As you may already know, Data Privacy Day, also known in Europe as Data Protection Day, is globally recognized each year on January 28th. Some have now even extended this to a week-long celebration. The event's purpose is to raise awareness and promote privacy and data protection best practices.
VMblog has spoken with industry experts from a number of companies, and they had a lot to say about this very timely and important topic.
--
Anthony Cusimano, technical director at immutable data backup company Object First
"You have probably heard of (or lived in) a time when you didn't have to lock the doors to your home. Over the years, we learned that locks are essential security features for any building and help ensure safety and privacy for those inside. Today, many are realizing that putting ourselves on the internet with no "locks" or consideration for our security and privacy can be risky. There is a newfound interest in what our data is being used for and by whom, and taking back control of what's ours is a breath of fresh air.
This new movement is a monumental step in the right direction for us humans surviving in the digital age. However, many non-technical folks still need to take the time to understand the importance of their data and what first steps they can take to improve their security and privacy posture. To help get started, here are some easy checkboxes to begin on your privacy journey.
- Use Strong Passwords: You can use a password manager to create unique passwords and store them securely.
- Turn on Two-Factor Authentication: This step can help prevent unauthorized access even if your passwords are compromised.
- Limit Personal Information Online: Only provide necessary information and try to avoid oversharing on social media. There are also numerous easy-to-use VPN services that can encrypt your internet traffic and prevent hackers and snooping companies from intercepting your data.
- For extra credit: Look into which web browser focuses on securing and hiding your data vs. using or selling it. Your data is just that: yours!
This Data Privacy Day, I hope you can focus on ensuring it stays that way, and you can take every measure to lock the doors to your data."
++
Kurt Baumgartner, principal security researcher at Kaspersky
"A newer threat to privacy we should be talking about this Data Privacy Day is one posed by modern automotive technology and its ability to generate volumes of personal data that can then be sold to third parties. A recent Mozilla study found that most car manufacturers reserve the right to do this. And the kinds of data they can collect from in-car tech and from our paired phones can be a lot more personal than you might think. It’s not just the music you listen to in the car or the speed you drive – it can even be genetic characteristics or the sexual preferences of the driver and their passengers – anything that may be of value to advertisers or others. As drivers, we need to advocate for privacy safeguards and common sense ownership agreements that allow us to enjoy the convenience of connected cars without compromising our privacy to such a degree."
++
Margaret Hoagland, Vice President, Global Sales & Marketing, SIOS Technology
"For most organizations, ensuring that critical applications and databases are highly available — meaning accessible at least 99.99% of the time — isn’t just a luxury. That kind of availability is crucial to operational success. While many organizations have extensive security protocols in place to prevent bad actors from compromising operations — including offsite backups, requirements for complex passwords, encryption, monitoring, intrusion detection and prevention systems, and more — there are other factors, ranging from natural disasters to human error, that could prove equally disruptive to business and that security protocols are not designed to address. A disaster recovery (DR) plan, though, can complement an organization’s security protocols and ensure that critical systems and databases can be brought back online quickly and with minimal data loss. DR options for ensuring that operations can continue with minimal disruption even if the critical IT infrastructure is compromised are paramount."
++
Nagarajan Chandrasekaran, Vice President of Product Success, Vembu Technologies
"On this Data Privacy Day, let us strengthen our digital defenses in the face of evolving threats. Safeguarding sensitive information requires the implementation of a comprehensive strategy. Robust backup and disaster recovery protocols ensure data resilience and business continuity. Stringent security measures play a pivotal role in countering the looming specter of data theft and ransomware attacks.
In this interconnected era, where the value of data is unparalleled, let us champion a culture of privacy and resilience. Through a collective commitment to cybersecurity best practices, we reinforce the barrier against malicious actors intent on unauthorized access. On this significant occasion, let us reaffirm our dedication to preserving the integrity of digital ecosystems. This commitment empowers organizations and individuals alike, instilling confidence and trust in the sanctity of their data."
++
Darren Guccione, CEO and Co-Founder, Keeper Security
Attacks are changing, protecting yourself isn’t
"This Data Privacy Day, industry experts may warn about the new and novel ways attackers are violating your privacy and breaching your data. From the threats that come with generative AI to the rise of attacks targeting genealogy companies like 23andMe that hold highly sensitive personal information, it’s certainly clear the tools in a cybercriminal’s arsenal are growing more sophisticated. But the fundamental rules of protecting oneself in the digital landscape remain as relevant as ever. Basic cybersecurity measures, such as creating strong and unique passwords, enabling multi-factor authentication and keeping software up to date, are frequently overlooked. A recent study by Keeper found a quarter of IT leaders confessed that they even use their pet’s name as a password!
