As you may already know, Data Privacy Day, also known in Europe as Data
Protection Day, is globally recognized each year on January 28th. Some have now
even extended this to a weeklong celebration. The
event's purpose is to raise awareness and promote privacy and data protection
best practices.
VMblog has spoken with experts from a number of companies, and they had a lot to say about this very timely and important topic.
--
Aron Brand, CTO of CTERA
"2022 has brought about a quantum leap in the capabilities of generative AI algorithms, with the ability to create media such as images, videos, and text that are easily passable for real. This technology has the potential to revolutionize industries and change the way we consume media.
However, it also brings about powerful concerns surrounding the ability of these models to generate fake voice, images, and footage. As we move forward, it's important to consider the privacy implications of this technology and work towards solutions to prevent its abuse. This may include government regulations, industry standards, and the development of technology to detect and remove fake content. It's also important to educate the public about the potential privacy dangers of deepfakes and other forms of generated content."
++
Carl D'Halluin, CTO, Datadobi
"A staggering amount of unstructured data has been and continues to be created. In
response, a variety of innovative new tools and techniques have been developed
so that IT professionals can better get their arms around it. Savvy IT
professionals know that effective and efficient management of unstructured data
is critical in order to maximize revenue potential, control costs, and minimize
risk across today's heterogeneous, hybrid-cloud environments. However, savvy IT
professionals also know this can be easier said than done, without the right
unstructured data management solution(s) in place. And, on Data Privacy Day we
are reminded that data privacy is among the many business-critical objectives
being faced by those trying to rein-in their unstructured data.
The ideal unstructured data management platform is one that enables companies to
assess, organize, and act on their data, regardless of the platform or cloud
environment in which it is being stored. From the second it is installed, users
should be able to garner insights into their unstructured data. From there,
users should be able to quickly and easily organize the data in a way that
makes sense and to enable them to achieve their highest priorities, whether it
is controlling costs, CO2, or risk - or ensuring end-to-end data privacy."
++
Don Boxley, CEO and Co-Founder, DH2i
"The perpetual concern around data privacy and protection has led to an abundance of
new and increasingly stringent regulations around the world. According to the
United Nations Conference on Trade and Development (UNCTAD), 71% of countries now have
data protection and privacy legislation, with another 9% having draft
legislation.
This increased scrutiny makes perfect sense. Data is being created and flowing not
just from our business endeavors, but countless personal interactions we make
every day - whether we are hosting an online conference, making an online
purchase, or using a third party for ride-hailing, food delivery, or package
transport.
Today, as organizations endeavor to protect data - their own as well as their
customers' - many still face the hurdle of trying to do so with outdated
technology that was simply not designed for the way we work and live today.
Most notably, many organizations are relying on virtual private networks (VPNs)
for network access and security. Unfortunately, both external and internal bad
actors are now exploiting VPN's inherent vulnerabilities. However, there is
light at the end of the tunnel. Forward looking IT organizations have
discovered the answer to the VPN dilemma. It is an innovative and highly
reliable approach to networking connectivity - the Software Defined Perimeter
(SDP). This approach enables organizations to build a secure software-defined
perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly
connect all applications, servers, IoT devices, and users behind any symmetric
network address translation (NAT) to any full cone NAT: without having to
reconfigure networks or set up complicated and problematic VPNs. With SDP,
organizations can ensure safe, fast and easy network and data access; while
ensuring they adhere to internal governance and external regulations compliance
mandates."
++
Steve Santamaria, CEO, Folio Photonics
"It is no secret that data is at the center of everything you do. Whether you are a
business, a nonprofit, an educational institution, a government agency, or the
military, it is vital to your everyday operations. It is therefore critical
that the appropriate person(s) in your organization have access to the data
they need anytime, anywhere, and under any conditions. However, it is of
equal importance that you keep it from falling into the wrong hands.
Therefore, when managing current and archival data, a top concern must be data security
and durability, not just today but for decades upon decades into the future.
The ideal data storage solution must offer encryption and WORM (write-once,
read-many) capabilities. It must require little power and minimal climate
control. It should be impervious to EMPs, salt water, high temps, and
altitudes. And, all archive solutions must have 100+ years of media life and be
infinitely backward compatible, while still delivering a competitive TCO. But
most importantly, the data storage must have the ability to be air-gapped as
this is truly the only way to prevent unauthorized digital access."
++
Surya Varanasi, CTO, Nexsan
"Digital technology has revolutionized virtually every aspect of our lives. Work,
education, shopping, entertainment, and travel are just a handful of the areas
that have been transformed. Consequently, today, our data is like gravity -
it's everywhere.
On Data Privacy Day, we are reminded of this fact, and the need to ensure our
data's safety and security. Fortunately, there are laws and regulations that
help to take some of the burden off of our shoulders; such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and
Health Insurance Portability and Accountability Act (HIPAA).
