Virtualization Technology News and Information
Thought Leaders Provide Tips and Tricks on Data Privacy Day 2022


Data Privacy Day takes place each year at this time on January 28th.  The annual event is an international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust. 

This year, as we have done many times before, VMblog reached out for tips and tricks from several influential thought leaders on how to protect and maintain client and employee personal information and data.


Anastasios Gkouletsos, IT Security Lead at Omnipresent, a leading global HR platform: 

"Focus on Endpoint Security. Endpoint security should be a priority for every company, but particularly for those that are going global with a remote workforce. For remote teams, endpoint security should go far beyond installing off-the-shelf anti-virus software. An effective endpoint security solution should also include a firewall, malware removal, ransomware protection, device management, password manager, and a business VPN."


Brian Spanswick, Chief Information Security Officer and Head of IT at Cohesity, next-gen data management company:

"Data Privacy Week is a great reminder of the importance of protecting the privacy and security of data as well as meeting compliance and governance requirements such as GDPR, CCPA, and HIPAA. This starts with selecting a next-gen data management platform that can offer data protection, governance, and compliance on a single platform as part of an overall risk management strategy. These solutions need to be dramatically simplified so they can easily manage large complex data estates from a single UI and take advantage of AI/ML classification technology to help identify and manage sensitive data."


Peter Tsai, Head of Technology Insights at Spiceworks Ziff Davis, the trusted global marketplace that connects technology buyers and sellers: 

"In our hyper-connected age, common business sayings include "data is the new oil" or "data is the new gold." While user data is indeed valuable to advertisers, companies must always remember that protecting the right to privacy is not only mandated, but also fundamental to building trusted relationships with customers. Recent SWZD research revealed 50% of B2B companies worry privacy regulations or restrictions on the use of data will make it harder to do business. But instead of fearing change, business professionals should embrace it. Not only are the penalties too high for non-compliance, now more than ever, trust and transparency are huge differentiators that help businesses attract customers and build brand loyalty." 


Justyn Hornor, Chief Product Officer at Seeking, the world's largest upscale dating website:

"On Data Privacy Day and every day, online daters must prioritize their personal safety and the security of their online data. Before you hop onto a dating website, vet the security precautions in place. Is the dating platform verifying identities? Is it drawing from data and concrete evidence to strengthen the security of the platform? Is the newest technology, such as AI and bots, being tapped to monitor profiles and identify any potential concerns? Does the company block profiles that engage in unlawful activities? If the answer is no to any of these questions, find a better site."


Daniel Markuson, Digital Privacy Expert with NordVPN, the top VPN service used worldwide:

"Data Privacy Day aims to raise awareness on issues of privacy; however, awareness is meaningless if it doesn't turn into action. Protecting your individual privacy is all about creating habits, such as putting extra effort into creating strong passwords, not clicking on unknown links or downloading unverified files, disabling Wi-Fi & Bluetooth when they're not in use, and overall staying attentive while browsing online. While this may sound tedious, there are tools that can make protecting your privacy much more effortless. A VPN hides your personal information, password managers protect your credentials & generate strong passwords, while file encryption tools make it so only you can access your files."


Shekkar Ayyar, CEO of Arrcus, the hyperscale networking software company:

"Web 3.0 applications like metaverse and defi that are based on AR/VR and blockchain are stretching the requirements on scale and performance of the underlying networking infrastructure. The internet today relies on a complex global mesh of routing and switching nodes, supported by technologies like BGP, or Border Gateway Protocol. As recent outages at AWS and Facebook demonstrate, the risk of network failure is high whenever manual intervention is involved. A critical best practice we at Arrcus recommend is the adoption of intelligent, network analytics-driven automation of router operations to handle fault correction and detection of errors in configuration." 


Ricardo Amper, CEO and Founder of Incode, an AI-based digital identity company:

"There are a lot of misconceptions about how facial recognition technology is currently used. However, despite the reported privacy mishaps and concerns, there is a true inclination among consumers to embrace this technology. Trust is essential and is often missing when consumers aren't in the forefront of the conversation around privacy. The individual must be put first, which means getting their consent. The more an individual feels that they can trust the technology, the more open they will be to using it in additional capacities."