Take the following steps to proactively protect yourself in the evolving digital world:
- Use strong, unique passwords for every account
- Enable multi-factor authentication
- Regularly update software
- Employ strict privacy settings on apps and browsers
- Avoid oversharing on social media
- Back up your important data
Before finding yourself overwhelmed by all the ways cybercriminals can attack you, sit down and consider these basic cybersecurity measures and whether you are following them. Number one is critical, but difficult to achieve using just your memory, so consider using a password manager to safely and securely store and manage passwords. By taking these proactive steps, you can significantly strengthen your data privacy and reduce the risk of falling victim to both current and evolving cyber threats."
++
Jeff Stewart, Vice President of Global Solutions Engineering, SolarWinds
"We are at a unique inflection point in our industry where the need for ever-expanding data sets is coming head to head with an understanding that companies need to protect the privacy of customers and consumers. Thankfully, these two goals are not mutually exclusive. By leveraging a Secure by Design software build approach and implementing robust data governance policies, companies are able to harness the power of data for informed decision-making while upholding a commitment to safeguarding the sensitive information entrusted to them."
++
Adam Ferrari, SVP, Engineering, Starburst
"There’s no universal solution for navigating this complex web of data privacy regulations. Every company’s risk exposure is a unique product of its consumer relationships, information architecture, geographic reach, and other factors. At the same time, companies must collect data to manage operations and innovate. In the data analytics and compliance world, data sovereignty is a concept that has our attention. We recommend that companies prioritize data localization strategies to align with the regulations of the regions they operate in. By storing data in local servers and adhering to specific regional laws, such as the GDPR in the EU, businesses can ensure better protection for consumer data. This approach not only mitigates the risk of non-compliance but also fosters trust among consumers, encouraging their confidence in data-driven innovations while safeguarding their personal information according to stringent data protection rules."
++
Michael Rinehart, Vice President of AI, Securiti
"Data Privacy Day serves as a crucial reminder highlighting the significance of safeguarding personal information, ensuring individuals retain control over their data collection, processing, and usage.
AI advancements, while revolutionary, introduce an added layer of complexity, emphasizing the urgency of safeguarding data. To navigate this landscape effectively, a holistic approach encompassing privacy, governance, and security becomes essential. Organizations can take concrete steps to fortify their data privacy measures:
- Integrated Policies and Procedures: Collaboratively developing tailored plans for security, privacy, compliance, and governance establishes a resilient foundation, optimizing operations and ensuring adaptability to changing regulations.
- Technology Integration: Investing in technology solutions that seamlessly merge privacy, governance, and security efforts streamlines procedures and bolsters resources, empowering organizations to tackle compliance and risks in their digital environments effectively.
- Utilizing AI Responsibly: Leveraging AI for innovation necessitates prioritizing data protection through guardrails, access controls, and robust AI Governance frameworks, ensuring transparency in how AI processes impact individuals' data privacy.
- Differentially-Private Synthetic Data: Embracing AI's potential to generate synthetic data that mirrors real data while preserving privacy rights offers a dual advantage—compliance assurance and unhindered exploration of innovative ideas."
++
Bjorn Andersson, Senior Director, Global Digital Innovation Marketing and Strategy of Hitachi Vantara
"Right now, technology is moving faster than regulations in many ways and across many regions globally. Governments are actually racing to keep up. For example, the European Union in December 2023 just reached a landmark agreement on its AI Act, but it’s not yet in effect. While the U.S. has laid out a risk framework in its October 2023 executive order on AI, there is no comprehensive law passed by Congress nor stringent regulation of the private sector on AI aside from critical infrastructure governance. As new compliance and regulation standards in the data management industry get codified, companies must ensure employees stay informed, adopt relevant policies, and deploy best-in-class security measures.
Global organizations navigating the nuances of diverse regulations across countries should seek guidance from legal experts. Teams can harness the power of generative AI and other kinds of AI tools to elevate organizational knowledge and awareness on data security and privacy and to implement the guardrails themselves."