However, some of the responsibility remains on our shoulders as well as those of the
data management professionals we rely upon. Today, it would be extremely
challenging to find an organization (or an individual for that matter) that
isn't backing up their data. Unfortunately however, today that just isn't
enough. Cyber criminals have become increasingly aggressive and sophisticated,
along with their ransomware and other malware. And now, the threat isn't just
that they will hold your data until payment, cyber criminals are now
threatening to make personal and confidential data public, if not paid. It is
therefore critical that cyber hygiene must include protecting backed up data by
making it immutable and by eliminating any way that data can be deleted or
corrupted.
This can be accomplished with an advanced Unbreakable Backup solution, which creates
an immutable, object-locked format, and then takes it a step further by storing
the admin keys in another location entirely for added protection. With an
Unbreakable Backup solution that encompasses these capabilities, users can ease
their worry about the protection and privacy of their data, and instead focus
their expertise on activities that more directly impact the organization's
bottom-line objectives."
++
Andrew Russell, Chief Revenue Officer, Nyriad
"Data Privacy Day serves as a great reminder of the value and power of data. In
addition to your people, data is without question the most strategic asset of
virtually any organization. Data and the ability to fully leverage, manage,
store, share, and protect it, enables organizations to be successful across
virtually every facet - from competitive advantage, to innovation, the employee
experience, and customer satisfaction, to legal and regulations compliance
competency.
Consequently, savvy data management professionals recognize that while a storage solution
that is able to deliver unprecedented performance, resiliency, and efficiency
with a low total cost of ownership is priority number one to fully optimize
data and intelligence for business success; they likewise need to ensure they
have the ability to protect against, detect, and restore data and operations in
the event of a successful cyber-attack in order to protect their data, for
business survival."
++
Brian Dunagan, Vice President of Engineering, Retrospect
"Every organization, regardless of size, faces the real possibility that they could be
the next victim of a cyberattack. That is because today's ransomware, which is
easier than ever for even the novice cybercriminal to obtain via ransomware as
a service (RaaS), strikes repeatedly and randomly without even knowing whose
system it is attacking. Ransomware now simply searches for that one crack, that
one vulnerability, that will allow it entry to your network. Once inside it can
lock-down, delete, and/or abscond with your data and demand payment should you
wish to keep your data private and/or have it returned.
As an IT professional, it is therefore critical that beyond protection, steps be
taken to detect ransomware as early as possible to stop the threat and ensure
their ability to remediate and recover. A backup solution that includes anomaly
detection to identify changes in an environment that warrants the attention of
IT is a must. In order to ensure its benefit, users must be able to tailor the
backup solution's anomaly detection to their business's specific systems and
workflows; with capabilities such as customizable filtering and thresholds for
each of their backup policies. And, those anomalies must be immediately
reported to management, as well as aggregated for future ML/analyzing
purposes."
++
Tomer Shiran, CPO and co-founder, Dremio
"Data privacy is a fundamental human right and is becoming increasingly important in the digital age as more personal information is collected, stored, and shared online. Organizations have a responsibility to protect the data privacy of individuals and ensure that personal information is handled in a responsible and ethical manner. Data privacy laws, like GDPR in the European Union and California’s CCPA, have been put in place to give individuals more control and to hold organizations accountable for data breaches and mishandling of personal information, but data privacy is a constantly evolving field. A data lakehouse should be designed with privacy in mind, processing organizational data on the customer's premises and never storing it anywhere in the lakehouse’s infrastructure. This reduces data proliferation dramatically and helps organizations use their existing controls to safeguard their own data and their customers' data."
++
Sreedharan K S, Director of Compliance, ManageEngine (Zoho Corporation)
"The privacy environment has undergone significant upheaval worldwide, the watershed moment being the adoption of GDPR by the European Union. Data is a valued resource for making crucial business decisions. However, regulators and data subjects are both demanding robust data privacy frameworks to prevent the misuse of personal information. The momentum in this rapidly evolving privacy landscape will continue to gain pace in 2023.
Data privacy laws give customers more control over their data, requiring organisations to get customer consent before using their personal information and provide transparency on how data will be processed, and it's vital for organisations to comply with these legal requirements. With data privacy regulations gaining prominence following the implementation of the GDPR, privacy laws have been implemented in many regions. This has led to greater awareness among individuals about their data privacy rights, and organisations are facing more legal scrutiny when processing personal data.
This is why businesses need to ensure they are in compliance with their respective data privacy laws and are protecting the rights of data subjects. However, the data protection laws which are territorial in nature face unique challenges when data moves across boundaries. This has resulted in governments coming up with enhancements related to transfer of data to the existing data protection laws. Data protection laws will continue to be adopted by more countries and will evolve to better protect individuals' rights. Privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) regulate data storage, sharing, and disclosure practices for consumer data in today’s digital economy, and are disrupting business models and the way data transfer works."
++
Hayley-Jayne Cone, VP Customer, Snowplow
"In 2022, discussion of data protection laws has increased on a global
scale, such as with the General Data Protection Regulation (GDPR).
Specifically, many countries are seeking clarity on how and when data
may be used so that technology companies can remain compliant. This issue has resurfaced in 2022 after Google Analytics
was found to be not in compliance with GDPR in several countries, such
as Austria, France, Italy and Denmark. Many organizations find
themselves looking for alternative analytics options for their tracking.