Paul Keely, chief cloud officer at Open Systems, which provides managed detection and response (MDR) services:

"Naturally, the best way to protect critical data is to prevent bad actors from accessing it in the first place. One of the keys to this is monitoring 24/7 to identify and contain breaches as early as possible in the cyber kill chain. Done effectively, this can keep a breach from expanding beyond a single affected endpoint. Endpoints are a significant concern, as companies' attack surfaces have likely grown 10 times  or more due to the pandemic forcing employees to work from home. With all of these thousands of endpoints making thousands of remote connections, the number of alerts has exploded. While the vast majority are false positives, their sheer volume makes it harder to identify the actual threats hidden among them. Understanding their attack surfaces will help companies recognize real threats. Finally, companies need to be ready should their data be encrypted – or deleted – in a ransomware attack. These preparations include routinely backing up files to a device that is not network connected. This is important because the latest ransomware tools, such as Ryuk, actively seek and delete backups on network-attached devices."


Brian Pagano, Chief Catalyst and VP at Axway, a leading API management platform:

"There is no one solution for optimized data privacy. Cloud has the same problems around data-in-motion (you have to get data to and from the cloud) and data-at-rest (storing information in the cloud). What the cloud gives you is industrial-strength physical and digital security of the cloud provider. So it is a good step, a piece of the solution."


Brian Rue, CEO and Co-founder of Rollbar, a leading continuous code improvement platform:

"Companies should embrace data privacy. Rather than viewing privacy requirements as a constraint or something holding you back, instead embrace how consumers have spoken that they need privacy - this comes through government - by fulfilling privacy needs you are fulfilling customer needs. If privacy feels like it's a distraction it might be a sign that your direction is out of line with what consumers are saying they need and what they will need and the direction that everything is going."


Aron Brand, CTO, CTERA, a distributed cloud file storage leader:

"Last year, cybercrime wreaked $6 trillion in havoc to organizations all over the globe. As if one global pandemic was not enough, another has emerged and it is called ransomware. In 2021 enterprise security was seriously challenged by ransomware attacks, and in response there has been a significant shift in how CISOs view data privacy.
Every attempt to access a network should be considered suspicious until proven otherwise. In a zero-trust architecture, every user, device, or endpoint that attempts to connect to the network must be authenticated before gaining access. Here are four best practices to follow:

  • Minimize the storage of long-lived credentials on endpoint devices. Use multifactor authentication, as compromised passwords are often the weakest link in an organization’s security.
  • To reduce the risk for supply chain attacks, verify that IT suppliers prioritize security during the design and building of their products or services. Ask potential providers for their latest report from a third-party security assessment, and for certifications such as SOC2, FIPS 140-2 (Federal Information Processing Standard) and the Open Trusted Technology Provider Standard (O-TTPS).
  • Security patches must be regularly installed on all virtual machines and cloud instances, and password rotation and complexity should be enforced across the entire organization - even on machines inside the corporate perimeter.
  • Ensure segmentation and micro-segmentation of internal networks for fine-grained access control.

As cyber-attackers become more sophisticated, it is essential for organizations to stay ahead of them and constantly revisit and review their security stance. Investing in a zero-trust architecture, and maintaining well protected backups could be the key for survival in the following decade."


Darren James, Head of IT at Specops Software, a leading provider of password management and authentication solutions:

"In 2022, companies still need to focus on the basics -- like password security -- to improve protection against ransomware and other increasingly common attacks. Employee passwords are the backbone of any company’s cybersecurity posture. Social engineering and AI-driven ‘spray and pray’ attacks are escalating and it's easier than ever for attackers to obtain lists of leaked passwords. If there is just one step you take during 2022 to improve your password security, this is the one. Implement a comprehensive list of breached passwords that are blocked from being used in your environment. A strong list should be updated continuously with live attack data, providing protection from the passwords that are being used in attacks today. Equally important is setting password policies for employees, ensuring best practices in line with NIST and other standards like choosing longer passphrases and utilizing multi-factor authentication tools.
With the continuation of COVID-19 and remote and hybrid work models, there are several other steps companies need to take in 2022 to improve overall security posture:  

  • Encrypt all devices used outside of the office to know that if they fall into the wrong hands they will not expose confidential company data.
  • Implement multi-factor authentication to all network and cloud services. Many companies have identified the risk for admins and other privileged accounts but haven’t yet rolled out MFA to their entire organization. 2022 is the moment to take that step. Most cloud services offer MFA today and it’s easy to configure to the requirements of your organization.
  • Verify callers to the IT service desk. A bad actor impersonating an employee can contact the IT service desk and receive help to perform a password reset, which opens the door to penetrate the corporate network with malware or ransomware."