++
Theo Zafirakos, CISO, Fortra's Terranova Security
"According to the National Cybersecurity Alliance, securing personal data has become a necessity for companies that recognize it as a valuable asset, often targeted by cyber criminals. Awareness and training are required for employees to be able to recognize their own and the organization’s obligations on protecting personal information and the threats that can affect its security."
++
Donnie MacColl, Senior Director of Technical Support and DPO at Fortra
"Tips for keeping your data secure on Data Protection Day (or during Data Protection Week). Set aside an hour, grab a coffee, sit down, and complete the following:
- Change your passwords on all your banking and shopping apps, work systems, and so on – keep them safe in a password manager app
- Set up multi-factor authentication on everything that lets you
- Sign up to review your credit score (using ClearScore or similar, which is free)
- Review your bank account and end any direct debits, standing orders, or recurring payments that are no longer needed
Remember, the smaller your personal data footprint, the lower the chance of fraud."
++
Chris Hickman, Chief Security Officer at Keyfactor
"Data privacy and security go hand in hand, and both require a foundation of digital trust. Trust is built in part by having the confidence that all things have an identity and that the proper steps are taken to vet, manage and continuously monitor those identities from both people and devices.
The foundation for device identity continues to be PKI. From the corporate network to smart devices in the home, PKI establishes the identity of those devices, authenticates them, keeps rogue software from being installed and makes sure the transmission of data, including personal data, is encrypted.
Increasingly and all too often, weak identity, poor management of keys, and lack of policy adherence lead to breaches that compromise data privacy. Fortunately, both emerging and established data privacy protections take the management of identity to prevent breaches into account and impose greater penalties on companies that violate or mismanage these important assets."
++
Carolyn Duby, Field CTO & Cybersecurity Lead, Cloudera
"In the excitement of new generative AI capabilities, we must not neglect the trust, privacy and safety of our customers. Organizations should review their data strategy and governance programs to make sure they are ready for AI. What data is used to train large language models? How to prevent customer data from leaking to LLMs? How to provide reliable and accurate results from LLMs?"
++
Mandy Andress, CISO, Elastic
"As privacy, and the control of data, continue to become growing areas of focus, protecting personal data while adapting to new technologies and data processing methods should be a top priority. Data protection regulations have existed in places like Europe and the UK for a while now, and they are rapidly expanding globally as well. The same is true in security: there's an increasing importance of privacy and meeting compliance requirements to ensure data remains secure.
Adhering to data protection regulations begins with understanding your data flows and keeping inventories up to date, especially as modern environments grow increasingly complex and decentralized. This also extends to third-party risk management. Organizations must work with their vendors to ensure that they are both approaching data security the same way as partnerships and integrations become more ubiquitous.
Additionally, data sovereignty is an increasingly important aspect of data privacy and introduces new challenges for teams to maintain holistic visibility and analysis while retaining data in its geographic origin. As threats are more global and data is more local, we need to find novel ways to balance these contradictory perspectives. At Elastic, this means providing users with the foundational architecture that enables them to have full jurisdictional control over their data in the country where it lives, while extending analytics across all their data globally."
++
Shailesh Rao, President of Cortex, Palo Alto Networks
"As organizations increasingly rely on vast amounts of data for decision making and operations, safeguarding the privacy of information becomes increasingly critical. This has become more difficult with the growing scale and magnitude of cyberattacks. According to Palo Alto Networks' 2023 Unit 42 Ransomware and Extortion Report, in 53% of Unit 42's ransomware negotiation incidents, ransomware groups have threatened to leak data stolen from victims. Organizations around the world face a massive challenge in dealing with the scale of these attacks. A breach of data security not only jeopardizes sensitive information but also infringes upon the privacy rights of businesses. As an illustration, Palo Alto Networks collects 750M new and unique security events, stopping 1.5 million net new attacks for our customers daily. An organization's security operations play an equally crucial role, as they must protect data from unauthorized access, breaches, and cyber threats. Integration of data privacy and security operations is indispensable for maintaining information confidentiality, integrity, and availability."
++
Omri Weinberg, Co-Founder and CRO at DoControl
"An often-overlooked aspect of data security, especially in SaaS environments, is the insider threat posed by employees. Collaboration through these platforms, while boosting productivity, can inadvertently lead to the exposure of sensitive information. It's crucial for organizations to educate their teams on the risks of data sharing and implement robust controls to mitigate accidental breaches. Ensuring data privacy is a collective effort, where every employee's awareness and vigilance are key."