We’re also seeing more focus on data privacy in the U.S. at the
state level in California, New York, Virginia, and Colorado. Many more
states are considering drafting privacy laws. It's a real struggle for
businesses to navigate these new legislations, especially when new laws
are being enacted at the state level rather than the national level
every year. In 2023, we will see more organizations reckoning with how
to effectively comply with the new data privacy regulations while
continuing to provide the best possible customer experience."
Chris Lubasch, Chief Data Officer (CDO) & RVP DACH, Snowplow
"One of the hot topics in Europe and beyond will continue to be data privacy
and compliance. Whether it’s because customers are increasingly aware
of how brands use their data, or regulatory bodies are significantly
increasing scrutiny and de-facto banning Google Analytics
in some countries, it’s never been more important for organizations to
consider how data compliance and ongoing data management form a critical
part of their business and data strategy.
Privacy regulations
are here to stay, no matter how they look in detail. Instead of
continuing to exploit datasets to the maximum, often without proper
knowledge, consent or understanding of their customers, organizations
need to embrace this unique opportunity before their competition. It’s a
chance and necessity to enter into a new relationship with users and
customers, one that is guided by getting something back in return for
sharing private data. It will continue to play an essential role in
learning what works and what doesn’t, or data-empowering decisions made
across the board. But the days to exhaust all data points possible are
finally over. Less is more, deliberately creating and using what you
need will become the new status quo down the road."
++
Meggie Giancola, Senior Vice President of Sales Solutions & Strategy, Vericast
"Data privacy is evolving as a balancing act between personalization and
privacy, and companies will need to stay on top of the rapid pace of regulatory
and subsequent ecosystem changes in this area. In terms of the bridge between
adtech and martech, while consumers want to have their brand engagement
personalized to them, they also want personal privacy and security of their
information. To keep up with the paradox of personalization without sacrificing
privacy, advertisers need to focus on creating direct engagement with
consumers and gain their consent in order to safely capture their information
and deliver customized messaging in accordance with legislative and regulatory
changes. It is increasingly becoming an opt-in world vs. an opt-out world."
Lance Hayden, Vice President, Chief Information Security Strategist, Vericast
"Cybersecurity and privacy are rapidly converging as organizational challenges are to be met.
Where they were separate disciplines, often managed by different teams with
unique tools, today's data-centric society is demanding more coordinated
solutions. Growing awareness among businesses, governments, and the public
about the risks to our technologies and information has resulted in new
expectations and requirements for data protection. This includes new laws and
regulations that focus on privacy principles and information security best
practices.
As even more of our daily lives are conducted online through networked
technologies, and our individual personal data becomes an important commodity
of immense value to organizations of all kinds, we must ensure that data is
used appropriately and securely. And emerging technologies like big data,
artificial intelligence, and blockchains/cryptocurrencies bring with them
completely new opportunities and challenges regarding managing and controlling
information. Fortunately, partnerships between privacy and security teams are
increasingly apparent across organizations of all kinds. These experts will
need to continue to work together, adopting holistic approaches to their
respective disciplines and creating converged strategies to address mutual
threats and risks across this new landscape."
++
Mark Guntrip, senior director of cybersecurity strategy at Menlo Security
"Data privacy has never been more difficult than it is in today's threat landscape.
We live in a world where it's no longer enough for companies to implement
security measures in hopes of keeping their employee or users' data
safeguarded. Instead, increasingly sophisticated and personalized threats have
resulted in a need for better education around data privacy and the role
consumers and end users can play in keeping their personal data
protected.
The added complexity around ensuring data privacy and security is that applications
now reside anywhere around the world, in data centers, private clouds and
public clouds. The days where data security could be put in place to prevent
sensitive data from leaving the walls of the company are gone. Today, policy
and security needs to be able to not only detect private or personal data, but
also understand where that data is being moved to, and if that application and
infrastructure is secure for the level of private data.
Menlo Security ran a survey that found 77% of consumers are confident in their ability to identify and report
malicious cyber activity but at the same time consumers fail to utilize even
the most basic best practices when it comes to data protection. Our findings
revealed only 20% use a password manager and only 28% don't repeat passwords,
placing their data at risk.
Despite the confidence people have in their abilities to protect their data, there's a
misalignment between this and the actions being taken. We're seeing a knowledge
gap between the reality of data privacy and how people hold themselves
accountable in securing personal data, causing a need for more conversations
around data privacy and how individuals should take a more proactive role in
data privacy."
++
Fiona Campbell-Webster, Chief Privacy Officer at MediaMath
"The latest in data privacy is usually reactive in
response to legislation, so this Data Privacy Day it's important to prepare for
potential new policy. As more states introduce privacy laws, organizations must
be aware of, and able to manage, the varying provisions which can make
cross-state compliance complicated.