Pritesh Parekh, Chief Trust & Security Officer, VP of Engineering at Delphix, a leading data company for DevOps:

"With cyber-attacks on the rise, this year’s Data Privacy Day is timelier than ever before. Take ransomware as an example. Last year’s onslaught of attacks demonstrated the impact that it can have not only on a single person or business but on the population as a whole. Whether it’s a shortage in the food supply chain or the inability to access critical healthcare services, individuals around the world are realising that successful cyber-attacks could have serious implications for us all.

Although many companies have strengthened security controls to ensure only the right people have access to sensitive data, redacting and obfuscating data in all environments - and especially lower environments -  is equally critical to effectively managing risk and preventing attackers from gaining access. Too often, employees either aren’t aware they could be violating security policies or don’t understand how shortcuts can put customers’ data - and their company, too - at risk.

Modern technologies – such as data masking – could help to mitigate these attacks and improve data privacy throughout an organisation. Data masking can automatically identify where sensitive data resides — across every system including non-production environments for development, testing, and analytics. It then applies algorithms that replace the original value with a fictitious but realistic equivalent in an irreversible way. This, ultimately, decreases the risk of a breach and prevents hackers from getting hold of valuable data. The more masked data your company has, the less there is for bad actors to steal.

Staying ahead of the ransomware threat will be a continuous journey, as attacks and technologies develop. While there is no shortcut on this journey, implementing the latest solutions and focusing on data masking is a great place to start and could make all the difference in an attack situation."


Carolyn Duby, Field CTO & Cybersecurity Lead, Cloudera, a hybrid data cloud company:

"IT decision makers and CIOs are increasingly looking for companies that protect their privacy by doing the right things with their data. From our vantage point, we see companies actually using privacy as a selling point, i.e. Apple’s decision to limit other companies’ access to data from their devices. This is continuing to expand within the enterprise. Going forward, it's going to be really important for companies to carefully think about what they’re doing with data and how it affects their customers. And it can't just be one-sided: It has to be a partnership of what they’re collecting, how they’re keeping it safe, and how they’re using it in an ethical manner.

Classification of data is becoming very important when it comes to privacy conversations. You have to be able to figure out what is in your data that represents potentially protected information - in the form of security numbers, account numbers, user names, addresses, for example. The challenge is, organizations have a lot of data that is coming from multiple silos, usually ending up all in the same data lake. If not managed properly, an attacker can go after your lake and take all your data, all at once. We must embrace the idea that data should be effectively secured and governed in the form of a mix of data catalogs and a data profiler to classify private information and help IT practitioners secure and govern it appropriately."


Bryan Palma, CEO of Trellix, delivering extended detection and response (XDR):

"Keeping track of where data is and how it’s protected is a constant challenge. The explosion of sensitive data, along with the increase in digital collaboration renders traditional security approaches ineffective. Organizations need to secure their data no matter where or how it moves.

A sensitive-data aware XDR (extended detection and response) ecosystem enables the use and sharing of data confidently. It protects data from devices, between applications, or through email from data leakage. XDR bridges the gap between threat protection and data security by combining threat analysis with the context of data to enable a more accurate and timely decision-making process.

For example, if a financial executive’s email with sensitive information is being targeted by a bad actor, XDR detects, responds and remediates the attack by combining threat intelligence, data context and guided investigations together into a single interface.

Gartner predicts by year-end 2027, XDR will be used by up to 40% of organizations, and IDC projects the cloud-native XDR market will grow at a CAGR of 89.3% through 2025. As the analysts indicate, this is a trend we will see as organizations streamline their data management process to protect their unique business and operations."