++
Gopi Ramamoorthy, Senior Director of Security and GRC Engineering at Symmetry Systems
"For individuals, data privacy should start with Zero Trust. It is highly recommended not to share personally identifiable information (PII) with any organization or any website unless required. If you are providing PII to a required site, always use caution to ensure the website that you are on is correct, legitimate and secure. There are many fake sites that collect personal data. Additionally, posting on social media and reacting to social media posts should be done with no sharing of personal information, including sensitive information like home address, travel, family plans and related information.
For organizations, Articles 4, 5 and 6 of the GDPR can be referred to for guidance to make decisions on what personal data to collect and why. These three articles define the means and purpose of data collection and processing principles. Other privacy regulations have similar articles that provide guidance on the basis of PII data collection. Once data collection and purpose are decided, adequate data security needs to be carefully planned. Securing PII starts with Privacy by Design (PbD). The core principle of Privacy by Design is based on least privilege and a need-to-know basis. Organizations should have clearly defined and strict access controls around PII data based on regulations, policies and procedures. Also, organizations should implement adequate logging and monitoring controls. For many tasks such as data discovery, data classification, data access controls, etc., the latest technologies can be used for effective security, automation and scaling."
++
Patrick Harr, CEO of SlashNext
"One of the biggest gaps in security postures today is how personal and corporate data is protected in the age of the hybrid and remote workforce. These blind spots are becoming more readily apparent as organizations and individuals adopt new channels for personal messaging, communications, and collaboration. Targeted phishing attacks in collaboration tools are becoming more common because the likelihood of success is higher than email phishing attacks. Users are not expecting phishing attacks in Teams or SharePoint, and these attacks are often too sophisticated for a user to determine the communication is malicious. It’s also far less common for organizations to have security protections in place around these types of tools compared to email security solutions. And when a phishing attack succeeds, the cybercriminals capture private data, personal information, company data, or they may even install malware directly onto the device to facilitate ongoing attacks.
In 2023 especially, the introduction of Generative AI technologies like ChatGPT has been a game changer for cybercriminals, particularly in relation to cyberattacks launched through common messaging apps including email and SMS text messaging. These new AI tools have helped attackers to deliver fast-moving cyber threats, and have ultimately rendered email security that relies on threat feeds, URL rewriting and block lists ineffective, putting organizations’ private data at high risk. In fact, SlashNext’s latest State of Phishing report revealed a 1,265% increase in phishing emails since the launch of ChatGPT in November 2022.
The best defense for an organization to protect against phishing and ensure the safety of both its corporate data as well as employees’ personal data is to always be one step ahead of the attackers. It’s crucial for cyber security protection to leverage AI to successfully battle cyber threats that use AI technology. You have to fight AI with AI."
++
Krishna Vishnubhotla, VP of Product Strategy – Zimperium
"The biggest risk to our private data lies in the mobile devices we use every day and the applications that are on them. In fact, the Zimperium 2023 Global Mobile Threat Report showed that 80% of phishing sites now either specifically target mobile devices or are built to function on both mobile devices and desktops, and that the average user is 6-10 times more likely to fall for an SMS phishing attack than an email-based one. As we know in today’s workplace, particularly following COVID, many of us are working from home (or working from anywhere). We have clearly seen employees working on personal mobile devices that are accessing all the same data that they were previously accessing via corporate devices. It’s the organization’s duty to protect the data that’s being accessed at all times, while at the same time ensuring privacy for the user on the personal device. Organizations must ensure that the device accessing its data is safe; the network it’s connecting from is safe and trusted; and the applications on the device are not hostile."
++
Dan Benjamin, Sr. Director of Product Management, Prisma Cloud, Palo Alto Networks
"Over the past year, AI has pushed into the mainstream as organizations determine how to leverage the technology to improve operations and the customer experience. Cybersecurity is no exception. However, with the use of AI, enterprises must contend with securing the data used for training and grounding AI, model deployments, and inference data. Many of these attack vectors are completely new, such as data source poisoning and extraction attacks. In fact, data management and data security are the top challenges for respondents to an S&P Global AI Trends survey. As we navigate this “AI era”, enterprises will expend significant effort to understand the implications of new data privacy regulations and enact effective compliance policies. Answering this challenge will require close collaboration between compliance, security, data, and engineering teams."