Regarding global privacy controls, it is important for
marketers to continue to monitor developments on opt-out preference signals,
which are addressed in greater detail in the CPPA's draft
regulations. The first step in data privacy is to ensure your
technology team fully recognizes the new opt-out requirements. The
"frictionless" opt-out approach (recognizing opt-out signal preferences) may
have challenges, and companies should take time to understand how the business
can practically implement this approach or the alternative approach of
including links to allow consumers to opt-out.
With the focus on privacy policies, privacy notices and
cookie policies, it is incredibly important that
companies start reviewing and updating disclosure documents on their sites and
digital properties, as the new US State privacy laws and rules will require
many changes, such as what are the categories of data disclosed to third parties."
++
Lesley O'Neill, Chief Compliance Officer, Prove
"In a world where identity theft is no longer an
"if," but a "when," privacy professionals are faced with
the challenge of protecting consumers while simultaneously supporting
organizations that conduct fraud analytics on behalf of clients. Additionally,
data protection laws have largely not addressed the friction between these two
interests. As a privacy professional, explaining this conflict of interest to
product and data analytics teams, such as setting short data retention policies
to comply with GDPR or preventing the further processing of personal
information due to lack of consumer consent, is a challenge, to say the
least.
While data protection laws continue to evolve alongside
technology and real-world threats, the key to addressing this challenge is
education. In the cases where I know a policy will not be popular, I make it a
goal to not just simply set policies and demand compliance, but to explain why
it exists. I also work to partner with other parts of my organization and help
them to achieve their goals (i.e., developing the best fraud products in the
market) while I simultaneously work to achieve mine (i.e., protect consumer
privacy and comply with data protection laws)."
++
Song Pang, SVP of Engineering at NetBrain
"Organizations looking to better protect customer data should consider how well they can validate their security policies, controls and configurations. Even the best security hardware and software develop vulnerabilities over time, usually as the unintended consequence of other IT activities. And with the larger attack surfaces created through cloud-based services, the need to continuously verify that security profiles are intact is essential.
Security teams should look for ways of greatly expanding their capacity to more frequently verify their security footprint without the use of human-centric and manual periodic reviews. Without a new proactive approach, most organizations will continue to comprehensively test their security attributes only AFTER a breach happens and data and reputation are lost. To really protect user data, organizations need not only a set of strong security controls in place, but they need a scalable means to verify that those controls are doing the job they were designed to do."
++
Corey Nachreiner, Chief Security Officer, WatchGuard Technologies
"Data Privacy Day provides a yearly reminder that data privacy and data security are inextricably linked. Even as laws around the world increasingly recognize the rights of individuals to control how information about them is collected, used and stored, they are also putting greater responsibility on companies for being good stewards of that data and holding them accountable when they aren’t. But protecting data from malicious actors is everyone’s responsibility. Organizations need the strongest possible cybersecurity defenses. At the same time, individuals need to understand the threats and how to avoid falling victim to them while also taking personal responsibility for, and understanding the impact of, willingly sharing data with services like social networks. If a service seems "free," you should realize you and your data are the product, so act accordingly. Data will not stay private if we don’t all do our part."
++
Almog Apirion, CEO and Co-Founder of Cyolo
"Data Privacy Day aims to increase awareness over the need to protect employee and customer data while adhering to regulatory laws such as GDPR or CCPA. Even if newer regulations are highlighting today's major need for data protection, this is not something new - in fact, the first legally binding international privacy and data protection treaty, Convention 108, was signed well before today’s regulations in 1981. Because of our greater reliance on digital technology to govern most of both individual and organization facets, it is important to reconsider what, when and where as well as with whom it is shared with others. Data Privacy Day is a component of the worldwide "STOP. THINK. CONNECT." campaign for online privacy, security and safety.
Strong data privacy is more critical than ever — particularly in response to the recent growth of cyberattacks and the expansion of data perimeters due to hybrid work. One way of mitigating today's vulnerabilities is to provide rigorous identity-based access control. To safeguard themselves, enterprises' collaboration and communications tools require a robust zero-trust framework to protect all forms of user data. Identity-based access control enables businesses to strengthen their security posture while also gaining visibility and control over their most critical systems. The reality is that hackers today don’t break in, they log in. Enterprises can get complete control and visibility of their entire IT infrastructure while mitigating against advanced threats by implementing a modern zero-trust solution and adopting stringent authentication requirements. As more risks emerge, organizations will be more prepared than ever to counter threats and safeguard data and business-critical infrastructure."
++
Grayson Milbourne, Security Intelligence Director at OpenText Cybersecurity
"Data privacy week is intended to serve as a reminder for organizations to safeguard data and maintain compliance. It is also an ideal time to check response plans in the event the bad guys get in.
Despite a business’s best efforts, it’s impossible to guarantee a breach won’t happen. Having a documented plan to detect, contain and respond to attacks can greatly minimize the time it takes to recover critical data and maintain operations. Identifying a business’s most valuable data assets and ensuring these assets are secured is an essential starting point. Access control is the biggest business vulnerability for most companies; therefore, following a zero-trust mentality and limiting access to only those employees that need it greatly minimizes damage in the event an employee is breached. Recovery plans should be specific and rehearsed periodically as during a ransomware attack, time is money. Attackers will increase the ransom amount the longer it takes to pay.