Josh Odom, CTO, Pathwire:

"As we look towards Data Privacy Day on January 28, this is a time to examine and raise awareness around the importance of protecting personal information. Privacy and security are always top of mind when it comes to consumer data and that is especially true with email marketing. According to a recent survey by Mailjet by Sinch and Ascend2, "privacy/security" is a top priority for best-in-class email marketers, with 43% of respondents in this segment selecting it among the email marketing trends for 2022. 

With big players such as Apple and Google announcing plans to phase out third-party cookies, the days when you could deploy a cookie and track people are ending. We think this will make channel marketing way more relevant, but it will also pose new challenges. The Apple Mail Privacy Protection update, for example, is forcing senders to rethink the way they measure success in their email campaigns. The ability that marketers have had until now to easily track people's behaviors is dwindling quickly.

According to the United Nations, cybercrime is on the rise - with a 600% increase in malicious emails during the pandemic - and users are demanding more control over their personal data. Now more than ever, we need to put data privacy and security at the forefront of our email marketing strategies to establish trust and protect personal information."


Steve Cochran, CTO of ConnectWise:

"The concept of data privacy may never have been more important than it is today, on this Data Privacy Day. And never before has the concept of Data privacy been more under threat. It behooves all of us technical professionals to use this day to reflect on the growing threat and our response to that threat over the last year and prepare ourselves for the coming year. Data privacy and the effort that is required to protect it will continue to change at an accelerated rate this coming year and the years to come. Our company and our partners are doing their part and leading the charge in keeping our community safe and secure against these growing threats."


Ryan Abraham, virtual CISO of Wisetail:

"Data privacy is incredibly important in the HR industry. HR professionals are entrusted with employees' sensitive data - from social security numbers to phone numbers to home addresses and more - so it's vital that every company takes the proper steps to ensure that data is safe.

One important step here is to certify your organization as SOC 2 compliant. SOC 2 is based on five factors - security, availability, processing integrity, confidentiality, privacy - and the certification tells users that your organization maintains a high level of information security and handles their data responsibly. Additionally, SOC 2 compliance ensures that your organization has implemented security practices to defend itself from cyberattacks and breaches.

Another great way to honor Data Privacy Day this year is to start regular employee training on data privacy best practices, which can be easily created and assigned to your team through a learning experience platform (LXP). These training courses can educate employees on how to spot a phishing attack, create strong passwords, avoid suspicious and dangerous websites, and more. Your employees are your first line of defense against data privacy threats, so it's essential that they are equipped to keep themselves and your business safe."


Dottie Schindlinger, Executive Director, Diligent Institute:

"Today's workplace is no longer limited to traditional definitions or boundaries. Companies are constantly adapting to new working models and exploring innovative ways to tailor them to the needs of their organisation. The adoption of collaboration tools has skyrocketed as companies try to ensure that productivity and efficiency remain high, whether in a remote, in-office, or hybrid work environment. 

Many of these tools are general-purpose solutions that meet the requirements of employee communication and collaboration well enough. But they may not be appropriate for the top layer of your organisation - the board and executives.

Boards and executives deal with information that is often highly sensitive and that consequently has higher costs of exposure. Think of the reputational, legal and financial repercussions if a classified document leaked because it was shared by executives on a general-purpose communication tool. The impact could be catastrophic. Additionally, recent cyberattacks have highlighted - not just for shareholders, but for all stakeholders - the importance of protecting an organisation's most sensitive data. General-purpose collaboration tools are unable to offer the level of protection that stakeholders expect.

Organisations need secure environments and workflows that allow the board and executives to communicate highly sensitive information safely, without worrying that it might accidentally be misrouted, forwarded, leaked or even stolen. And, the system must be intuitive and convenient, so executives remain within its workflows and processes without straying to other systems and creating security gaps."


Jeff Sizemore, Chief Governance Officer, Egnyte:

"Data Privacy Day reminds us of the mission-critical requirement to safeguard data amid rising cyberattacks and companies' adaptation to longer-term  hybrid-work models. Due to  increased cyber-risk and a strong consumer desire for privacy protection, there continues to be  a steep rise in state-by-state data privacy requirements,  with movement toward a potential federal privacy law anticipated later this year. By 2023, it's predicted that 65% of the world's population will be covered by privacy laws. 

