Data Privacy Day, an international "holiday" that occurs each year on January 28, was created to raise awareness and promote privacy and data protection best practices. Data Privacy Day began in the United States and Canada in January 2008. It is an extension of Data Protection Day in Europe, which commemorates the January 28, 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.
Two years ago, the National Cybersecurity Alliance (NCA) expanded Data Privacy Day beyond January 28 into Data Privacy Week, and many organizations now mark it for the full week, a reflection of how important the data in question has become.
Data Privacy Day's educational initiative originally focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking. In addition to its educational initiative, Data Privacy Day promotes events and activities that stimulate the development of technology tools that promote individual control over personally identifiable information; encourage compliance with privacy laws and regulations; and create dialogues among stakeholders interested in advancing data protection and privacy.
With this in mind, VMblog has compiled some detailed perspectives, as well as some tips for better protection of sensitive corporate data, from a few industry experts ahead of Data Privacy Day 2023.
++
Dave Russell, VP of Enterprise Strategy, Veeam Software
"The risk of data privacy continues to grow year after year. Cyberattacks have become the biggest threat and concern to organizations, calling on companies to revisit current data security, protection, and recovery strategies. According to the Veeam Data Protection Trends Report, in 2022 alone 85 percent of organizations were attacked by ransomware at least once. While we hear time and time again experts telling organizations to protect data and get ahead of becoming a bad actor’s next target, many organizations don’t know the first steps to take. My advice on Data Privacy Day is to make sure systems are patched, employees are given proper training on common attack methods such as phishing links, zero-trust strategies are implemented and maintained, to be aware of the best digital hygiene practices, and to implement a data recovery strategy to ensure that when an attack happens, data remains immutable."
Rick Vanover, Senior Director, Product Strategy, Veeam Software
"As the issue of data privacy continues to be top of mind for many companies, the shift to the cloud continues to grow. Research shows 63 percent of data is now being stored in the cloud, with 67 percent stating their backups used cloud services, with the intent to move towards 74 percent within two years. As more organizations move portions of their data to the cloud, they must ensure the compliance requirements retain the same long-term regulatory requirements, regardless of whether that data resides within on-premises servers or cloud services. From a privacy perspective, the most important first steps are knowing where you are storing data and how to protect it. Be familiar with the software and technology being used, invest in a good backup system, and stay aware of the overall compliance requirements."
++
Andy Syrewicze, Technical Evangelist at Hornetsecurity
"When it comes to data privacy in the modern world, it’s no longer an optional thing. Data privacy is an absolute expectation that your customers have when they consume your products/services, and the penalties are starting to (and should) become severe. With new potential pending legislation in both the US and the EU focused on data privacy, it’s more important now than ever that organizations begin to take data privacy seriously if they haven’t already.
Proper security hygiene is a must for organizations starting to tackle this concern. Security tools that protect increasingly popular cloud platforms such as M365 are a must in our mobile world. These tools, paired with end user security awareness training and a definitive practice of only retaining and storing the data that’s absolutely required, will go a long way towards keeping your customers’ data private, and your company’s name out of the news."
++
Bob Adair, Product Manager for CloudCasa by Catalogic
"Rockwell famously sang in his 1984 hit “Somebody's Watching Me”, “I always feel like somebody's watching me; and I have no privacy.” In 1984, despite what readers of George Orwell’s eponymously named book might have been led to fear, that feeling was likely a sign of paranoia. In 2023, it’s more an acknowledgement of the unfortunate realities of our interconnected digital world.
The good news is that legislators and regulators around the world have begun to wake up to the dangers posed by this lack of data privacy. The bad news is that their “solution”, the current patchwork of privacy-related laws and regulations like GDPR and CCPA, place a heavy compliance burden on companies while often providing little in the way of actual privacy benefits to consumers.
But don’t be discouraged! One positive outcome of these laws and regulations is that most vendors must now disclose what data they collect from you, what they do with it, and who they allow to access it. Yes, these disclosures tend to be in documents that are longer than Orwell’s novel and written in language that only a lawyer could love, but the information is still available. My advice is to read it all. As an individual consumer, you probably won’t have much influence over what the giants of the tech industry do with your data. You can either accept their terms or reject their services.
However, as a business purchaser, you have more influence. You should read the privacy disclosures from your vendors, ask them questions if you don’t understand what they say, and let them know if you don’t like what you see. They have spent hundreds of hours preparing these documents, and they should want you to understand what is in them. If they don’t, that should be a red flag. Chances are that you have an obligation to your own customers and employees to do this, and even if you don’t, data privacy is everyone’s business!"
++
Thomas LaRock, Head Geek, SolarWinds
"Data creation has exploded in recent years, with entire industries being built on having access to unique and useful data. This information can enable better business outcomes, making it an invaluable asset for any company. Unfortunately, this growing emphasis on data can also present risks. It's critical that companies focus on becoming Secure by Design to ensure strong data policies by upgrading their Data Loss Prevention (DLP) solutions and adopting Zero Trust security."
++
Christopher Rogers, technology evangelist, Zerto, a Hewlett Packard Enterprise company
"In 2023, data is the most valuable asset any company owns. Whether it's the organization’s own data or its customers’, the potential loss of revenue should this data be compromised is huge. Therefore, the primary concern for all businesses should be protecting this asset.
Unfortunately, in the golden age of cybercrime, data protection is not such an easy task. In 2022, an IDC report, ‘The State of Ransomware and Disaster Preparedness’ found that 83% of organizations had experienced data corruption from an attack, and nearly 60% experienced unrecoverable data as a result. While it's clear there is a dire need for more effective data protection, it is also crucial that businesses have disaster recovery solutions in place should the worst occur.
When it comes to ransomware, the biggest financial killer is the downtime. Therefore, having a disaster recovery solution based on continuous data protection (CDP) in conjunction with backup is vital to equip companies with the ability to be resilient in the face of potentially catastrophic circumstances. Companies using CDP can limit downtime and restore operations in a matter of seconds or minutes, rather than days or weeks.
This Data Protection Day, I want to encourage businesses to not only look at what they can be doing to protect themselves but also what solutions they have in place to recover should disaster strike."
++
Rick McElroy, Principal Cybersecurity Strategist, VMware
"As the world continues to move toward Web 3.0 and the Metaverse, consumers are feeling the impact of their online privacy being treated as an afterthought by social media platforms. Almost every social platform has had significant privacy complaints and lawsuits filed against them, but states like California have passed the CPRA, which has expanded the rules for companies, proving that consumers do in fact value privacy. It is worth noting that some companies are doing better than others, so we must not paint the entire tech industry with the same broad brush stroke. But as technology continues to evolve, consumers need to ask a few questions about the latest internet app fad before it’s too late, such as: What are you giving up for the service? Who made this app and why?
However, an underlying issue is that most consumers don’t take the time to read what data these companies are actually collecting. There is a role for all of us to play in the privacy of our own data, but most users aren’t taking the responsibility. Consumers should be educated on and aware of the actual risks of using the latest “on trend” app. Privacy should be presented in a way that is more easily understood by younger generations, otherwise we are missing an opportunity to meaningfully educate a whole population of people. The state of privacy is poor today, but with the right consumer engagement, it could help tip the scales back in favor of consumers."
Karen Worstell, Senior Cybersecurity Strategist, VMware
"Just as with security, the privacy landscape continues to evolve, yet as things change, some things stay the same or shift far too slowly. Weak credentials are still the number one threat to end-user data, and the migration to using multi-factor authentication is still a work in progress since the US Executive Order requiring MFA for all federal agencies in 2021. As the use of modern applications expands, with API traffic comprising 50% of Internet traffic, the opportunity for attack vectors into applications through credential stuffing increases. The impact of ineffective controls around the personal information of citizens is compounded by the complexity introduced by the hybrid work environment. The internet-based economy is facing significant shifts culturally and from a regulatory perspective because of the breach of trust between data collectors/processors and data subjects. End users certainly must do their part and choose strong authentication methods and avoid reuse of passwords through the use of password management tools. Companies must change their risk management paradigm and shift from demonstrating due diligence to a defensible standard of care that includes the risk appetite of their constituents. Breaches of privacy and loss of consumer and business partner trust come from doing the same things (that don’t work) expecting different results."
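Credential stuffing, which the quote above raises, has a recognisable shape in authentication logs: one source address tries many distinct accounts a few times each, most attempts fail, and the occasional success is a reused password. The detector below is an added example for this page, not code from VMware or the article. It parses a constructed, hypothetical log format (`timestamp ip=… user=… result=OK|FAIL`) and flags sources whose sliding window shows many distinct users, a high failure ratio and few attempts per user, which separates stuffing from a brute-force attack on a single account.

```python
"""Flag credential-stuffing sources in authentication logs (added example).

The log line format and thresholds are assumptions for this demo, not any
vendor's format. Signature used: within a time window, one IP touches at
least MIN_DISTINCT_USERS accounts, most attempts fail, and each account is
tried only a couple of times (brute force looks the opposite: one account,
many attempts).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: a stuffing source, a brute-force source, a normal user.
SAMPLE_LOG = (
    "2023-01-20T10:00:01Z ip=203.0.113.5 user=alice result=FAIL\n"
    "2023-01-20T10:00:02Z ip=203.0.113.5 user=bob result=FAIL\n"
    "2023-01-20T10:00:03Z ip=203.0.113.5 user=carol result=FAIL\n"
    "2023-01-20T10:00:04Z ip=203.0.113.5 user=dave result=FAIL\n"
    "2023-01-20T10:00:05Z ip=203.0.113.5 user=erin result=OK\n"
    "2023-01-20T10:00:06Z ip=203.0.113.5 user=frank result=FAIL\n"
    "2023-01-20T10:00:07Z ip=203.0.113.5 user=grace result=FAIL\n"
    "2023-01-20T10:00:08Z ip=203.0.113.5 user=heidi result=FAIL\n"
    + "".join(
        f"2023-01-20T10:01:{i:02d}Z ip=198.51.100.7 user=bob result=FAIL\n"
        for i in range(10)
    )
    + "2023-01-20T10:05:00Z ip=192.0.2.9 user=alice result=OK\n"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def find_credential_stuffing(lines, window=timedelta(minutes=10),
                             min_distinct_users=5, min_fail_ratio=0.7,
                             max_attempts_per_user=2.0):
    """Return {ip: summary} for sources whose activity in some window matches
    the stuffing signature. The summary lists accounts that logged in OK from
    that source, i.e. the reused passwords that worked and need a reset."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits in `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(not e["ok"] for e in win)
            if (len(users) >= min_distinct_users
                    and fails / len(win) >= min_fail_ratio
                    and len(win) / len(users) <= max_attempts_per_user):
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    "compromised_accounts": sorted(
                        {e["user"] for e in win if e["ok"]}),
                }
    return findings


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The brute-force source (ten failures against one account) is deliberately not flagged here; it needs its own rule, and the two patterns call for different responses: an account lockout or step-up for the single target versus a password reset for every account that succeeded from the stuffing source.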
++
Steven Chung, President, Delphix
"As we've witnessed in recent years with breaches such as those at SolarWinds, Uber, T-Mobile, and LastPass, development environments are often very rich targets for cyber attacks that compromise or lead to the compromise of sensitive private information. Attackers prey on source code management systems, infrastructure such as virtual test servers, and the test data itself. All three must be protected. To do so, DevOps teams will need to rely on automation to ensure data security, such as deploying secure configurations and masking sensitive production data that is used for development and testing. We find that many companies often address the first two of these (systems and infrastructure) but fail to protect sensitive customer data that's used in test, development and analytics environments, especially with the emergence of AI/ML use cases. This should no longer be tolerated, as businesses should employ a zero trust model to customer data no matter the environment --- test, development or production."
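Masking production data before it reaches test and development, as the quote above recommends, has two practical requirements: the masked values must still join across tables (the same customer must map to the same pseudonym everywhere), and nothing the masking policy forgot to mention may slip through. The script below is an added example, not Delphix's product or code from the article. It pseudonymises fields with an HMAC under a per-environment key (here a hardcoded demo key; in practice it lives in a vault outside the dataset), drops any field the allowlist policy does not name, and verifies afterwards that no original value survives in the output. The record layout and field names are constructed for the demo.

```python
"""Deterministic masking of production records for test/dev copies (added example).

Assumptions: flat dict records; MASK_KEY is an environment-specific secret kept
outside the data (hardcoded here only for the demo); masking is allowlist based,
so a column added to production later is dropped from test by default rather
than copied in clear.
"""
import hashlib
import hmac
import json

MASK_KEY = b"demo-key-the-real-one-lives-in-a-vault"  # constructed demo secret


def _tag(key, field, value):
    """HMAC-SHA256 over field:value. Same input gives the same output, so joins
    on masked columns keep working; without the key it can be neither reversed
    nor recomputed by someone holding only the test copy."""
    return hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()


def mask_name(key, value):
    return "person-" + _tag(key, "name", value)[:8]


def mask_email(key, value):
    # Lower-case first so Jane.Doe@ and jane.doe@ map to the same pseudonym.
    return "user-" + _tag(key, "email", value.lower())[:10] + "@example.test"


def mask_ssn(key, value):
    # Area numbers 900-999 are never issued, so a derived 9xx-xx-xxxx value
    # cannot collide with a real person's SSN.
    digits = "9" + str(int(_tag(key, "ssn", value), 16) % 10**8).zfill(8)
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


# Allowlist policy: "keep" copies the value, a function masks it, and any
# field not listed (e.g. free-text support_notes) is dropped.
POLICY = {
    "customer_id": "keep",
    "ticket_id": "keep",
    "plan": "keep",
    "name": mask_name,
    "email": mask_email,
    "ssn": mask_ssn,
}


def mask_record(record, policy=POLICY, key=MASK_KEY):
    out = {}
    for field, value in record.items():
        rule = policy.get(field)
        if rule is None:
            continue  # fail closed: unknown field never reaches test
        out[field] = value if rule == "keep" else rule(key, str(value))
    return out


def mask_dataset(records, policy=POLICY, key=MASK_KEY):
    return [mask_record(r, policy, key) for r in records]


def leaked_values(originals, masked, policy=POLICY):
    """Post-masking check: any original non-'keep' value found verbatim in the
    masked output is a leak. Returns a list of (field, value) pairs."""
    blob = json.dumps(masked)
    return [(f, v) for rec in originals for f, v in rec.items()
            if policy.get(f) != "keep" and str(v) in blob]


# Constructed sample "production" rows (no real people).
PRODUCTION_CUSTOMERS = [
    {"customer_id": 1001, "name": "Jane Doe", "email": "jane.doe@corp.example",
     "ssn": "123-45-6789", "plan": "gold"},
    {"customer_id": 1002, "name": "John Roe", "email": "john.roe@corp.example",
     "ssn": "987-65-4320", "plan": "free"},
]
PRODUCTION_TICKETS = [
    {"ticket_id": 501, "email": "Jane.Doe@corp.example",
     "support_notes": "called from 555-0100, SSN 123-45-6789 on file"},
]


if __name__ == "__main__":
    print(json.dumps(mask_dataset(PRODUCTION_CUSTOMERS), indent=2))
    print(json.dumps(mask_dataset(PRODUCTION_TICKETS), indent=2))
```

Two properties matter more than the hashing itself: the ticket's mixed-case email masks to the same value as the customer row's, so the test environment can still join customers to tickets, and the free-text notes column, which in real data tends to contain exactly the secrets the structured columns were masked to hide, never leaves production.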
++
Tyler Adams, CEO of CertifID
"Social engineering can circumvent just about any data privacy technology. BEC (business email compromise) inflicts more damage each year than any other form of cybercrime according to the FBI. BEC relies on social engineering to gain access to privileged data, and ultimately people's money.
Data Privacy Week is an important reminder to focus on people and process, not just technology. Focus on your crown jewels (in industries like real estate, it's the huge amounts of closing and escrow funds being moved daily). Enact a multi-layered defense strategy that includes a rapid response plan if the unthinkable happens. And, foster a culture where human error leads to education rather than punishment. That's the only way we'll all get better."
++
Vladislav Tushkanov, privacy expert at Kaspersky
"One important trend of the geopolitically turbulent 2022 was the re-emergence of hacktivist groups. State-sponsored or grassroots, they targeted not only state services, but anything in their reach, including B2C companies. They aimed to leak the customer data not for profit, but for the sake of reputational damage. This highlights the need to put into place strict measures to protect user data, or at least minimize its collection in the first place.
A prime example of this approach taken on a scale of a tech giant is when Apple introduced end-to-end encryption for iCloud. This means that in the event of a large-scale data breach, information from users who enabled e2e-encryption will remain secure. Another example is the introduction of e2e-encryption for WhatsApp cloud backups, the main vector of attack on WhatsApp users. All of this could mean that both tech giants and governments understand that the risk of a massive data breach is higher than the hurdles that additional encryption and user privacy may create for law enforcement.
I would like to hope that these developments are only the beginning, and we will see more privacy-preserving technologies introduced in 2023."
++
Rodman Ramezanian, Global Cloud Threat Lead at Skyhigh Security
"Data Privacy Week (expanded to a week by the NCA) is an international effort to raise awareness about digital data privacy, and to encourage individuals, businesses, and governments to better protect their data and digital identities.
Similar to most New Years’ resolutions, however, these efforts can’t just last for one week or the beginning of a year – they must be prioritized all year round with unwavering commitment. Sadly, the moment that organizations take their “eyes off the ball” and lack focus, it can be detrimental to the privacy and security of their valuable data.
It must be said that initiatives like these are absolutely welcome, and serve as good reminders for global citizens to remain cautious and vigilant with matters relating to their data. Nevertheless, as seen in countless incidents where high-valued data has been leaked or compromised, users and organizations tend to, respectively, let their guards down over time, ultimately becoming complacent beyond the days spanning “Data Privacy Week”.
Data privacy and security are undoubtedly key considerations for any robust enterprise strategy. Based on Gartner’s predictions, “by the end of 2024 ... 75% of the world's population will have its personal data covered under modern privacy regulations. This regulatory evolution has been the dominant catalyst for the operationalization of privacy”.
For users, small to medium businesses, large scale enterprises, critical infrastructure entities, government agencies, and everyone in-between – Data Privacy, Data Protection, and overall Data Security must continue to remain priorities this week, and every single week well into the future."
++
Tim Callan, Chief Experience Officer, Sectigo
"Identity is now a critical attack vector and establishing digital trust for both human and machine identities is mission-critical for enterprises. To maintain security and data privacy, organizations will increasingly adopt digital processes requiring unspoofable digital identities to defeat these sophisticated attacks.
As business priorities are set for the year, organizational security frameworks must validate and secure every identity seeking network access to establish digital trust and ensure the privacy and safety of human and machine digital identities that make up our digital lives. This is accomplished with public key infrastructure (PKI)-based digital certificates. Having an identity-first security approach centered around PKI and digital certificates provides immutable proof that ‘this person or entity can be trusted.’"
++
Carolyn Duby, Field CTO & Cybersecurity GTM Lead at Cloudera
"Going into this year one of the main things that comes to mind on Data Privacy Day, is that data security has never been more complex or complicated, and a fraught geopolitical climate has only escalated the threats. Security vulnerabilities have increased exponentially, fueled by new remote-work strategies and global stressors such as inflation, food shortages, increased unemployment and a looming recession.
With new innovations such as the metaverse, cryptocurrency and DeFi, 5G and quantum computing all in their infancy, the cyber battle lines where businesses and bad actors engage will continually be redrawn. For every step organizations take to get better, smarter and safer, bad actors mirror our footprints, often armed with equal determination, resourcefulness and technological assets.
For businesses to truly be able to call themselves “data-first,” they must prioritize security and governance as a foundational pillar of any data management strategy. If they don’t, they may find themselves letting the foxes into the henhouse — and never even know it."
++
Lisa Erickson, head of data protection product management at Veritas
"Over the past couple of years, ransomware, once thought of as primarily a security threat, has evolved into one of the biggest data privacy challenges that businesses continue to face. Today, double and triple extortion tactics that up the ante by threatening to sell or otherwise leak sensitive data are table stakes. Data Privacy Day is a great reminder of the importance of keeping sensitive data protected against the ever-evolving threat landscape where ransomware is the attack du jour. Here are three things organizations can do to reduce data privacy risks associated with ransomware and other threats:
- Organize and assess your data. Understanding what kinds of data you have enables you to assess what it’s worth and who needs access to it. These, in turn, inform where it should be stored and how access is managed. Limiting access to only those who need it limits exposure in the event of an attack.
- Have a cross-functional response plan in place so you’re prepared to respond to a ransomware attack that involves sensitive data. As part of this, test your ability to quickly and even automatically take compromised storage devices offline to prevent sensitive data from being exfiltrated.
- Identify, categorize and remediate compromised data. With organized data and a response plan in place, you’ll be prepared to quickly identify what data, if any, has been compromised during an attack so you can make informed decisions about your next steps. You’ll be able to know, for example, if the bad actors took sensitive customer PII or simply next week’s lunch menu for the cafeteria."
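The first of the three steps above, organizing and assessing what data you hold, usually starts with discovery: scanning files for the identifiers that make them sensitive. The script below is an added example, not Veritas code or code from the article. It runs a small set of PII detectors (email, US SSN with the never-issued ranges excluded, payment card numbers validated with the Luhn checksum so that order numbers and other digit runs are not counted) over constructed sample files and assigns each file a sensitivity level, the kind of inventory that then drives where the data lives and who may read it. The file names, contents and the three-level classification are assumptions for the demo.

```python
"""Classify files by the PII they contain (added example).

Detectors are regexes plus, for card numbers, a Luhn checksum filter. The
sensitivity levels (public / internal / restricted) and the sample files are
constructed for this demo, not a vendor's scheme.
"""
import re
from collections import Counter

PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # SSA never issues area 000, 666 or 900-999, group 00 or serial 0000.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-19 digits, optionally separated by spaces or dashes; Luhn-checked below.
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(number):
    """Luhn checksum over the digits of `number` (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Count PII hits per kind in a piece of text."""
    found = Counter()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group().strip()
            if kind == "card" and not luhn_ok(value):
                continue  # digit run that is not a card number (e.g. an order id)
            found[kind] += 1
    return found


def classify_files(files):
    """files: {name: text}. Returns {name: {"counts": {...}, "sensitivity": level}}.
    Government or payment identifiers make a file 'restricted'; contact
    details alone make it 'internal'; otherwise it is 'public'."""
    report = {}
    for name, text in files.items():
        counts = scan_text(text)
        if counts["ssn"] or counts["card"]:
            level = "restricted"
        elif counts["email"]:
            level = "internal"
        else:
            level = "public"
        report[name] = {"counts": dict(counts), "sensitivity": level}
    return report


# Constructed sample files; 4111 1111 1111 1111 is a standard test card number
# and ...1112 is the same digits with a broken check digit.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn,email\nJane Doe,123-45-6789,jane.doe@corp.example\n",
    "billing/orders.txt": ("card 4111 1111 1111 1111 charged; "
                           "ref 4111 1111 1111 1112 is an order id"),
    "cafeteria/menu.txt": "Monday: tacos. Tuesday: soup. Questions: kitchen@corp.example",
    "public/readme.txt": "Nothing sensitive here.",
}


if __name__ == "__main__":
    for name, info in classify_files(SAMPLE_FILES).items():
        print(f"{name:22} {info['sensitivity']:10} {info['counts']}")
```

The Luhn filter is what keeps a scanner like this usable: without it, every long reference number in a billing export lights up as a card, and the resulting inventory overstates exposure so badly that nobody acts on it. In the same spirit, the cafeteria menu ends up classified as "internal" only because it carries a mailbox address, which is exactly the "lunch menu versus customer PII" distinction the quote above describes.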
++
Alfredo Hickman, Head of Information Security, Obsidian Security
"This year's Data Privacy Week themes are about coming together on both an organizational and individual level to ethically leverage, store, and secure sensitive data. For organizations, this means acting transparently and in good faith when managing customer data, and respecting the vulnerable nature of the information if accessed by a malicious actor. It's also important for companies to comply with regulatory oversight as most of the traction in improving data security, privacy, and ethics comes from regulation rather than market forces.
Individuals can do their part by providing the least amount of information required to engage with a business or service while taking the time to learn what is actually done with that information. Many don't realize that their data is often shared with third-parties outside the direct control of the organization. In the future, I'm hopeful that states like California, which are adopting more stringent privacy regulations than others, will compel the federal government to follow their lead to avoid the growing Balkanized data privacy landscape we're seeing in the US today. In the meantime, however, individuals must remain vigilant in understanding their data privacy rights and reading the fine print when choosing the organizations with which they are willing to share their 'story.'"
++
Eve Maler, CTO, ForgeRock
"This Data Privacy Week, it's critical to pay close attention to the increased use of artificial intelligence (AI) in the age of social media. Consumer-accessible AI is increasingly making its way into popular social media sharing applications. For instance, enhancing self portraits with AI to then share with followers on social media is the latest trend in photo editing applications. However, in doing so, consumers are handing over biometrically significant data (a dozen or more photos of your face) to an unknown third party. The service's privacy policy, security protections, AI model particularities, and trustworthiness gain new importance in light of the need to share so much data.
Biometrics have special requirements when it comes to keeping personal data safe and secure. Service providers need to make ethical management of biometric data a guiding principle. Pay special attention to meaningful user consent and to oversight of data management. Performing facial recognition also exposes the service to a wealth of derivable personal data, such as age, gender, ethnicity, and health. Decentralized device-based storage of biometric data is always safest."
++
Mark Ailsworth, VP of Partnerships, Opaque Systems
"This Data Privacy Week it is important to remember that privacy is more than just a set of rules AdTech must abide by. It has become a critical part of AdTech's commitment to consumer safety, and is now woven into corporate mission statements, as it should be. But more must be done to regulate and mitigate data mishandling and malfeasance. Via the GDPR, Europe has maintained a strong approach to such regulatory needs, but the US market has a very long way to go. For example, just look at the massive fines that Meta faces for violating consumer control standards. Their approach to "contractual assumption" with users is not an issue in the US, but it soon will be. The emerging industry privacy laws at a state level will consume US-based privacy experts for the near term, affecting not only companies based in those states, but those advertising to consumers in those states.
Looking into the next year, the biggest advancement the industry will see is the merging of "confidential computing" principles with existing data governance regulation. There will be an array of PETs, or privacy-enhancing technologies, that come onto the scene and get evaluated by the industry. Some will be integrated into operating systems and browsers, but most will be enabled via ad hoc solutions like data clean rooms. For more on that see the IAB's PETs plan (https://iabtechlab.com/pets/).
Given that a (mostly) free and open internet is (mostly) supported by ad revenue, ensuring that earning ad revenue is not overly complicated by privacy standards is vital to practically any company with a website. Organizations like the IAB are working on this, and the downstream effects on consumer data should be that personalization capabilities evolve while those engaged in nefarious practices will dissolve."
++
Theresa Lanowitz, Head of Cybersecurity Evangelism, AT&T Business
"Edge computing is all about data: collecting, using, and enriching. In 2023, we should expect more emphasis and focus placed on this data including its collection, management, use, and governance. This means that from a security perspective, we can expect to see solutions that focus on the data lifecycle to help ensure data governance policies are automated and enforced. As more edge applications are deployed, the sheer amount of data will multiply at a rapid scale. Data, at the heart of the edge app, needs to be protected, intact/trusted, and usable.
All of an organization's edges and edge use cases by design will connect across an increasingly distributed network architecture. Gone are the days in which enterprise network architecture included two distinct places in the network: the campus and the data center. Today's enterprise has an expanded geographic footprint, along with an increasingly global dispersion of applications, workloads, and employees. This reality requires a reexamination of network architectures and how network architectures align with current business dynamics, which includes planning for extraordinary volume, velocity, and variety of data, while determining what a data life cycle means for the organization. By placing IT resources on the edge, closer to where data is generated and consumed, organizations can more effectively drive business, technology, and operational outcomes. In response, it is critical to make sure that this data lifecycle is managed with the proper data governance policies."
++
Jason Keogh, Field CTO, 1E
"Data Privacy Week should be a time for organizations to focus on striking a balance between driving a positive digital employee experience (DEX) and not compromising security. Not only do draconian security controls lead to bad DEX, but they also lead to users trying to find workarounds to security challenges, which can create a myriad of security and privacy implications for personal and organizational data. Users may try to circumvent security controls by creating or storing company data on personal devices or personal clouds, or accessing company apps or data from unprotected personal devices because they think their work device is restrictive. To address these challenges, organizations should implement real-time controls and exception handling in order to implement a successful DEX strategy without impacting data privacy and security."
++
Poojan Kumar, Co-founder and CEO, Clumio
"In the last three months alone, there have been at least a dozen high-profile data breaches and ransomware attacks impacting school districts, higher educational institutions, and education technology companies (e.g., Chegg, McGraw Hill, and Illuminate). For a sector that is supposed to be a custodian of sensitive information for millions of students, including financial, demographic, health, and transcript data, its overall security practices have been woeful. Unfortunately, given the rampant use of unencrypted cloud databases, publicly accessible unstructured data buckets, and unsecure backups, these breaches are hardly shocking. Despite requiring adherence to the Children's Online Privacy Protection Act (COPPA) and the Family Educational Rights and Privacy Act (FERPA), many companies and institutions in the educational sector still continue to be lax about student data protection. Data Privacy Week is a time to refocus our attention on where security is needed most and what essential changes need to be made in 2023 and beyond. Any identifiable information needs to be encrypted, access controlled, and backed up in immutable air-gapped cloud vaults. This ensures that even if a data breach occurs, the information remains secure and cannot be accessed or tampered with, and there's always a safe copy to recover from. Educational institutions and edtech companies must take these basic data security steps to protect the privacy of our students.
Following Data Privacy Week, Clumio will be hosting a virtual event on Protecting Student Data in 2023, where we will deep-dive into data security practices for educational institutions and edtech companies storing student information in the cloud."
++
Chad Peterson, Managing Director, NetSPI
"Several privacy regulations (GDPR, HIPAA, FERPA, CPRA) are in place to protect data from being exposed to unintended recipients; however, the increasingly sophisticated threat landscape means the focus in 2023 and beyond must be on how to ensure that an environment remains in a state of security. The proliferation of social engineering attacks such as vishing and deepfakes makes employees and consumers particularly vulnerable to hackers, making the need for security education more and more important. By conducting regular penetration testing, an organization can check that they have successfully remedied known issues and identify any new concerns due to new equipment, configuration changes, or even missed patches on software or hardware."
++
Julian Zottl, Chief Technology Officer - Cyber Protection Solutions, Raytheon Intelligence & Space
"There have been many breaches of consumer and personal information in recent years from hackers and ransomware cybercriminals attacking government, businesses and organizations looking for whatever data they can find to make money, protest, or prove themselves. What can the average person do?
- Be a knowledgeable consumer. Know that when you opt into things, you are trusting your information to that business or organization. Always ask if you would want that information made public.
- Only provide the minimum information necessary.
- Create long, unique passwords for each account: at least 12 characters, preferably 20. Use passphrases instead of passwords to make them easier to remember.
- Use a password manager to create strong passwords and store them for you. Understand that this can be breached as well.
- Turn on multi-factor authentication. Use an authentication app on your phone rather than text messages, which can be more vulnerable.
- Keep your phone, computer, tablets, browsers, etc. up to date with the latest software updates.
- Be a savvy user and be mindful of phishing attempts in every form of communication you have.
- Be wary of any devices that you bring into your home and what information they might be sharing."
++
Andy Teichholz - Global Industry Strategist, Compliance & Legal, OpenText
"While government authorities and businesses have been challenged during the pandemic with balancing the twin priorities of protecting public health and protecting personal data, consumers have become more aware of the growing risks around their personal data, including where it may end up and who has access to it. With ongoing news coverage of high-profile data breaches and publicity around new government legislation on the horizon, consumers are more aware than ever before of their data privacy rights and organisational obligations to safeguard personal data. Our recent research found that almost three-quarters (72%) of consumers say they have new concerns about how organisations use their data, since the start of the pandemic.
Customer trust is crucial for business success but gaining and maintaining that trust is not always easy. Almost half (46%) say they would no longer use or buy from a company they were previously loyal to if it failed to protect or leaked their personal data. In today’s digital age, consumer priorities are rapidly shifting to take stock of how their personal data is being processed and used. To this end, customers are more empowered than ever to exercise their rights and reclaim control of their information by submitting Subject Rights Requests (SRRs), with our research showing that more than a third (34%) of consumers would completely abandon a brand if the company failed to respond to a SRR.
With the help of available technologies including AI and ML tools, organisations can not only locate all personal and sensitive information, they can appropriately classify, manage, and protect it throughout its lifecycle and apply policy-based retention tools to support data minimisation. They can also automate the SRR fulfilment process to ensure deadlines are met and that processes are repeatable and defensible. It’s also essential to bake cyber resilience into the fibre of an organisation. While it is impossible to totally remove the risk of a breach, cyber resilience encourages a solid recovery plan to be put in place in the event of one. To create a true information advantage, establishing an integrated data management strategy will also help businesses differentiate themselves in the marketplace.
Customer trust is fragile, and Data Privacy Day is an opportunity for organisations to reflect on their practices - to ensure they are doing all that they can to respect privacy rights, safeguard their customers’ personal data and maintain their loyalty."
++
Tim Mullen, CISO, OneTrust
"Data Privacy Week this year coincides with incredible momentum in the industry. In the first few weeks of 2023 alone, two state laws have gone into effect in the US, three more laws will go live throughout the year, and multiple additional states have now proposed their own privacy laws. As companies ramp up their privacy programs, they’re facing a complex landscape where the biggest challenge will be how to keep pace with constant change. This will require a new approach, rooted in regulatory agility and data literacy.
Regulatory agility: Compliance is the foundation for trust. In a landscape where regulatory change is expected, regular horizon-scanning exercises can ensure that the relevant stakeholders within a compliance team have visibility into what lies ahead. Solutions based in automation help organizations streamline key requirements like data rights requests, while real-time intelligence ensures they’re informed of the latest regulatory updates.
Data literacy: The most lucrative commodity in the world has changed over the decades, from gold to oil, and now data. The past five years have seen data volumes more than double, and companies are now dealing with more unstructured data than ever before. The understanding and responsible use of data will be vital from the top down. As organizations start to own their data collection, and begin their data security and governance journeys, all must come to the forefront of data operations. By knowing their data and where it lives, they can enable data quality, usability, and integrity."
++
Julie Smith, Executive Director at the Identity Defined Security Alliance (IDSA)
"The need to secure digital identities is one of the biggest privacy and data issues facing organizations today. Privacy and data concerns regularly butt up against technology and innovation, which are accelerating faster than ever as organizations and consumers increase their digital interactions.
While some data privacy regulations have existed for several years, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), the variation of guidelines and liabilities make the data privacy landscape even more challenging for organizations to navigate. With a mashup of state data breach and consumer privacy laws across the U.S. – and with no national data breach or privacy law on the horizon – it is largely up to organizations to find the essential balance between privacy and security.
As data and privacy regulations roll out in the coming years, it will become imperative to have processes in place that dynamically manage data. Organizations will be forced to shift their data architecture and management to adhere to evolving guidelines and ensure access is only available to authorized users—not to mention the additional challenge of providing a seamless user experience. The balancing of these efforts will require collaboration between lawmakers, organizations, and advocacy groups to be effective.
In this landscape, verified identity plays a prominent role in securing users and regulating content; of the 84% of organizations that experienced an identity-related breach in the last year, 96% reported the breach could have been prevented or minimized simply by implementing identity-focused security outcomes. As the industry gathers to raise awareness and share best practices for Data Privacy Day, managing and securing digital identities must remain at the forefront of the conversation—all year round. And days like Identity Management Day, coming up on April 11, 2023, continue to raise awareness of the costs of poorly managed digital identities."
++
Tilo Weigandt, COO and co-founder of Vaultree
"It is important to note that data privacy is a complex issue and there is no one-size-fits-all solution. For example, a zero-trust framework powered by AI and machine learning is not the only solution to best protect your data. Other approaches include using encryption, implementing strict access controls, and regular monitoring and auditing systems."
"Organizations should consult experts to determine the best approach for their specific needs and requirements, especially with data privacy rules certain to get more strict. State-level momentum for privacy bills is at an all-time high to regulate how consumer data is shared. Recent developments such as the California Privacy Rights Act, the quantum computing security legislation, and Virginia Consumer Data Protection Act clearly show that protecting consumer privacy is a growing priority in the U.S."
"Compliance with relevant data privacy regulations such as GDPR or HIPAA is also crucial. One tactic able to support all of the above and the essential basis of all cybersecurity practices is data-in-use encryption because working with data in a fully encrypted format opens up numerous possibilities for companies. Data Privacy is a complex and ongoing process, but it is worth it. Protecting your data properly will mitigate a data breach's financial, cyber, legal, reputational, and business risk."
++
Brad Jones, CISO and VP of Information Security at Seagate Technology
"Cloud misconfiguration is a key challenge to data privacy in 2023. Organizations need to prioritize compliance across their entire cloud infrastructure. An error in a cloud’s configuration could mean that an employee is just a click away from accidentally exposing an entire database – and opening the organization up to regulatory risk and reputation damage."
"Good data privacy is good for business and not just because it enhances an organization’s reputation. Compliance helps unlock innovation by driving efficiency. The common systems and controls that come with good data security and privacy strategies help enable knowledge sharing across an organization, which gives employees the information they need to be more efficient and make better decisions."
"A comprehensive data classification strategy is essential for maintaining data privacy but implementing one is easier said than done. Many organizations don’t fully understand where all of their data is, let alone how it should be classified. Organizations need to establish simple, clear data classification standards and should foster close collaboration between their security teams and stakeholders across the organization to maintain data privacy and security."
"Cloud platforms offer various native features for data classification that can help maintain privacy. This could be as simple as a tag on a server or storage location mapped to the most sensitive level of data that an application contains, or a more granular object or database level of classification offered by some Platform as a Service providers. Organizations starting a new cloud journey should build data classification into the design and leverage the capabilities of the platform. Organizations that are already in the cloud should understand what features they are not yet leveraging and make a plan to maximize control."
"Organizations must maintain different layers of security in their architecture, and data encryption is a key factor that should not be overlooked along with other access controls. Ensuring that data is encrypted at rest and that the keys are maintained securely (and not with the data itself) can help ensure data confidentiality and integrity when other controls fail."
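The last control Jones describes, data encrypted at rest with the keys held apart from the data, is normally built as envelope encryption. The Go program below is an added example written for this page, not Seagate's or any vendor's code: each record gets its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that only a key-management service holds, and the database stores just the ciphertext and the wrapped DEK. The in-memory `KMS` type, the `Record` layout and the sample row are assumptions for illustration; in production the KEK would sit in an HSM or cloud KMS and never be loaded into the application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS stands in for the key-management service or HSM holding the KEK.
// Assumption: simulated in memory here so the example runs offline.
type KMS struct{ kek []byte }

// Record is what the application database stores: ciphertext and the
// wrapped DEK, never the KEK.
type Record struct {
	ID         string
	Ciphertext []byte // AES-256-GCM, nonce prepended
	WrappedDEK []byte // per-record DEK encrypted under the KEK, nonce prepended
}

func NewKMS() (*KMS, error) {
	kek, err := randomBytes(32)
	return &KMS{kek: kek}, err
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under key. aad (the record ID) is
// bound to the ciphertext so it cannot be moved to another record unnoticed.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open is the inverse of seal; any change to key, ciphertext or aad fails.
func open(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// Encrypt generates a fresh DEK for this record, encrypts the personal data
// with it, has the KMS wrap the DEK, and discards the plaintext DEK.
func Encrypt(kms *KMS, id string, pii []byte) (Record, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, pii, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kms.kek, dek, []byte(id)) // the "KMS wrap" call
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt needs both the stored record and the KMS: a copy of the database
// or its backup on its own yields only ciphertext.
func Decrypt(kms *KMS, r Record) ([]byte, error) {
	dek, err := open(kms.kek, r.WrappedDEK, []byte(r.ID)) // the "KMS unwrap" call
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", r.ID, err)
	}
	return open(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	kms, _ := NewKMS()
	rec, _ := Encrypt(kms, "customer-42", []byte("ssn=123-45-6789")) // constructed sample
	pt, _ := Decrypt(kms, rec)
	fmt.Printf("with KMS access: %s\n", pt)
	// Whoever steals the rows (or a backup) has no KEK to unwrap the DEK with.
	_, err := Decrypt(&KMS{kek: make([]byte, 32)}, rec)
	fmt.Println("without the real KEK:", err)
}
```

Two design points carry the weight here. Because the KEK never touches the database host, exfiltrated rows or backup media are ciphertext until someone also compromises the KMS, which is exactly the "other controls fail" case the quote has in mind. Binding the record ID as GCM associated data means a stolen wrapped DEK or ciphertext cannot be transplanted onto another record, and destroying one record's wrapped DEK renders that record unrecoverable without touching the rest of the table. What the example does not cover, and a real deployment must, is KEK rotation, audit logging of unwrap calls, and keeping the plaintext DEK out of logs and core dumps.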
++
Charles Lalieu, VP of Marketing, Virtuozzo
"The current (many would say unfortunate) geo-political environment is accelerating de-globalization, certainly in the cloud computing markets that we serve.
We're seeing businesses move away from hyperscale clouds and an "eggs in one basket" approach. As they look to source the apps and services they need from local cloud service providers, one benefit is that local providers are more likely to comply with local privacy and data protection laws. However, it also requires businesses to keep track of multiple data privacy and compliance policies.
It's more complicated, but that is just one more consequence of the current market situation."
++
Molly Presley, SVP of Marketing at Hammerspace
"With global rules governing how data should be stored, used, and shared, combined with escalating data losses, explosive personal data growth, and customer expectations, addressing data privacy is now an obligatory business requirement. However, as organizations expand and navigate compliance and legal requirements in the rapidly evolving age of big data, AI/ML, and government regulations, the existing processes surrounding data privacy need to evolve to 1) automate processes and 2) scale to meet increasingly complex new challenges.
Privacy and security concerns increasingly impact multiple vertical markets, including finance, government, healthcare and life sciences, telecommunications, IT, online retail, and others, as they quickly outgrow legacy data storage architectures. As a result, there is increasing pressure to develop and implement a data strategy and architecture for decentralized data that is more cohesive, making access to critical information simplified and secure.
To protect the organizations' and individual users' sensitive data, organizations must take the steps necessary to control how data is shared and eliminate the proliferation of data copies outside the controls of IT security systems. Accelerating IT modernization efforts while managing the ever-increasing volumes of data requires a data solution that simplifies, automates, and secures access to global data. Most importantly, to ensure data privacy and secure data collaboration, a data solution must be able to put data to use across multiple locations and to multiple users while simplifying IT Operations by automating data protection and data management to meet policies set by administrators."
++
Anthony Cusimano, Technical Director, Object First
"The internet may be written in stone, but that doesn’t mean you can’t start taking privacy seriously now. Ensuring you understand how businesses and bad actors can use your data is a crucial first step to making more significant changes that can help protect you, your family, and your company. I often hear people say: “I was part of a breach” or “I have already posted everything online anyway,” and while there might be some validity in this level of resignation, the truth is, just like business data, the more recent the data, the more valuable it is. Think about all the new interests, hobbies, and life events in the last month; some may influence buying decisions, behaviors, and even passwords you create. These data points can be used to socially engineer us to get to more sensitive data or to become victims of targeted ads that can manipulate or falsely inform. When you become aware of the value of your ever-changing data and just how much it can impact your life, you realize it’s never too late to obfuscate.
Fortunately, today, many phones, browsers, and computers all offer options to turn off tracking or implement various types of data masking. Every step you take is one less piece of you exposed to the unknowns of the digital world. Take the time this Data Privacy Day to learn all the latest ways to take back control of your data and ensure that you are one step ahead of whoever is trying to profit off your data. On top of this, ensure businesses you trust your data with have robust privacy and data protection strategies in place. Ransomware attacks continue to rise, targeting primary data and, more often than ever, backups as well. Knowing these organizations have multiple co-located immutable backup copies, detection, and remediation in place is critical to ensure resilience."
++
Kayla Williams, Chief Information Security Officer at Devo
"Amid organizations’ explosion of data, adopting hybrid work models, and navigating a looming recession, reinforcing data privacy efforts and best practices can fall under the radar. However, recent incidents strengthen the need for security professionals to proactively educate and refresh their workforce’s knowledge of data privacy.
For employees, especially non-security teams, to truly understand the need to safeguard data and implement best practices into their daily routines, it's essential to outline how the lines between work and personal cyber hygiene and privacy have blurred. Security professionals should inspire all employees to adopt practices they can easily carry from work to home or vice versa. Often, the KISS model - keep it simple, stupid - is a preferred method as it helps keep information concise while retaining employees' attention and encouraging them to take the necessary actions.
This Data Privacy Day and beyond, organizations should maintain an open dialogue about data privacy – educating employees on best practices, keeping recommendations simple, and ensuring data protection guidelines and procedures are upheld, ultimately keeping everyone safe and secure."
++
Rob Price, Director, Field Security Office at Snow Software
“Safeguarding sensitive company and client information is crucial to every organization’s success. However, data privacy requirements differ around the world and across industries, so when it comes to data protection, organizations need to understand what they are legally obligated to do. For instance, the U.S. government is cracking down on security precautions given that several federal agencies and corporations were compromised by the 2020 SolarWinds cyberattack. In response, the White House is requiring federal agencies to get letters from vendors about all software used by September 2023. In the next few months, business leaders must gain comprehensive insight across their active software inventory and entire technology estate, allowing them to shore up their security vulnerabilities and protect their data privacy in the long term. Yet, this is an impossible job without automation.
In 2023, automation will be the cornerstone to effective data protection, especially as the cybersecurity industry is shrinking. Isolationist government policies, financial impacts of the recession, an increasingly malicious threat landscape and other contributing factors have created a widening technical skills gap and security vulnerabilities, forcing security teams to take on the same volume of work with fewer resources, less historical knowledge, and higher stakes. This means organizations need machines to pick up the manual task slack to support employees - and ultimately, data privacy - through automation. Moving forward, the need for technology intelligence will grow as organizations require platforms and services to ensure the security posture is up-to-par and a holistic view of the technology estate is achieved.”
++
Will Bass, Vice President, Cybersecurity Services at Flexential
“Data is integral to business operations and success – and it should be housed with utmost care and concern. When handled improperly, disasters happen, like the tragic disclosure of highly personal tax records. To mitigate this type of reputation-shattering, budget-crushing event, organizations need preventive processes, procedures, and technologies in place. The initial steps to be taken include: (1) understand the data you have on hand and where it lives, (2) delete data you don’t need, especially sensitive data such as personal information, and (3) safeguard sensitive data via reliable methods like Zero Trust. While boiling down the critical steps to data privacy appears simple, there are many intricacies that require substantial time, resources, and continuous learning, like the rise of data privacy laws.
Many states - like Virginia and California - have distinct privacy rules and regulations when it comes to data collection and processing, and staying abreast of the laws is a nearly impossible task without well-versed expertise and tools. As U.S. state privacy laws and cyber threats continue to evolve in 2023, it’s vital for privacy leaders to be plugged into the changing landscape and pivot their business practices accordingly. Protecting data can be complicated but proactivity and adjustability are paramount to properly securing sensitive information.”
++
Dharma Kuthanur, Vice President Marketing at Informatica
"There will absolutely be heightened awareness around data privacy and appropriate data governance as we move throughout 2023. The continued proliferation of enterprise data in both volume and complexity, along with greater cloud migration and seemingly more brazen attempts from bad actors to access it, means customers will rightfully seek assurances their personal information is collected, accessed, stored, and protected appropriately.
Jurisdictions around the world have taken notice too. From Europe, the Americas, Asia Pacific, and everywhere in between, governments and regulatory bodies have introduced legislation or have laid the foundation for directives – such as data sovereignty laws – that demand greater transparency, accountability, and compliance for how businesses manage sensitive customer information. That’s likely why in a study we recently conducted with Wakefield Research, set to be released at month’s end, 44% of data leaders surveyed from the U.S., Europe, and Asia Pacific said a priority this year is to improve data privacy and security.
With most of today’s enterprises dealing with hundreds if not thousands of data sources (and indications are this is only set to increase), a comprehensive data governance framework and equally stringent data stewardship should no longer be punted 365 days down the road. To help mitigate reputational risk and financial exposure, and maintain customer trust and loyalty, organizations must invest in a data management solution that automates data privacy, protection, and governance consistently and reliably across their data ecosystem."
++
Janer Gorohhov, CPO and co-founder, Veriff
“When customers grant businesses access to their most sensitive information – such as biometrics, the very data that makes up an individual’s identity – they are placing an immense amount of trust in that business to handle it responsibly. Identity is not a password that can be easily changed when it leaks. During Data Privacy Week, it is critical for organizations like Veriff to reflect on their responsibility to earn, and retain, this accountability every day.
This is grounded in making a firm commitment to the principles of data privacy. Businesses must commit to staunchly protect the personal data they are entrusted with, refrain from oversteps in data collection beyond what is necessary for their service, and use this information in a conscientious manner.
As service providers, we also owe it to people entrusting their sensitive data to us to be as transparent and accountable as possible, yet be careful and not hand anything on the plate to the fraudsters who could reverse engineer the solutions. We at Veriff are strong advocates for making sure that people are aware of how and why their data is collected, how it will be handled and for how long, and the rights they are entitled to. Building trust is a critical part of the customer-company relationship, and extends well beyond an initial agreement to terms and conditions.”
++
W. Curtis Preston, Chief Technical Evangelist, Druva
"Privacy is now at the forefront and one of the top concerns for consumers, making it the responsibility of everyone in IT. On Data Privacy Day, organizations have the opportunity to reflect and commit to a holistic approach within their IT teams to ensure data privacy standards are upheld and data resiliency is achieved.
In an IT team, it's the web developer's job to ensure that any personal data received via the web is stored directly in a special database designed for personal information.
It's the database administrator (DBA)’s job to ensure that database is treated differently, judiciously applying the process of least privilege to it, to ensure only a select few are granted access, and everyone else (including bad actors) sees encrypted nonsense.
It's the system administrator's job to apply the same concepts to wherever that database resides. It is the backup person's responsibility to ensure the backups of this database follow best practices, and are encrypted and air gapped.
Finally, it is, of course, the security person's job to check in with everyone else to help them understand their responsibilities and ensure they are meeting them.
When all of these pieces of the team are aligned, organizations can be certain that they’ve done everything possible to keep their data resilient in the face of unexpected threats and adversity."
##