Because even carefully built backup-and-recovery plans can be compromised in an attack, additional safeguards are important. Keep multiple copies of backups in different domains (e.g., local and cloud). Likewise, consider backup solutions that do not allow an attacker to rewrite, encrypt, or modify previous backups. Lastly, keep a history of restored points and backups that cannot be compromised, this will allow access and restore from a good copy of an earlier snapshot.
Most importantly, implement ongoing security awareness training. Education goes a long way in preventing an employee from making a costly mistake."
++
Amitabh Sinha, Co-Founder and CEO of Workspot
"Today’s attack surface has expanded exponentially. With cybercrime positioned as the fastest-growing crime in the U.S., attacks are increasing in number, scope, and sophistication. Data Privacy Day serves as a reminder that security posture is paramount for every organization, and a zero-trust security model is a critical line of defense. In this context, a multi-layer approach is needed. Cloud PCs bring an extra level of security to help ensure no one is trusted without verification, either inside or outside the organization.
Many Cloud PC solutions have integrated control and data planes, which can expose customer data. A true zero-trust architecture can be a gamechanger for company security, as it requires separation between control and data planes, which isolates and secures company data from the control elements of the Cloud PC platform. After all, zero trust means trusting no one with your corporate data, not even your Cloud PC vendor!
As we look beyond Data Privacy Day, enterprises need to implement future-proof end user computing solutions that also fortify security policy. Cloud-native Cloud PCs are the modern way to achieve the agility and security enterprises need today. When evaluating Cloud PC solutions, IT leaders should consider the following:
- Where will my data live? Who will be able to see it? How is it protected?
- How will my cloud desktop architecture impact information security?
- Where will my Active Directory run?
- What systems will be shared between users?
- What are the regulatory and compliance implications of the solution?
- How quickly can I add Cloud PCs?
- How can I deliver the best performance to my end users?"
++
Cindi Howson, Chief Data Strategy Officer at ThoughtSpot
"In a digital economy, we are creating, capturing, and sharing more personal data than ever before. Companies rely on customer data more than ever to create actionable insights to personalize services, operate more efficiently and drive business growth. We’re living in the “decade of data” – and with this comes, of course, the decade of data privacy.
Privacy now extends far beyond protecting ourselves physically and encompasses everything we do or interact with digitally: our online footprint, often referred to as our digital twin. We’ve seen a raft of high-profile data breaches in the spotlight this past year which has fueled public concern around data privacy. As companies become more data dependent, customers become even more reluctant to share data while citizens remain woefully ignorant about data collected on them. It is this tension and misalignment that needs to be properly addressed in order to unlock data’s full potential.
Those working with customer data within any business need to be vigilant about how personal data is collected, stored, and used, as well as the implications of failing to handle this data correctly. Behind this data are real people, many of whom will not hesitate to take their business elsewhere should their data be lost or exposed. Ensuring data privacy is not just a technology issue, it’s also about company culture, process, and controls. And with analysts now able to extract increasing amounts of data from even more internal and external sources, ensuring data privacy must be part of an organization’s DNA. Dumping data from analytics tools to spreadsheets remains a weak link.
Nowadays, laws and regulations such as GDPR and CCPA place stricter requirements on organizations, while giving individuals more access and rights around their data. Data Privacy Day, and the extended Data Privacy Week, is our opportunity, as businesses and data leaders, to bring awareness to those persistent knowledge gaps, take a closer look at best practices around data, and open up the conversation around data privacy and protection."
++
"When reviewing data privacy and cybersecurity, it’s important to consider integrations and create an enterprise integration strategy including data privacy and security procedures and technologies, which are critical requirements for governance, compliance and customer trust. An integration platform solution such as an enterprise integration platform as a service (eiPaaS) includes a dashboard enabling transparent and comprehensive monitoring and reporting of the data privacy and security of every integration, rather than laborious and time-consuming review of log files. You also can encrypt all data passing through the integrations and the platform so that data cannot be breached to expose personally identifiable information."
++
George Waller, co-founder and EVP of Zerify
"The most valuable commodity today is data. With data, you have identities, corporate information and proprietary health care details, and 2023 will only lead to an explosion of more data as more companies rely on video conferencing. Video conferencing now plays a critical role in how businesses interact with their employees, customers, clients, vendors, attorneys and many others. Organizations use video conferencing to discuss M&A, legal, military, healthcare, intellectual property and other topics, and even corporate strategies. Almost all of that data falls under one of the compliance regulators because it’s considered sensitive, confidential or even classified. A loss of data like that could be catastrophic for a company, its employees, its clients and its customers. According to the latest IBM breach report, the average size of a data breach in the U.S. is now $9.44 million, and 60% of small businesses go out of business within six months of a data breach."
++
Dan LeBlanc, CEO of Daasity
"Consumer brands collect mountains of consumer data. Not only are data leaks and data theft major issues, but hackers gaining access to operational or business intelligence tools is a risk as well.