Increasingly, with personal privacy viewed as a human right, how vendors manage consumer and employee data will determine how much the public trusts and wants to do business with them. To comply with governmental requirements during the global pandemic, organizations may need to store employees' Protected Health Information (PHI) like vaccination statuses for their employees, which creates its own privacy impact.

Additionally, protecting unstructured data will likely be one of the biggest challenges in 2022. If you can't see it, you can't govern it. If you can't govern it, you definitely can't manage privacy. Organizations need to have visibility into structured and unstructured data to build out effective data governance programs. Thankfully, there are data security and governance solutions available to protect that information holistically. Expect to see ongoing privacy assessments become more common in the days ahead. Those who put privacy at the forefront and ensure they are solving the problem comprehensively will be the ones who come out on top."


Avi Raichel, VP, Zerto GTM, a Hewlett Packard Enterprise company:

"Data Privacy Day serves as a critical reminder that data privacy and protection are increasingly challenging matters and organizations have no other choice than to take them seriously. Ransomware attacks are here to stay as they continue to rise in both volume and severity and as cybercriminals keep developing new and unexpected methods to encrypt data. It is estimated that by 2031, ransomware is expected to attack a business, consumer, or device every two seconds.

According to research from IDC, 95.1% of organizations suffered a malicious attack in the past 12 months and 43% of those organizations have experienced unrecoverable data loss, proving the devastating impacts of ransomware and other cyberattacks. Organizations must understand that protecting your data from ransomware is no longer about if you can recover, but rather how quickly you can get your business back up and running.

Since no single solution can offer protection from ransomware attacks with 100% certainty, having a disaster recovery and backup solution based on continuous data protection (CDP) offers companies the ability to be resilient in the face of potentially catastrophic circumstances. Companies using CDP can resume operation at scale in minutes and recover to a state a few seconds before an attack. Ultimately, having continuous data protection will put the power back in the hands of the organizations who are prepared."


Gorka Sadowski, chief strategy officer, Exabeam:

"Every year, Data Privacy Day is a timely reminder that organizations are custodians of our private information and that they must do everything in their power to protect our data from misuse and unauthorized leaks. Right now, information exfiltration via ransomware and insider threat seems to be rampant. The security community must better work together and prioritize innovation and collaboration above competition to fight our shared cyber enemies.

As global ransomware payments skyrocket, it proves that cybercriminals are willing to collaborate and pool resources with other threat actors to develop new ways to breach organizations around the world. Our greatest hope in defeating such highly coordinated cyberthreats is to become united in fending off their multifaceted attacks. To that end, I'm pleased to see governments finally mobilizing against cyber adversaries to prevent devastating consequences on companies in both the public and private sectors.

In addition to the various laws and mandates that preserve privacy and data standards for individuals, we remain committed to showing the world that cybersecurity is really a team sport. Our XDR Alliance was created to foster an open approach to extended threat detection, investigation and response (TDIR) for security teams everywhere. As the founding organization, we believe that a unified approach to fighting cybercrime is the future to stopping the adversaries from gaining new ground."


Lex Boost, CEO, Leaseweb USA:

"IBM recently reported that 2021 saw the highest average cost of a data breach in 17 years, with the cost rising from $3.86 million in 2020 to $4.24 million. As a result, data protection has been getting more attention than it ever has before. The headlines consistently permeating the news might be a source of dread for IT administrators and their teams, but luckily, they are not alone. Choosing the right hosting provider can help tremendously. 

Many hosting providers are picking up their proverbial swords and helping the fight against cyberadversaries. The right hosting provider can deliver extra protection by offering 24/7 security-related support services to act as an extra set of eyes against attackers. In addition, hosting providers can also provide standard security training for employees so that they can become more cyberaware. 

Data Privacy Day should serve as a reminder to choose hosting providers who are willing to enter the battle against adversaries and safeguard your data."


