach in 17 years, with the cost rising from $3.86 million in 2020 to $4.24 million. As a result, data protection has been getting more attention than it ever has before. The headlines consistently permeating the news might be a source of dread for IT administrators and their teams, but luckily, they are not alone. Choosing the right hosting provider can help tremendously.
Many hosting providers are picking up their proverbial swords and helping the fight against cyberadversaries. The right hosting provider can deliver extra protection by offering 24/7 security-related support services to act as an extra set of eyes against attackers. In addition, hosting providers can also provide standard security training for employees so that they can become more cyberaware.
Data Privacy Day should serve as a reminder to choose hosting providers who are willing to enter the battle against adversaries and safeguard your data."
++
Carl D'Halluin, CTO, Datadobi:
"No one can deny that unstructured data is growing exponentially. With the creation of so much data, a wide range of new management tools and processes to oversee it have emerged - from global data availability, data protection, data archival, and more. In this multi-vendor, multi-platform world spanning from on-premises to the cloud it cannot be denied that management, visibility, and reporting software are indispensable for a business to run efficiently and to optimize revenue. It is up to IT administrators and their teams to take on the important job of protecting their arsenal of data against threats by choosing the right data management software.
To safeguard data, organizations must use a platform that understands what data is stored where and what data needs to be relocated, is able to relocate that data, and ensures the validity of that data as it is relocated. On this year's Data Privacy Day, I would like to issue a call to action for organizations across every industry to reevaluate what data management platform they are using in order to protect against today's modern threats as best as possible."
++
Michael Primeaux, chief architect, Umo, Cubic Transportation Systems:
"In this digital age where people are more mobile and distributed than ever before, data privacy and the protection of their personal information are of paramount importance. In the mobility space, in particular, forward-thinking transit agencies are leaning on mobile applications to modernize and simplify their riders' fare payment and reward earning capabilities. With consumer payment data cycling through these applications, it is essential that transit agencies and the technology providers involved protect that information to prevent potential fraud.
Rewards programs through transit mobile applications offer a unique challenge in that the riders have to relinquish some of their data in order to benefit from the perks. Umo Rewards, for instance, delivers real-time incentives, fare discounts, and loyalty rewards through the complementary mobility app. If riders embrace these programs, they will get an overall better travel experience, whether it be a smoother transit journey, discounts on goods or even money to use towards future trips.
To gain and keep rider trust, as we have at Cubic, we recommend that organizations handling transit rider data refine their agility and focus on adversarial threat analysis across every part of their business in order to detect and mitigate security events at a rapid pace. Often, transit agencies work with several technology partners to keep their fare payment systems and rider apps moving. Thus, supply chain security should be a key area of focus at all times. We hope this advice helps transit agencies and the technology partners that support them this Data Privacy Day and beyond."
++
Danny Lopez, CEO, Glasswall:
"Data Privacy Day serves as a reminder of how important the human element is in the world of cybersecurity. Without a proper understanding of online privacy risks, organisations can be left defenceless against hackers.
According to the IBM Cost of a Data Breach Report 2022, stolen credentials are the most common attack vector, leading to 20% of breaches costing an average of USD $4.37 million. In addition, the Verizon 2021 Data Breach Investigations Report stated that phishing attacks increased by 11% last year, with cybercriminals tweaking their scams to fit current events and grab attention.
The solution to fending off cyberattacks at both an individual and company level is twofold: training and technology. Training will arm employees to be alert to risks and follow best practices. This can be as simple as using strong passwords and multi-factor authentication, not opening links and/or attachments from unfamiliar sources, and using anti-virus software.
On the technology side, taking a proactive, zero trust (never trust/always verify) approach when it comes to security can not only protect the companies that implement it but their customers as well. Having these measures in place will not only assist with preventing attacks, but it's also more cost effective and efficient than using employees as an organisation's first line of defence. By combining training and technology, individual, company, and client data privacy is significantly more achievable for organisations around the globe."
++
Amit Shaked, CEO, Laminar:
"Data Privacy Day is a critical reminder for every organization to ask: where is our sensitive data? In recent years, we've seen new security tooling and practices for cloud infrastructure emerge, but oftentimes, the usage and prioritization of such tools ignore the actual treasure that needs protecting - the data itself.
Compared to corporate networks and services, there is a massive amount of data in cloud application environments. When building a cloud application, data is still managed and housed in a single database during the early stages. However, as developers and data scientists advance the application and continue utilizing the data, where it resides and who has access to it can become uncontrollable. At this point, it is known as 'shadow data.'
To combat these increasingly common cloud data protection challenges, security teams need a new set of cloud-native tools that are always on and continuously monitoring their environments. Trust is not enough. The solutions must allow a 'trust but verify' stance towards data security - this helps those handling the data get their jobs done while ensuring it is managed and protected properly.
These always-on and automated solutions allow data protection teams to finally shift left and adjust from being gatekeepers to being business enablers. This allows company productivity to be paired with data security and privacy."
##