When a consumer brand takes orders directly from customers, data is collected at multiple stages—during ordering, fulfillment, and servicing of accounts. This data can live across several platforms, and it’s typically ingested and stored in a central database for analytics. Each of these platforms poses a risk that someone can steal login information or a password and export customer data. This isn’t some sophisticated hack but a simple, “I got your password and was able to log in.”
To prevent this, companies must ensure that all their systems have some two-factor or multi-factor authentication (TFA/MFA) turned on, that access controls are in place to restrict unauthorized individuals from certain internal tools and data, and that sensitive data is masked via anonymization or tokenization. With several layers of defense in place, make it harder for a hacker to export all your customer information into an Excel spreadsheet."
++
Yossi Appleboum, CEO, Sepio
"Corporations will need to be aware of the risk level that assets pose and handle them by ascribing an "asset risk factor score" to each device on the network. Hardware assets – i.e., wireless combo keyboards and mice, which are known to be vulnerable — can easily be used to sniff out and capture sensitive data. There are multiple data leakage options using hardware assets that bypass existing security solutions (i.e., capturing a user screen by running an HID scripting tool and exfiltrating the information through public comments to video platforms)."
++
Wendy Mei, Head of Product and Strategy, Playsee
"Developing an engineering team to enhance social-media AI technology and scan for spammer activity or illegal content is an important data-privacy undertaking. But you can’t leave it all to the algorithms. Building and improving a real, human team to constantly monitor and review content will assist users in reporting what makes them uncomfortable – to an actual person who has feelings, too."
"Having to answer, ‘What is your birthday?’ may seem intrusive but is vital for platforms to provide a safer environment and experience for younger users. And that’s just the first step. Going further, deep and deliberate development of AI and a dedicated content review system will ensure that all posts follow strict guidelines. Content moderation, especially on social media, will continue to innovate its tech stack to better protect children."
++
Jeff Sizemore, chief governance officer at Egnyte
"Data Privacy Day reminds us that personal privacy is being viewed more and more as a global human right—by 2024, it’s predicted that 75% of the world’s population will be protected under modern data privacy regulations. We will continue to see data privacy gain significant traction across industries and business disciplines, such as with personal financial data rights. Company trust will increasingly have a larger impact on customers’ buying decisions as well.
In the U.S., five states (California, Virginia, Colorado, Connecticut and Utah) have already enacted or plan to enact data privacy legislation this year. And the movement toward a federal law is only a matter of time, as we have seen positive momentum with the American Data Privacy and Protection Act (ADPPA).
Without a doubt, as government entities and regulatory bodies show increased interest in data privacy, we can anticipate stronger enforcement mechanisms. Enforcement of regulations will become more strict, with fines and litigation for noncompliance expected to increase.
There’s no time like the present to prepare for these business-impacting regulations, especially with more on the horizon. Organizations can take proactive steps like keeping data privacy policies up-to-date and gaining visibility into structured and unstructured data. Ultimately, companies that respect data privacy and understand the short- and long-term benefits of compliance will be well-positioned for the future."
++
Alec Nuñez, Director of Business Compliance at Poll Everywhere
"Data Privacy Day (January 28) commemorates the 1981 signing of Convention 108, the first international, legally binding treaty focused on privacy and data protection. This day is celebrated all over the world—and for very important reasons. The speed at which technology has, and will continue to, advance has inherently increased the importance of focusing on data privacy for any organization; protecting both company and customer data has always been a top priority, and while many companies continue to deploy new solutions to safeguard data, malicious actors still find new ways to access and steal sensitive data. Protecting this data is more important now than ever.
The number one issue when it comes to data privacy is the lack of education and guidance for an organization’s team. Human error has been and will continue to be the number one cause of data security issues; there is no competition. Companies can significantly minimize the impact of it by crafting best practices and creating training programs for the handling of data with the intent that it become second nature for all. The principle of least privilege is a substantial foundation all companies can establish when it comes to mitigating data security risks. This concept states that a user or entity should only have access to the data, resources, and applications required to execute a task. In other words, only provide individuals access to what they actually need. This is a basic idea to implement, but it will have a huge impact, permeating your organization's system."
++
"The intersection of security and privacy has been evident for years – and in the end, you can’t have one without the other. As we continue to interact, process and consume data at an exponential rate, there needs to be a clear understanding of where data is located, managed and accessed to avoid getting into the wrong hands. With privacy and cybersecurity functions becoming increasingly synergistic, privacy and cybersecurity professionals must work collaboratively to ensure strong and effective data stewardship. Not only will it improve security and privacy postures, but the collaboration will help alleviate resource challenges."
Jon France, CISO of (ISC)2
"Anything that highlights the importance of privacy in the public's mind is a good thing, of course, but it should be a year-round concern. As society doubles down on protecting privacy in 2023, I'm sure we'll see more high-profile cases of breaches and increased focus by regulators with accompanying fines that will likely be larger than last year. All data should be secured even though not all data is private – security is a fundamental foundation of privacy, and we can all do more to secure and protect citizens' data."
