Millions of people are unaware of and uninformed about how their personal information is being used, collected or shared in our digital society. Data Privacy Week, an international effort to empower individuals and encourage businesses to respect privacy, safeguard data and enable trust, takes place January 21 - 27.
Data Privacy Week aims to inspire dialogue and empower individuals and companies to take action. You have the power to take charge of your data. That's why this year, the theme for Data Privacy Week 2024 is: TAKE CONTROL OF YOUR DATA!
Ahead of the event, VMblog is kicking things off with various cybersecurity experts from around the industry.
+++
Andrea Malagodi, CIO, Sonar
"Data privacy today is turning into an old challenge with
"new clothes" thanks to the AI-provided solutions now available to
employees (the upload of data to websites). The reality is, mostly due to lack
of education, that "Convenience beats Security" - malicious actors
would typically rely on this to provide conversion websites (JSON to CSV as an
example) and use these sites to collect data for possible attacks. The new AI
sites also ask you to upload or grant access to content, which may even be
worse, but not in that they service malicious intents. Any data that is shared
is unlikely to have any privacy guarantees attached to them and data shared is
likely to be part of new training, as the AI services have an ever-increasing
hunger for data.
Companies should develop a clear policy around Generative AI,
educate employees, and ensure that the data classified at the highest tier
stays safe from any sharing to AI services to help secure the data. Companies
should also contract with providers that can create privacy protections around
shared data. Gen AI is here to stay, so facing it fully and developing your
strategy is key to the successful protection of your assets."
+++
Viktoria Ruubel, Managing Director of Digital Identity, Veriff
"As consumers and employees, we have all seen or experienced
biometric technology in action. Fingerprints or "selfies" have replaced
passwords, granting access to our smartphones and other devices. In business
settings, face scans can enable entry into controlled access areas or even the
office. However, while these tools have made identity verification easier and
reduced some of the friction of identification and authentication, there's growing concern around biometric data and
privacy - biometric data is unique to each individual and permanent,
making it one of the most personal forms of identification available.
As concerns mount and amid an escalation of regulatory action,
users need greater transparency around collecting and using biometric data.
Careful considerations are required to properly reflect the use of biometric
data in public-facing policy and the approach to gathering and employing data
around user consent and data security.
Data Privacy Week is a time to facilitate open dialogue around
these risks and how to address them to strike a better balance between
protecting users' privacy and demystifying their experience with technologies
like biometrics. Organizations must be ready to balance user experience with
effective security controls to ensure the highest levels of data privacy in all
transactions."
+++
Theresa Lanowitz, Head of Evangelism at AT&T Cybersecurity
"Edge computing is the next generation of computing and is all
about data. A characteristic of edge computing says that the applications,
workloads, and hosting are closer to where data is being generated and
consumed. And, edge computing is about a near-real-time and digital-first
experience based upon the collection of, processing of, and use of that data.
This data needs to be free of corruption to assist with decisions
being made or suggested to the user, which means the data needs to be
protected, trusted, and usable. In response, strong data lifecycle governance
and management will be a continued requirement for edge computing use
cases.
Such data security is something a security operations center (SOC)
will begin to manage as part of its management of edge computing, while working
to understand diverse and intentional endpoints, complete mapping of the attack
surface, and ways to manage the fast-paced addition or subtraction of
endpoints."
+++
Patrick Harding, Chief Product Architect, Ping Identity
"Privacy is really about choice, trust, and giving customers
autonomy over how their data is managed. A disheartening 10% of consumers have full
trust in organizations that manage their identity data - and it shouldn't be
that way. It's up to organizations to ensure customers understand how data is
collected and are given a clear opt-in or opt-out option to feel secure and
respected. This transparency and accountability go a long way in instilling
brand loyalty, long-term trust, and a positive customer experience.
Ultimately, customers just want to know their data is being
protected and not exploited. The majority (61%) of global consumers report that
having privacy laws enacted to protect consumer data and knowing that the
website vendor is complying with those regulations makes them feel more secure
when sharing their information online.
Data Privacy Week serves as a great opportunity to underline the
value of decentralized identity management, which improves
data security and privacy, and empowers individuals with control of their data
while reducing resource and compliance burdens for enterprises."
+++
Doug Kersten, CISO, Appfire
"In today's fast-paced, digital world, effectively sharing data
between organizations is critical to business success, but there's a catch: You
need to ensure that data adheres to privacy and compliance regulations. By
complying with regulations such as GDPR and CCPA, organizations assure their
users and other stakeholders that their privacy and data are adequately
protected. This is critical to maintaining a high level of trust and
transparency with customers, partners, and employees. But, remaining compliant
has become increasingly complex for many enterprises especially since data
privacy regulations have introduced more stringent requirements and regulations
are constantly changing. Security reviews and audits are also becoming a
necessity for enterprise SaaS companies to remain industry-compliant as the
threat landscape evolves. AI has also had a significant impact on data privacy
with regulators still working on what that impact means, so companies will need
to make sure they are flexible, fast, and holistic in their response."
+++
Sophie Stalla-Bourdillon, Senior Privacy Counsel & Legal
Engineer, Immuta
"Privacy is now a top concern for individuals, while organizations
still struggle to implement effective data protection safeguards when engaging
in data analytics and AI practices. We've seen US states such as California
passing their own privacy laws and drafting detailed regulations on
cybersecurity audits, risk assessments, and automated decision making privacy
by design in practice a must-do to be able to effectively respond to the
demands of augmented privacy regulatory frameworks. At the global level, it's
becoming obvious that attempting to redirect data movements from one location
to another to try to avoid data protection obligations is not a viable strategy
for a variety of reasons. By reviving core, but often denigrated data
protection principles, such as purpose limitation and data minimization, with
the recent take-off of purpose-based access control, new paradigms such as zero
trust architecture and data mesh will help data teams to enhance transparency
and accountability when building data architectures and organizational
processes and to produce quality insights."
+++
Kevin Breen, Director of Cyber Threat Research at Immersive Labs
"As sensitive data is increasingly pushed to the cloud and
stored in global data centers, data sovereignty and data security remain key
issues facing CISOs and security teams this year. With the top cause for cloud
data breaches being human error, it's more
important than ever to ensure that both security and DevSecOps teams continue
to keep pace with the evolving threat landscape and continuously measure
organizations' cyber capabilities and fill the skills gaps to better address
such threats. This goes beyond knowing the tools and techniques threat actors
are employing; it's equally critical to know how to deploy and secure customer
and personal data. This applies to both the architects behind data security and
employees themselves.
First, as third-party SaaS and PaaS platforms that hold
organizations' data come under pressure to ensure information is properly
stored and controlled, it's vital for architects and security professionals to
work closer together to ensure a secure environment is designed from the
outset. Security is paramount as ransomware continues to be a large data
privacy factor as organizations are plagued with double extortion attempts.
Just this past year, Caesars Entertainment paid $15 million to ransomware gangs
specifically to avoid customer data being published online.
Second, in 2023, Haveibeenpwned identified
around 40 websites that suffered significant data breaches resulting in tens of
millions of data records and PII being made available to threat actors around
the globe. This should sound alarms for organizations to not only keep their
own data secure, but also be aware of how staff and users are impacted by data
breaches on other sites. Poor password hygiene is a common contributing factor
in cyber incidents where credential stuffing and phishing attacks can expose
corporate data as well as personal users."
+++
Erik Gaston, CIO, Tanium
In an age when individuals produce almost 2MB of data every
second, it is critical for companies to have proven, proactive and preventative
security strategies in place to protect employee and customer data. It is also
important to understand what data is coming in and out of the network and where
it is being stored at all times.
Data breaches (both accidental and intentional), data mining,
surveillance, and the potential misuse of personal data by corporations or
governments all have the potential to expose personal information to
unauthorized parties. To mitigate the risk, a few recommendations to achieve a
proactive, preventative strategy - over one that solely relies on reactive data
protection - include:
- Actively managing passwords, authentication, social media and installed software / settings on personal devices
- Choosing strong and unique passwords for all online accounts and updating them often
- Having multi-factor authentication as an extra layer of security
- Avoiding sharing ANY personal information online, especially on social media sites
- Keeping software up to date
- Understanding privacy settings on various devices and platforms and exercising your rights to control the collection and use of your data
+++
Pukar Hamal, CEO and founder, SecurityPal
"The landscape of data privacy is evolving rapidly, especially as
AI technologies have magnified the value of data. Instances like the New York
Times vs. OpenAI case underscore this transformation, illustrating how even
news articles can be pivotal for training sophisticated AI models. Today,
enterprises must prioritize not only protecting their data from malicious
threats but also maintaining its integrity to preserve enterprise value. This
requires a nuanced approach to data management, focusing on robust safeguards
and a comprehensive understanding of data's evolving role.
Enterprises will develop more sophisticated methods to deploy AI,
focusing on maintaining maximum control over their data and the technologies
used. The growing abundance of AI solutions and the rapid democratization of
this technology are shifting the market in favor of enterprises, offering them
a range of choices to meet their specific privacy and operational needs. When
selecting the solution and provider, enterprises should critically assess the
provider's commitment to data security and their capability to sustain this
commitment.
Data privacy is not a "set and forget" initiative. A proactive
approach and constant re-evaluation of data protection strategies are necessary
to keep organizations' and individuals' data private and secure - not just
during Data Privacy Week, but year-round."
+++
Candice Frost, DOD Integrated Account Executive at Raytheon, an RTX business
"The challenges of protecting data from the digital footprints left on the floor of
the internet landscape are concerning. The significant changes worldwide in
data protection laws are creating an evolution, inviting challenges and
opportunities to businesses operating in the digital realm.
When businesses prioritize the adaptation of privacy standards, this raises
transparency and favorability by increasing requests for consent online. By
collecting only essential data and designing with privacy in mind at every
stage of development, users will be able to control more of their own data.
Implications of customer-centric privacy policies are a significant
differentiator in a crowded marketplace. Embracing the challenges of compliance
provides a competitive advantage to those businesses demonstrating privacy as a
bedrock of their business strategy.
While complete data protection may not be possible, there are steps businesses can
take to proactively plan and create an established defense. First, evaluate
what is exposed and where the location of risks to information is. The
knowledge of what is at stake and where risks exist helps to mitigate
vulnerabilities. Second, guard data through services that offer traffic
monitoring, protection specific to the application or work at hand, and the
ability to reach back to a response team fortifies data. Third, create a
response strategy. Thinking through the identification, mitigation, and
recovery coordinates in advance is the best path to recover from possible data
loss. Fourth, share the game plan with trusted partners to assist in garnering
the confidence of others in the handling of data. Lastly, learn from any data
loss event to increase privacy in the future."
+++
Geoffrey Mattson, CEO at Xage Security
Data Privacy Week serves as a reminder of the symbiotic relationship between data
security and the safeguarding of critical infrastructure. The threat landscape
continues to evolve, leaving critical infrastructure increasingly reliant on
interconnected systems, all of which can be breached. When it comes to critical
infrastructure, the implications of a data breach stretch far past the digital
realm, instead impacting real-world, everyday operations such as water systems,
emergency services, government facilities, transportation systems, and more.
Consider the thousands of electricity, oil and natural gas facilities that
provide energy to people every day, suddenly shut down. These aren't abstract
scenarios - they directly impact the average citizen's quality of life.
Protecting critical infrastructure is a responsibility with the potential to
preserve and save lives daily.
+++
Bhagwat Swaroop, President, Digital Security Solutions at Entrust
"Data Privacy Week is a great reminder for organizations that privacy is personal.
The so-called conflict between "seamless user experience" and security is over
-- the only answer is that security has to be welcomed as part of the
experience. Breaches affect our livelihoods, reputations, and families, so a
little friction is a feature, not a bug.
Challenges are rising. Even the most
highly-trained security professionals may miss increasingly realistic
AI-generated phishing scams. Phishing resistant MFA technology is critical
because it requires more authentication than just a click or a compromised
password to put you at risk. And phishing resistant MFA is a good foundation
for implementing Zero Trust principles. Win-win solutions are here today so
that organizations can offer the kind of user experiences people really want -
fast, easy, and secure."
+++
Eric Schwake, Director of CyberSecurity Strategy, Salt Security
"Data Privacy Week allows organizations of all sizes to reflect on their critical data and assess ways to ensure its safety and security. Customers and internal stakeholders trust organizations with their data, but the digital transformation has exposed it to more significant threats. As APIs are now touching this data more than ever, it's essential to understand how they utilize it and promptly identify any potential risks. When considering data privacy, it's crucial to consider the people, processes, and policies involved.
- Understand your APIs: Have processes in place to understand APIs used in your environment, including what data they access. Knowing this will allow you to apply policy governance rules to APIs across your organization.
- Embrace Access Control: Implement strong authentication and authorization protocols to ensure only authorized applications and users can access data. Use multi-factor authentication, API keys, and granular access controls.
- Encryption is Everything: Encrypt data at rest and in transit, rendering it useless to any unauthorized eyes that might intercept it.
- Vulnerability Vigilance: Regularly scan your APIs for vulnerabilities and patch them promptly. Proactive monitoring is vital to staying ahead of evolving threats.
- Transparency Matters: Open communication is vital. Clearly document your API usage policies and data privacy practices. Let users know what data you collect, why, and how they can control its use.
These steps allow organizations to build a robust data privacy ecosystem where APIs become guardians, not vulnerabilities. Commit to securing these digital gateways and ensuring data travels safely in the online world this Data Privacy Week."
+++
Philip George, Executive Technical Strategist, Merlin Cyber
"Year after year, Data Privacy Week invokes calls for better data protection practices, regulations and standards, and encourages individuals to be more conscious of how they share and protect their own personal data online. These are all important parts of the data privacy conversation, but this year a much stronger emphasis needs to be placed on post-quantum cryptography (PQC) and what organizations must be doing now in order to ensure data remains protected in the post-quantum future. Today’s data encryption standards will be ineffective against advanced decryption techniques fueled by cryptographically relevant quantum computers. Although commercial quantum computers exist today, they have yet to achieve the projected computational scale necessary for cryptographic relevancy. However, this reality may change quickly, considering the continued investment by nation states and private sector alike. Coupled with the growing application of ML/AI in the areas of research and development, the potential for more breakthrough developments in quantum computing remains high, which means the chances for any of the aforementioned entities reaching quantum cryptographic relevancy are improving day by day.
NIST is expected to publish its first set of PQC standards this year, which will serve as an important step toward providing organizations with quantum resistant cryptography solutions. Security leaders and data-owners should follow NIST’s guidance and begin their internal preparations today. Primarily, this should entail establishing an integrated quantum planning and implementation team and mapping out cryptographic dependencies by conducting a full system cryptographic inventory. After conducting this inventory, security teams can then implement a risk-driven modernization plan that starts with business-critical and protected data (by law) systems.
These activities must happen in 2024, because threat actors are in fact already targeting encrypted data, by taking a “steal and store now to decrypt later” approach. Quantum computing-based attacks will become a reality in the near future, and we cannot wait until cryptographic relevancy is achieved to begin what may become the largest cryptographic migration in modern history/the history of computing."
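One way to turn the cryptographic inventory described above into the risk-driven migration order the passage calls for, as an added example (not Merlin Cyber's or NIST's code). The inventory records are constructed, the CRQC arrival year is a planning assumption rather than a forecast, and "steal and store now to decrypt later" exposure is judged with Mosca's inequality (shelf life + migration time > years until a cryptographically relevant quantum computer).

```python
"""Turn a cryptographic inventory into a risk-driven PQC migration order.

Added example, not the article's or NIST's code. Inventory records below are
constructed. "Quantum-vulnerable" means a public-key primitive broken by Shor's
algorithm; "harvest now, decrypt later" (HNDL) exposure uses Mosca's inequality:
shelf_life + migration_time > years until a cryptographically relevant quantum
computer (CRQC). The CRQC year is a planning assumption, not a forecast.
"""
from dataclasses import dataclass

ASSUMED_CRQC_YEAR = 2030   # planning assumption for Mosca's inequality
CURRENT_YEAR = 2024

SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
GROVER_WEAKENED = {"AES", "CHACHA20"}          # symmetric: only key size matters
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}          # NIST FIPS 203/204/205 names


@dataclass
class CryptoAsset:
    system: str
    purpose: str            # e.g. "TLS key exchange", "code signing"
    algorithm: str
    key_bits: int
    shelf_life_years: int   # how long the protected data must stay secret
    migration_years: int    # estimated time to migrate this system
    regulated: bool         # protected by law (health, financial records, ...)
    business_critical: bool


def classify(asset):
    """Return pqc | ok | weakened | quantum-vulnerable | unknown."""
    alg = asset.algorithm.upper()
    if alg in PQC:
        return "pqc"
    if alg in SHOR_BROKEN:
        return "quantum-vulnerable"
    if alg in GROVER_WEAKENED:
        # Grover roughly halves symmetric security: 128-bit keys become ~64-bit work.
        return "ok" if asset.key_bits >= 256 else "weakened"
    return "unknown"


def hndl_exposed(asset, now=CURRENT_YEAR, crqc_year=ASSUMED_CRQC_YEAR):
    """Mosca's inequality: ciphertext captured today is already at risk if the
    data must stay secret longer than (years until CRQC) minus migration time."""
    if classify(asset) != "quantum-vulnerable":
        return False
    return asset.shelf_life_years + asset.migration_years > crqc_year - now


def priority(asset):
    """1 = migrate first. Regulated or business-critical data that is already
    harvestable outranks everything else, matching the risk-driven order above."""
    status = classify(asset)
    if status in ("pqc", "ok"):
        return 4
    if status == "quantum-vulnerable" and hndl_exposed(asset):
        return 1 if (asset.regulated or asset.business_critical) else 2
    return 3   # weakened symmetric, not-yet-exposed public key, or unknown


def migration_plan(assets):
    """Return (priority, system, purpose, status) tuples, most urgent first."""
    rows = [(priority(a), a.system, a.purpose, classify(a)) for a in assets]
    return sorted(rows, key=lambda r: (r[0], r[1]))


# Constructed inventory entries (not real systems).
INVENTORY = [
    CryptoAsset("patient-records-db", "TLS key exchange", "ECDH", 256, 25, 3, True, True),
    CryptoAsset("build-pipeline", "code signing", "RSA", 3072, 1, 2, False, True),  # shelf life = signature validity window
    CryptoAsset("backup-vault", "data at rest", "AES", 128, 10, 1, False, False),
    CryptoAsset("vpn-gateway", "IKEv2 key exchange", "X25519", 256, 5, 2, False, False),
    CryptoAsset("archive-store", "data at rest", "AES", 256, 30, 1, True, False),
    CryptoAsset("pilot-tls", "hybrid TLS key exchange", "ML-KEM", 768, 10, 0, False, False),
]

if __name__ == "__main__":
    for row in migration_plan(INVENTORY):
        print("P%d %-20s %-25s %s" % row)
```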
+++
Dave Parks, Vice President, Marketing at Contract Logix
"Research shows that 91% of people consent to legal terms and services conditions without ever reading them, and even as a B2B company whose job is to help customers minimize risk and complexity in contracts, some of us (or most of us) are guilty of doing this too. This Data Privacy Week, we hope that both individuals and businesses take a moment to fully understand and track the terms and conditions that they agree to in legal documents. While you can't entirely protect yourself, use best practices like reviewing and updating privacy settings across any social media and financial accounts and any devices. Also look at life insurance and beneficiaries, and put new limits on the amount of data external companies collect about you, including using privacy-protecting browser extensions, updating your browser’s privacy settings, and using more private browsers. Words like “subject to the following terms” or “arbitration” or “indemnify” can be confusing, so understand what they mean in the context of what you are signing."
+++
Gal Ringel, CEO and Co-Founder of Mine
"With a new wave of AI set to revolutionize how we live and work, data privacy has never been more important than it is today. Ensuring companies use data to train and develop AI systems safely and transparently is reliant on all of us emphasizing how much we collectively value individual data rights and could very well be the defining question of whether society builds a healthy, trusting relationship with AI innovation.
Over the past few years, the enthusiasm so many companies have had for data privacy software has grown immeasurably. There is still work to be done in spreading that enthusiasm to every company that handles personally identifiable information (PII), but it’s heartening to see data rights receiving the love and attention they deserve as the role data plays in business continues to soar."
+++
Michael Wood, CMO, Aliro Quantum
"Many of Data Privacy Week's tips focus on how individuals can better protect how data is collected online, but it’s also a good time to remind organizations, governments, network operators and other institutions that quantum computing’s ability to begin cracking existing math-based encryption algorithms (those that we currently rely on to protect our data, infrastructure, and networks today) is much closer than we think. "Q-day," the day when quantum computers will be able to defeat the Internet’s current security mechanisms, will be possible no later than 2030. Defensive military, intellectual property, financial, medical, and even infrastructural information are all at risk. "Harvest Now, Decrypt Later" attacks, incidents where an adversary steals encrypted data that they can't currently decrypt, also pose a more immediate and understandable threat.
Because upgrading all of these systems is incredibly complex, organizations need to be taking steps to get ready for this looming threat to existing networks and communications encryption, exploring options like entanglement-based quantum networking for unhackable communications. At the individual level, we should continue doing everything we can to take control of our data online and practice good security hygiene."
+++
Will LaSala, Field CTO at OneSpan
"In today's online world, more data is being shared by users than ever before and has expanded to include intricate connections between individuals, organizations, and the vast web of the internet. Many users are not aware of how this data will be used.
Technological advancements, such as AI, have led to freely available data that not only trains software but also becomes vulnerable to attackers exploiting application and security service vulnerabilities. Generative AI further complicates data security by generating content that closely mimics the original, often relying on common solutions based on private data. While AI can also serve as a tool to catch fraudulent data and secure it before it gets attacked, there needs to be more comprehensive measures to protect data from being readily available for AI to use.
There is a shift towards individual management of data privacy, which has introduced a new era of distributed identity. Digital wallets, for example, allow users to control data access and duration in user-friendly ways. Organizations benefit from this by gaining insights into data ownership changes and building trust to offer enhanced services based on reliable data.
This Data Privacy Week, responsible data handling is crucial. Navigating this expansive sea of data poses a constant challenge that has prompted regulations to encourage banks and other organizations to take data privacy seriously. Everyone has a responsibility to practice safe data handling."
+++
Shivajee Samdarshi, Chief Product Officer at Venafi
"Artificial intelligence is democratizing coding to a whole new level. Everyone can be a developer now, but this opens up a massive opportunity for malicious actors to take advantage of unauthorized code and use it as an attack vector within unaware organizations. This is fundamentally altering how we protect privacy and ensure the systems our lives depend upon are secure. The attack surface is expanding day by day, but organizations are often not adapting in real time.
This Data Privacy Week, it’s critical for organizations to bear in mind the detrimental impacts of unauthorized code. To combat this risk and reduce the attack surface, know what code your organization is using and deploying. Secure the code signing process and use trusted code signing certificates. The best offense is a good defense, especially when it comes to your code."
+++
Tim Wade, Deputy CTO, Vectra AI
"Customers and consumers alike are sharing more data than ever with organizations. This comes at a time when enterprises are shifting more applications, workloads, and data to hybrid and multi-cloud environments, and threat detection and response has become increasingly siloed and complex. Together, this underscores the crucial responsibility organizations have in safeguarding sensitive information and serves as a poignant reminder of the challenges involved in maintaining data privacy.
We’ve seen steady improvement on the part of the end user towards keeping their personal information secure and private. They deploy multi-factor authentication solutions, only use secure networks or VPNs, and are much more selective about which information they share with organizations, but exposure incidents still happen. As we strive to make the world a safer and fairer place, companies have a responsibility to their customers, partners, and end users to implement the right practices that will ensure their privacy and data are protected. In the upcoming year, businesses will face heightened expectations to demonstrate their commitment to implementing comprehensive measures aimed at safeguarding data."