++
Gal Golan, CTO and Co-Founder of Mine
"Phrases like 'privacy isn't a checkbox, it's a mindset' have become commonplace in the industry. But, as privacy professionals, we need to embed those values into every step of the product development process. That means evangelizing the business community to embrace things like data minimization, transparency, and data encryption and anonymization.
Data privacy is going to undergo a significant transformation as it expands to cover AI governance. 2024 will be the first year of many where engineers and the tech community finally need to pay full attention to privacy issues, and the innovation that comes out of that will be all the better for it."
++
Raju Vegesna, Chief Evangelist at Zoho
"In 2024, I expect businesses will begin implementing GenAI now that the hype has subsided and tangible use cases are coming to the forefront. Therefore, it is even more crucial for companies to remain vigilant about data privacy. Given the numerous breaches that have occurred recently and the inconsistent privacy policies worldwide, companies must be cautious. Governance will not save them, as most of the legislation is behind the technology's rate of evolution. Modern cyber attacks spare none; they are entirely random, targeting businesses of any size through vulnerabilities in their systems. These attacks have become so advanced that password protection is no longer sufficient.
An attack can disable systems, steal or compromise data, and even use a breached computer to target others, meaning that just because a particular company might have unusable data doesn’t mean their partners are safe.
A previous Zoho survey revealed that 62% of businesses in the US and Canada fail to inform customers about the collection of their data by third-party ad trackers. Hence, it is critical for businesses to find a vendor who offers full transparency and focuses on longevity over the hottest new trend. At Zoho, we have a strict customer-privacy-first policy and don't have an ad-revenue model in any aspect of our business. Zoho's Ulaa browser, with a privacy-first approach, aims to offer a safe browsing experience by incorporating ad blockers, end-to-end encryption, and features that safeguard data privacy."
++
Mike Loukides, vice president of emerging technology content, O'Reilly
"How do you protect your data from AI? After all, people type all sorts of things into their ChatGPT prompts. What happens after they hit "send"?
It's very hard to say. While criminals haven't yet taken a significant interest in stealing data through AI, the important word is "yet." Cybercriminals have certainly noticed that AI is becoming more and more entrenched in our corporate landscapes. AI models have huge vulnerabilities, and those vulnerabilities are very difficult (perhaps impossible) to fix. If you upload your business plan or your company financials to ChatGPT to work on a report, is there a chance that they will "escape" to a hostile attacker? Unfortunately, yes. That chance isn't large, but it's not zero.
So here are a few quick guidelines to be safe:
- Read the fine print of your AI provider's policies. OpenAI claims that they will not use enterprise customers' data to train their models. That doesn't protect you from hostile attacks that might leak your data, but it's a big step forward. Other providers will eventually be forced to offer similar protections.
- Don't say anything to an AI that you wouldn't want leaked. In the early days of the Internet, we said "don't say anything online that you wouldn't say in public." That rule still applies on the Web, and it definitely applies to AI.
- Understand that there are alternatives to the big AI-as-a-service providers (OpenAI, Microsoft, Google, and a few others). It's possible to run several open source models entirely on your laptop; no cloud, no Internet required once you've downloaded the software. The performance of these models isn't quite the equal of the latest GPT, but it's impressive. Llamafile is the easiest way to run a model locally. Give it a try.
I'm not suggesting that anyone refrain from using AI. So far, the chances of your private data escaping are small. But it is a risk. Understand the risk, and act accordingly."
++
Bryan Harris, Executive Vice President and Chief Technology Officer, SAS
"We are in an era of having everything we need at our fingertips thanks to great advances in technology. However, this convenience also comes with risks to privacy, especially in a world where humanity collectively creates 2.5 quintillion bytes of data daily. At SAS, we are committed to balancing privacy, security and safety and, most importantly, protecting our customers’ sensitive data.
To maintain this balance, human talent is essential. While generative AI experiences have lowered the barriers to human interaction with data and systems, generative AI is not a “get out of jail free card” for poor data management and data governance. If organizations have neglected the quality of data in the enterprise or have not defined a proper data management strategy – which includes data privacy – the promised value of generative AI will not be realized.
As innovation rapidly accelerates, there are two constants that will always serve as the foundation: good data management and strong data privacy."