++
Chris Vaughan, VP, Technical Account Management at Tanium
"Data Privacy Day is an opportunity to consider the impact that data breaches are having and how measures can be put in place by organizations to make data more secure. All too often we hear concerning details of customer data being accessed by attackers and the type of credentials that were stolen. These breaches can have profound implications for victims because of the personal nature of the data stored, not to mention the numerous regulatory issues that this causes for organizations.
There are examples of recent data breaches that have had severe impacts, with some threatening the possible disclosure of sensitive information such as health records. It is vital that organizations have full visibility over the data they hold as well as an understanding of where it is located to reduce the possibility of costly breaches occurring - or, if they do occur, to minimize potential damage.
It is also essential that IT teams have a clear strategy that they adhere to on the location of data and how it is secured, whether they are using a cloud or on-premise environment, so that any weak points and vulnerable devices can be identified and fixed before an incident takes place. Detecting unusual activity and unauthorized access to a company’s systems is only possible with a high level of visibility and control.
In a world where people are very often working from home using their personal devices, every organization now needs a comprehensive zero trust model that assumes all new devices and users are considered suspicious until proven otherwise. However, this alone is not enough. Organizations often think that creating a zero-trust framework is a ‘one-and-done’ process. In reality, it is an interactive journey that must be reassessed at every step of the way. Cloud solutions often have a tool set that can continuously check the state of endpoints and attest to them much more readily, as long as they are switched on.
Through a zero-trust approach and the use of effective tools to gain visibility of IT environments, organizations will give themselves the best chance of avoiding costly breaches in 2023."
++
Jonathan Knudsen, Head of Global Research, Synopsys Cybersecurity Research Center (CyRC)
"Privacy can only happen when the confidentiality and integrity of data are protected. In software, the only way to effectively protect data is by making security part of every phase of development, from design through implementation, testing, and deployment—thus, building trust directly into the software they build, rely on, and offer to customers.
For consumers, making informed decisions about privacy can be daunting. It’s nearly impossible to know if the creator of a particular piece of software was careful about privacy when they were designing and building the software. Furthermore, a software vendor’s desire to monetize user data might mean that user expectations around privacy will far exceed what’s laid out in the terms and conditions.
One of the best ways consumers can protect themselves is by adjusting their expectations. For many applications, especially social media and other “free” services, users should not assume any level of privacy. When services are free, consumers are the product, and any data they enter into such a service is likely to be used and monetized as much as the terms and conditions allow.
When circumstances call for a higher assurance of privacy, consumers will need to conduct their own research to assess the risks of different vendors."
++
Jamie Boote, Associate Principal Security Consultant, Synopsys Software Integrity Group
"We should all take this Data Privacy Day to reflect on what data we are disclosing and to whom. In this age where hacks and data leaks make headlines every week, it’s important to be aware of what data we trust with third parties. The best way to not suffer data loss when third parties get breached is to not share it in the first place. If you do have to share your data, ensure that the company or website you are sharing it with absolutely has to have it to provide services to you. It’s also important to limit what applications you install on your phone as the latest face morphing app or free game will make more money selling your data than it does selling services to you. As always, enable 2FA wherever possible, don’t reuse passwords, and be mindful of what can happen on the internet."
++
Nick Hogg, Director of Technical Training, Fortra
"With the rise of remote working, sharing sensitive files is now taken for granted. Therefore, awareness days and weeks, like Data Privacy Week, are a great way to remind organizations and their stakeholders of the importance of storing and handling data properly.
It’s essential for organizations to re-evaluate their security awareness and compliance training programs to move away from the traditional once-a-year, ‘box-ticking’ exercises that have proven to be less effective. The goal is to deliver ongoing training that keeps data security and compliance concerns front and center in employees’ minds, allowing them to better identify phishing and ransomware risks, as well as reducing user error when handling sensitive data.
They will also need to use digital transformation and ongoing cloud migration initiatives to re-evaluate their existing data loss prevention and compliance policies. The goal is to ensure stronger protection of their sensitive data and meet compliance requirements, while replacing complex infrastructure and policies to reduce the management overhead and interruptions to legitimate business processes."
++
Michael Orozco, Managing Director, Cybersecurity Advisory Services Leader, MorganFranklin Consulting
General threats to data privacy
"The abundance of personal data that is available on social media and collected by commonly used applications provides a very attractive cache for cyber criminals to pursue. More and more data is being collected by social media platforms as well as corporate service applications that, when breached, can compromise personal data privacy leading to the sale of this data with broad-reaching implications."
How businesses can protect data
"To bolster data privacy protections, businesses must first start by adhering to the established data privacy regulations such as GDPR and CPRA (California Privacy Rights Act)."
"Businesses need to implement processes and controls that meet the increasing demands from consumers for transparency about how their data is being used. This must also be collaborative with their customers; notices, cookies, consent management, and subject rights requests should be made available to consumers via self-service portals."
++
Patrick Harr, CEO at SlashNext
"The biggest gaps in security postures come from the personal data of employees in the newly hybrid workforce. These blind spots are becoming more readily apparent as organizations adopt new channels for personal messaging, communications, and collaboration. Attackers are targeting employees through less protected personal communication channels, like WhatsApp, Signal, Gmail, Facebook Messenger to perpetrate an attack.