Carl D'Halluin, CTO, Datadobi:

"No one can deny that unstructured data is growing exponentially. With the creation of so much data, a wide range of new management tools and processes to oversee it have emerged - from global data availability, data protection, data archival, and more. In this multi-vendor, multi-platform world spanning from on-premises to the cloud it cannot be denied that management, visibility, and reporting software are indispensable for a business to run efficiently and to optimize revenue. It is up to IT administrators and their teams to take on the important job of protecting its arsenal of data against threats by choosing the right data management software. 

To safeguard data, organizations must use a platform that understands what data is stored where, what data needs to be relocated, be able to relocate that data, and ensure the validity of that data as it is relocated. On this year's Data Privacy Day, I would like to issue a call to action for organizations across every industry to reevaluate what data management platform they are using in order to protect against today's modern threats as best as possible."


Michael Primeaux, chief architect, Umo, Cubic Transportation Systems:

"In this digital age where people are more mobile and distributed than ever before, data privacy and the protection of their personal information are of paramount importance. In the mobility space, in particular, forward-thinking transit agencies are leaning on mobile applications to modernize and simplify their riders' fare payment and reward earning capabilities. With consumer payment data cycling through these applications, it is essential that transit agencies and the technology providers involved protect that information to prevent potential fraud. 

Rewards programs through transit mobile applications offer a unique challenge in that the riders have to relinquish some of their data in order to benefit from the perks. Umo Rewards, for instance, delivers real-time incentives, fare discounts, and loyalty rewards through the complementary mobility app. If riders embrace these programs, they will get an overall better travel experience, whether it be a smoother transit journey, discounts on goods or even money to use towards future trips.  

To gain and keep rider trust, as we have at Cubic, we recommend that organizations handling transit rider data refine their agility and focus on adversarial threat analysis across every part of their business in order to detect and mitigate security events at a rapid pace. Often, transit agencies work with several technology partners to keep their fare payment systems and rider apps moving. Thus, supply chain security should be a key area of focus at all times. We hope this advice helps transit agencies and the technology partners that support them this Data Privacy Day and beyond."


Danny Lopez, CEO, Glasswall:

"Data Privacy Day serves as a reminder of how important the human element is in the world of cybersecurity. Without a proper understanding of online privacy risks, organisations can be left defenceless against hackers.

According to the IBM Cost of a Data Breach Report 2022, stolen credentials are the most common attack vector, leading to 20% of breaches costing an average of USD $4.37 million. In addition, the Verizon 2021 Data Breach Investigations Report stated that phishing attacks increased by 11% last year, with cybercriminals tweaking their scams to fit current events and grab attention.

The solution to fending off cyberattacks at both an individual and company level is twofold: training and technology. Training will arm employees to be alert to risks and follow best practices. This can be as simple as using strong passwords and multi-factor authentication, not opening links and/or attachments from unfamiliar sources, and using anti-virus software. 

On the technology side, taking a proactive, zero trust (never trust/always verify) approach when it comes to security can not only protect the companies that implement them but their customers as well. Having these measures in place will not only assist with preventing attacks, but it's also more cost effective and efficient than using employees as an organisation's first line of defence. By combining training and technology, individual, company, and client data privacy is significantly more achievable for organisations around the globe."


Amit Shaked, CEO, Laminar:

"Data Privacy Day is a critical reminder for every organization to ask: where is our sensitive data? In recent years, we've seen new security tooling and practices for cloud infrastructure emerge, but oftentimes, the usage and prioritization of such tools ignore the actual treasure that needs protecting - the data itself.

Compared to corporate networks and services, there is a massive amount of data in cloud application environments. When building a cloud application, data is still managed and housed in a single database during the early stages. However, as developers and data scientists advance the application and continue utilizing the data, where it resides and who has access to it can become uncontrollable. At this point, it is known as ‘shadow data.' 

To combat these increasingly common cloud data protection challenges, security teams need a new set of cloud-native tools that are always on and continuously monitoring their environments. Trust is not enough. The solutions must allow a ‘trust but verify' stance towards data security - this helps those handling the data get their jobs done while ensuring it is managed and protected properly. 

These always-on and automated solutions allow data protection teams to finally shift left and adjust from being gatekeepers to being business enablers. This allows company productivity to be paired with data security and privacy."


Published Friday, January 28, 2022 8:30 AM by David Marshall