In a phishing attack, the bad guys use emails, social media posts, or direct messages to trick people into clicking on a bad link or downloading a malicious attachment. When a phishing attack succeeds, the cybercriminals capture private data and personal information, or they may even install malware directly onto the device to facilitate ongoing attacks.
New technologies, such as ChatGPT and other generative AI technologies, enable threat actors to supercharge their attacks. They can modify the attacks in millions of different ways in minutes and with automation, delivering these attacks quickly to improve compromise success.
The best defense to protect against phishing is to be one step ahead of the attackers. New AI-based platforms use generative AI technology to auto-generate new variants of threats to predict millions of variations of new attacks that might enter the organization."
++
Paul Trulove, CEO of SecureAuth
"Credential attacks are still a leading cyberattack method across all industries, even after years of warnings and shifting defenses. To prevent identity threat and refresh organizational data privacy hygiene this Data Privacy Day and beyond, there are five actionable steps organizations can take:
- Strengthen your organization’s identity controls. Recent attacks on GitHub, where identities were compromised and hackers accessed source code, are one example of the ways threat actors are relentless in their pursuit of identity attacks.
- Ensure your organization’s identity security provider delivers strong identity and access protections. This can be achieved through the use of strong multi-factor authentication (MFA) options, such as FIDO key support, as well as analysis of behavior and technical controls that can be used for further checks to ensure it is not an attacker attempting to use credentials.
- Reduce potential entry points. Surface attacks involve multiple entry points. The less replicated data across the solutions stack, the less likelihood of an attack.
- Leverage existing authentication infrastructure. To maximize security, an organization utilizing next-generation authentication must leverage existing authentication infrastructure (such as Active Directory) that is located within its own environment and thus does not require users to synchronize access to data, apps and systems. This includes not storing any personally identifiable information (PII) that is not necessary for the secure authentication flow.
- Go Passwordless. Passwords can be stolen, replicated and hacked. Cybercriminals harvest credentials or use credentials from previous compromises from different vendors and companies to get into systems and escalate privileges. Instead, go passwordless and replace passwords in the authentication process with an AI/ML driven identity management solution. Using continuous authentication prevents vulnerabilities of passwords and other binary authentications from being exploited, ensuring the protection of credentials and the organization."
++
Terry Storrar, Managing Director, Leaseweb UK
"As more and more businesses turn to the cloud, the priority for 2023 should be ensuring that the data held within - and transferred between - these platforms is secure. However, with the IDC cloud security survey recently revealing that 98% of all companies experienced a cloud data breach within the past 18 months, there is clearly much more work to be done to protect data stored in the cloud.
Although these stats may appear bleak, there are many things businesses can do to help prevent attacks and recover impacted data if a breach does occur. For example, by choosing a trusted hosting provider, customers can gain access to 24/7 security-related support services, standard security training for all employees, and robust disaster recovery solutions.
Data Privacy Day is a great opportunity to take stock of how secure your data really is. And, for those who have entrusted their data to a cloud hosting provider, the day should serve as a reminder to choose carefully and ensure your provider is willing to go the extra mile to secure your data."
++
Rehan Jalil, President & CEO at Securiti
"As cyberattacks continue to evolve – in number, scope and sophistication – Data Privacy Day serves as a reminder to organizations to shore up their security strategies and ensure appropriate privacy controls are in place. To ensure the valuable data that organizations store in their internal ecosystems is properly protected, they must implement a thorough and effective approach to privacy. This starts with an accurate understanding of what personal data is stored across the various data systems within an organization. Next is understanding the privacy laws that apply to their employees and customers in any given region. It is further critical that organizations implement formal policies and procedures to properly govern this sensitive data and honor privacy rights of individuals.
As we reflect on this year’s Data Privacy Day motto - ‘STOP. THINK. CONNECT.’ – organizations must pay special attention to their current cybersecurity controls and ensure their security teams have the tools they need to be successful. Robust platforms that offer sensitive data intelligence, data security posture management, data access governance, data breach management, data subject rights and a full suite of PrivacyOps capabilities are any organization’s best bet for a holistic and unified approach to comply with regulatory requirements."
++
Chris Lehman, CEO, SafeGuard Cyber
"SafeGuard Cyber believes the steps that users should take to reclaim their privacy and their data on this Data Privacy Day are:
- Double down on transparency: Enterprise teams need to prioritize clarity in articulating their plans for monitoring business communications on apps like WhatsApp and Telegram. Where possible, employees should be involved as stakeholders in the planning process. Some companies and employees may agree on managed corporate devices, while smaller, more nimble teams may decide personal devices are fine.
- Establish clear guardrails: From the planning and buy-in stages, companies need to set clear policies on what can and should be communicated on mobile messaging channels. This should also include clear guidance on what will be monitored and how. Will the information be archived? If so, for how long?
- Give employees the choice to opt IN. Transparency is the foundation of trust. After articulating the plan, after negotiating the terms, finally employees must be given a choice."
##