Cybersecurity Experts Weigh In On Jan. 28 Data Privacy Day

This coming Tuesday, January 28, marks International Data Privacy Day. Powered by the National Cyber Security Alliance, Data Privacy Day “encourages consumers to own their privacy and businesses to improve their data privacy practices.”

27 Expert Comments
Colin Bastable, CEO
January 24, 2020 11:32 am

While organized crime rings and governments (there is some overlap there!) get the most blame for data privacy breaches, the greatest loss of data privacy is self-inflicted. The best way for people to protect their data privacy is to go cold turkey and make January 28 a Zero Social Networking Day. No Facebook. No Tweeting. No LinkedIn. No Instagram. Nothing. For one day, forget being Carbon Neutral and go Zero Social.

Felix Rosbach, Product Manager
January 24, 2020 11:33 am

Who needs an international data privacy day? In this perfect world we live in, businesses, governments, and other organizations are all honest and get cybersecurity right, have all the knowledge and resources on their side and take proper care of everyone’s data. NOT. Sarcasm aside, if we take a look at the facts, businesses actually do quite a bit in terms of cybersecurity. Statistics show that the average spend on cybersecurity is about 5.6% of overall budget. With regulations like GDPR, privacy and data protection became important topics at board level. Companies are well aware of the fact that they need to protect privacy and sensitive data of individuals.

Unfortunately, many organizations live from selling user data by offering “free services” in exchange for users’ personal information. Some of them are in a monopoly position that they can leverage to get users to agree, albeit reluctantly, that more and more of their data be collected, shared, and sold. While many people are either apathetic or blissfully unaware of what can happen to their data, the fact is that it’s their privacy, credit score, and even physical safety at stake. Keeping that in mind, the most important thing is to spread cybersecurity awareness. This is equally true for employees of a company as it is for us as private individuals. So, who needs a data privacy day? We all do. We need to be reminded of the risks facing our data and we have to understand our rights, and the best way to ensure data privacy is to educate people.

Ido Safruti, Co-founder and CTO
January 24, 2020 11:41 am

This year, International Data Privacy Day follows one of the biggest data privacy events since EU’s General Data Protection Regulation (GDPR) – on January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect. CCPA is the strongest consumer privacy legislation mandated at the state level, and it gives significantly more power to consumers to demand accountability and transparency for how their private data is handled. The CCPA also puts in place costly penalties against organizations that collect data and fail to protect it. CCPA is, in effect, a national and global law. It covers any security and data problems that happen in the state of California and impact companies conducting business in California. So, for example, a German company that does business in California could find itself liable for costly fines if its website is breached and California customers are affected.

The good news? If your organization already complies with GDPR, you are 95% of the way toward reaching CCPA compliance. A less-known but critically important piece of the CCPA is that liability for breaches extends to third-party services that web application publishers and operators use. This includes information security companies, payment processors, chatbot operators and any other provider of third-party services. Your organization may be responsible not only for security problems and breaches affecting your own code, but also for code that is not even operating on your site. This is true as long as that third-party code is included in your user experience or exposed to your users in the web application. Nearly all web applications (including web, mobile web and hybrid mobile applications) use third-party JavaScript libraries and services to add functionality and improve performance.

Now is a good time, to protect yourself from liability, to ask all third-party service providers for detailed answers to the following questions.

1. Do you capture any of our user data?
2. How, where and when? Please explain the mechanism.
3. If you do capture our user data, what is your own CCPA policy and database access structure?
4. Can you provide an easy mechanism for us to access any user data you collect and provide it to our end users as part of a comprehensive CCPA report?
5. What are you doing to monitor data privacy laws that other states are likely to enact?

In addition, demand certification information and make it a condition of ongoing business. For SaaS companies, SOC 2 Compliance and/or ISO 27001 is the gold standard. Next, ask them to run a simulated CCPA request process with you. This will help you assess their readiness. And, make sure your security stance for all your public-facing applications is audited and up to date with proper configurations. This will mean not only internal firewalls on databases and malware protection on every user’s device, but also technology specific to guarding web applications. Web application firewalls are table stakes. Make sure they are tuned appropriately.

CCPA adherence enforces good basic security hygiene and best practices — and that will result in better protection for your users, your infrastructure and your bottom line.

Jonathan Deveaux, Head of Enterprise Data Protection
January 24, 2020 11:44 am

Here are some actions you can take, starting today, which can help reduce the possibility of digital security incidents from affecting your life, as these are things within our control.

Use a password manager application and vault. Let 2020 be the decade you finally stop using yellow sticky notes to store passwords and user IDs.

Always use a VPN. You probably use one for your work activity, so why not use one for your personal activity? Using a VPN is especially important when you connect to the Starbucks wi-fi, or airport wi-fi, etc. Don’t be the subject of wi-fi attacks – use a VPN to keep your data private.

Use encryption for mail, calendars, messaging. The range of protection for email messages and calendars can vary. Gmail, for example, encrypts messages from your PC to the Google mail servers. Proton Mail, on the other hand, is an end-to-end encrypted mail service that claims to be so secure, one of their data centers is located in an ex-military bunker under 1000 meters of granite rock. WhatsApp and Viber both claim to deploy end-to-end encryption for personal messaging. Find a service that provides you with the security peace of mind you need.

Other general security hygiene actions to consider include only accessing with “HTTPS://” URLs; using a spam filter for email messages; and limiting the amount and type of personal information you give out – use aliases if you have to. The next time you go to Starbucks, and they ask for your name, tell them “Patrick Mahomes” (unless you are Patrick Mahomes)!

Anis Uzzaman, CEO
January 24, 2020 11:45 am

Data is a new currency that individuals and organizations are mining and monetizing around the world. Some of the biggest technology companies in the world such as Facebook, Google, and Amazon use data they collect on their platforms for targeted advertisements, which is a main driver for their monopolistic profits. While many admire these companies as American pioneers, they should also realize that we are entrusting them with our personal data, which is a large responsibility. On Data Privacy Day, it’s important to remember that sensitive information needs safeguarding more than ever before. Some information that particularly needs to be protected by companies includes personal health data as this is very sensitive information that most people don’t want to be shared or used against them for future decisions they may want to make. Some startups are pioneering new ways to make sense and drive productivity through data analytics and mining such as App Annie and Tamr. We anticipate investments in this space will only continue to grow alongside the growth of global data.

Patrick Lastennet, Director of Business Development, Enterprise
January 24, 2020 11:50 am

In today’s sophisticated threat landscape, customers expect that the enterprises they’re doing business with are protecting their data and privacy, no matter where in the world they are located. These expectations are shifting how businesses must now operate, especially considering they also need to adhere to an ever-widening set of data privacy regulations, including GDPR. While meeting these compliance regulations is complex and challenging, they cannot be ignored. A key part of this will be for businesses to plan their infrastructure, and data handling and storing processes accordingly.

Most enterprises managing customer data are likely leveraging at least one form of cloud – which becomes increasingly complicated when different service providers have their own processes for remaining compliant. Enterprises can’t count on their providers’ compliance alone – they must ensure their own forms of protection as well. In order to still reap the benefits of cloud, enterprises seeking to uphold the highest standard of data privacy will increasingly turn to encryption to protect their critical information. As such, securing encryption keys becomes a necessary layer of added security.

Key encryption management services secure encryption keys in a Hardware Security Module (HSM) that is kept separate but in close proximity to the cloud environment in which their applications reside, allowing for high performance, low latency integration with cloud apps without compromising on security or compliance. Since most enterprises don’t have the necessary resources to do this on their own, turning to a managed service within a colocated data center provides the perfect solution for key encryption management. Not only will this help enterprises adhere to strict data privacy regulations, but it will also help them win in the ever-scrutinizing eyes of consumers looking to hold businesses to a higher standard in the wake of high-profile data privacy scandals.

Ray Overby, CTO and Co-Founder
January 24, 2020 11:54 am

Data Privacy Day is all about raising awareness of how organizations put the vast amount of sensitive data they store at risk and encouraging everyone to take action to better protect this data. One major risk to data privacy is excessive access, which simply means that there are individuals, either internally or externally, who have unnecessary access to information on the mainframe. The more people with access to information, the more likely your data will be compromised. These issues can crop up inadvertently and go undetected for years, so organizations need to include excessive access checking in ongoing security processes.

To mitigate this risk, excessive access checking should be included in an organization’s security policy and done periodically to maintain a proper security posture. However, this is an arduous process that can uncover hundreds of thousands of findings, which the organization then must address. The good news is, automation can speed up excessive access checking and help organizations drill down to the user level, to get a detailed report of who has access to what.

Another tip for organizations to improve data privacy practices is to accurately inventory, classify, and define data ownership. For organizations beginning the data discovery and classification journey, visibility into the movement and usage of your firm’s most sensitive data can help uplift security programs significantly. When you know what you have, where it is, and who has access to it, you can develop the right policies around ownership and also target your strongest security controls such as encryption of that data.

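The excessive-access check described in the comment above, as an added example that is not the commenter’s or any vendor’s code. It assumes two constructed inputs: a per-role baseline of the datasets each job role legitimately needs, and an export of actual grants with a last-used date; it reports, per user, grants outside the baseline and grants that have gone dormant within the review window.

```python
"""Excessive-access check over a constructed entitlement snapshot.

Added example (not from any commenter or product on the page). Inputs are
constructed: a role baseline describing which datasets each job role needs,
and a list of actual grants as an access-control export would provide them.
The report lists, per user, grants beyond the baseline and grants that look
dormant (unused within the review window), so a reviewer can drill down to
the user level.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed baseline: the datasets a role legitimately needs (hypothetical names).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "payroll-clerk": {"hr.payroll", "hr.employees"},
    "support-agent": {"crm.tickets", "crm.customers.contact"},
    "dba": {"hr.payroll", "hr.employees", "crm.tickets",
            "crm.customers.contact", "crm.customers.pii"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    dataset: str
    last_used: Optional[date]  # None means the grant has never been exercised


@dataclass(frozen=True)
class Finding:
    user: str
    dataset: str
    reason: str


def check_excessive_access(grants: List[Grant], baseline: Dict[str, Set[str]],
                           as_of: date, dormant_after_days: int = 90) -> List[Finding]:
    """Flag grants outside the role baseline, roles with no baseline, and dormant grants.

    A grant outside the baseline is reported as such even if it is also dormant;
    dormancy is only reported for grants that are otherwise legitimate.
    """
    findings: List[Finding] = []
    cutoff = as_of - timedelta(days=dormant_after_days)
    for g in grants:
        allowed = baseline.get(g.role)
        if allowed is None:
            # A role nobody has defined a baseline for cannot be justified at all.
            findings.append(Finding(g.user, g.dataset, f"unknown role {g.role!r}"))
        elif g.dataset not in allowed:
            findings.append(Finding(g.user, g.dataset,
                                    f"not in baseline for role {g.role!r}"))
        elif g.last_used is None or g.last_used < cutoff:
            findings.append(Finding(g.user, g.dataset, "dormant"))
    return findings


def report_by_user(findings: List[Finding]) -> Dict[str, List[tuple]]:
    """Group findings per user, which is the drill-down view a reviewer works from."""
    by_user: Dict[str, List[tuple]] = {}
    for f in findings:
        by_user.setdefault(f.user, []).append((f.dataset, f.reason))
    return by_user


# Constructed sample export, dated to the review day.
AS_OF = date(2020, 1, 28)
GRANTS = [
    Grant("alice", "payroll-clerk", "hr.payroll", date(2020, 1, 20)),
    Grant("alice", "payroll-clerk", "crm.customers.pii", date(2019, 6, 1)),  # beyond her role
    Grant("bob", "support-agent", "crm.tickets", date(2020, 1, 27)),
    Grant("bob", "support-agent", "crm.customers.contact", None),            # never used
    Grant("carol", "contractor", "hr.employees", date(2020, 1, 10)),         # role has no baseline
]

if __name__ == "__main__":
    for user, items in report_by_user(check_excessive_access(GRANTS, ROLE_BASELINE, AS_OF)).items():
        print(user)
        for dataset, reason in items:
            print(f"  {dataset}: {reason}")
```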
Dr. Steele Arbeeny
January 24, 2020 11:58 am

As we are mindful of Data Privacy Day this January, we are reminded even more of how companies and their clients or customers need to stay hyper aware of ensuring that their data is safe and protected. This rings especially true when it comes to digital transformation and data migration as the complexity of these processes leaves important data vulnerable and open to the risk of getting lost or hacked. When companies make the move to new application systems, it is essential to ensure a smooth transition by implementing best practices such as conducting thorough inventory to determine no personal data is being collected, adequately backing it up, and properly protecting it with appropriate security platforms.

Chad McDonald, CISO
January 27, 2020 11:38 am

In order to create awareness around the importance of data privacy, we need to consider what businesses and consumers alike can do to better their privacy and avoid their data being leaked. With the news reporting data breaches from different organisations daily, it’s important consumers take measures to ensure they are doing all they can to avoid the same thing happening to their data. Consumers should be more aware than ever, and businesses need to understand that once they gain the trust from their customers to store their data correctly, measures should be put in place to ensure this data is protected.

The first thing consumers need to do is treat their personal information as currency, because the bad guys certainly do. This is not understood by many people, but personal information has monetary value, so they need to protect it as they would their wallet. Not all organisations are trustworthy, so it’s important not to trust that every business will keep data safe or assume that information is encrypted. Clear text storage of data, whether personal or not, is alive and well. It’s cheap and easy and will be a pervasive problem, so it’s always good to validate how information is stored.

Consumers need to know their rights. They own their information, so it’s therefore their responsibility to know who they share it with and how they use it. It should never be assumed that personal data won’t be sold. Many vendors with whom we share data have downstream data sharing and sale agreements with other data aggregators. The further someone gets from their initial share, the harder it is for them to maintain control of their personal information. Read privacy statements and be wary of those who will share personal data. If there’s the option of refusing to share data, choose it. With that said, it is important not to leave a trail of breadcrumbs. Consumers should request deletion of old accounts, of personal information and anything that may be leveraged to piece together someone’s digital identity. Innocuous pieces of information can in many cases be aggregated to provide some scary details.

Nigel Hawthorn, Data Privacy Expert
January 27, 2020 11:46 am

Over a year after the EU’s General Data Protection Regulation (GDPR) came into force, the regulatory bodies are changing their focus from guidance to full enforcement. The GDPR framework serves as a driver for organisations to revisit their current processes and take full responsibility for how they process and store personal data. As the UK leaves the EU, this legal responsibility doesn’t go away. The UK government passed the Data Protection Act 2018 to provide an equivalent law to GDPR. As we’re stepping into a new decade, we are seeing the rise of more regulations which put internet users first and a rise in the data stored in the cloud.

With the increasing reliance on the cloud, businesses need to rest assured that they have complete visibility and control over data regardless of where it is. According to our latest research, 40% of large UK businesses expect to be cloud-only by 2021. What we’re going to see in 2020 is even more data and applications shifting to the cloud – and where they migrate, cybercriminals will follow.

Today, we should recognise that the age of the cloud is here. Whether businesses are cloud-only or shifting towards a cloud-first approach, the key is to make sure it isn’t an easy target for cybercriminals.

Zachary Jarvinen, Head of Product Marketing, AI and Analytics
January 27, 2020 11:52 am

The rest of the data privacy iceberg will begin to emerge

As we welcome in another Data Privacy Day, this date – and what it represents – has never been more relevant or more important.

It’s clear that 2020 will be the year that the rest of the data privacy iceberg begins to emerge. While regulations like Europe’s GDPR and the California Consumer Privacy Act (CCPA) have already been established, new regulatory developments surrounding data privacy are continually coming to light.

Although these regulations have their inherent differences, the general scope of data privacy laws is to give consumers the right to know how and what type of personally identifiable information (PII) is collected, and the option to take legal action in the event that they should incur damages from bias or data security breaches. In 2019, 53% of consumers stated that they would cancel a transaction if they didn’t like something in the privacy policy – more must be done this year to make sure data privacy and protection is a top priority for companies.

Until now, most organisations have focused their efforts on structured information, but they must also be able to understand what PII is located in textual documents. Archived data, in particular, is an especially pressing concern for most enterprises. AI-powered solutions will be instrumental in locating sensitive data and managing it through automated workflows. Today, organisations will also need to establish internal data governance practices to determine who is accountable for data security and enterprise-wide policy, which may include creating teams that blend technical and regulatory expertise.

It’s also a great time to get started with a career in the industry. Over the past four years there has been a 75% increase in jobs with “privacy” in the title. Privacy is hot. And, finally, data protection is at the table for new initiatives and technology decisions.

Simon Wood, CEO
January 27, 2020 11:57 am

The topic of data privacy could not be more relevant in the current cybersecurity landscape. Last year, for example, a number of headline-hitting data breaches were revealed to be a result of misplaced security design choices – demonstrating the damaging consequences of underestimating security requirements.

A large cause for concern here is when it comes to businesses building identity management functionality in-house. No matter how big a development team some companies may have, a lack of experience and resources in cybersecurity areas like identity management means that building such features internally comes with increased risk. Faced by tight deadlines and pressure to get applications to market as fast as possible, teams are challenged to build functionality that properly adheres to privacy by design and proven security methodology. Often, we see the impact of not doing so through the breaches that take advantage of weak authentication policies and a failure to keep data privacy central to the whole design process.

One way for tech leaders to solve this problem is to deploy Identity-as-a-Service (IDaaS) solutions – cloud based authentication and identity software or APIs already proven and in use in the market. Such solutions allow teams to integrate identity features into applications as securely and as seamlessly as possible, without reinventing the wheel each time. Ultimately, this on-demand expertise reduces the risk of data breaches caused by employee-led error and places data privacy at the forefront of the development process.

Gijs Roeffen, Director IT & Security
January 27, 2020 12:02 pm

As data breaches continue to hit the headlines, businesses and consumers alike are becoming more and more aware of the need to protect their data. Here are a couple of simple tips to help keep your personal information secure:

Swap PIN codes for biometrics

When it comes to passwords and PIN codes, people are creatures of habit. People not only use the same password across multiple online accounts, they will also happily use the same PIN code for their debit card and their phone, or a generic PIN number. In fact, cybersecurity specialist Tarah Wheeler recently shared the most common PINs used by smartphone users to secure their devices, and shockingly, the most common PIN number was 1234.

Passcodes and PIN numbers can easily be captured from a glance over someone’s shoulder, or can be photographed or filmed from another mobile device. Biometrics, however, such as facial recognition or fingerprints, are unique to the user and can’t be obtained in either of these ways, making them a much safer option than passwords and PINs.

Safeguard your SMS messages

While it is possible to intercept SMS messages over the air, it requires multiple factors to be aligned to be successful. Attacks on SMS are often very targeted, since intercepting SMS codes requires specialist knowledge and hardware.

Using two-factor authentication, however, is an effective means of defence against account takeover, so be sure to check your SMS is protected. Alternatively, look into using an encrypted messaging service. Encryption jumbles the content of a message into random data until it is received on the other end, so if a hacker intercepts the message, they won’t be able to view it in full. Apple’s iMessage service uses encryption, as does WhatsApp, which works across both Android and iPhone devices.

Ashley Bill, Enterprise Data Consultant
January 27, 2020 12:07 pm

Fortunately, life after the General Data Protection Regulation (GDPR) has seen organisations begin to change how they think about data privacy. While avoiding regulatory fines and reputational damage is often top of mind, savvy business leaders may also see the business benefits that effective compliance can bring: the ability to generate high quality, streamlined data that can be monetised through applying predictive analytics.

By investing in optimised data management driven by compliance, organisations can effectively increase the value of their data. It not only saves them pouring significant amounts of time into making sense of exploding datasets, but also creates an environment where teams can effectively deploy predictive analytics to make informed decisions. Using insights gleaned from quality data, companies can better predict the preferences and behaviour of their target audiences to inform and maximise the potential of marketing, advertising and product development. Ultimately, accurately predicting what customers want and remaining a step ahead of competitors is the ‘holy grail’ of business success.

If predictive analytics is essential for boosting business outcomes, data privacy compliance is a fundamental component. And looking ahead, it will be a major driving force behind the development of modern, ethical, data-driven organisations.

Chris Greenwood, Senior Director and General Manager UK&I
January 27, 2020 12:13 pm

Data privacy has moved beyond protection and is now a question of trust.

We, as consumers, trust organisations to handle our data in a secure, standardised and accountable way. But with 60% of UK businesses planning to migrate apps and data to the cloud within the next year, the risks are high. Combine this with the rise of 5G, edge computing and AI bringing about entirely new and disruptive ways to use data, organisations must ensure suitable safeguards are in place, tested and updated as we begin to unravel these various possibilities.

75% of IT leaders anticipate that security will have the largest impact on their data strategy over the next 12 months. In order for privacy to succeed, it is the duty of companies and organisations to not only understand how and why data is being used, but also have the capabilities to remedy any ethical concerns which may naturally arise as new lines are drawn on what ‘is’ versus what ‘was’ acceptable as technology becomes ever more powerful.

This can only be achieved by being able to see, access and conscientiously use data from any and every environment whilst affording the end user the means to control how and what data is there in the first place. Only then can user privacy truly succeed.

Malcolm Murphy, Systems Engineering Director, EMEA
January 27, 2020 12:17 pm

You hear a lot of people in the industry talking about Zero Trust. Whilst it is certainly a core element of improving data protection standards, we need to be more realistic about its wide-scale implementation.

Despite the hype, no one is actually doing ‘Zero Trust’ yet. Putting the infrastructure in place to enable organisations to verify anything and everything trying to connect to its systems before granting access is a really hard thing to do, as we can’t easily layer it onto existing technology at scale.

As it stands, we’re nowhere near being able to implement the Zero Trust concept at a cost-effective level, and this is unlikely to change in 2020 – and our data privacy may suffer because of it.

This approach will remain difficult, expensive and inconvenient. I think it will take a catastrophic event or new regulation to make organisations invest in Zero Trust; it won’t happen on its own.

Paul Farrington, Chief Product Officer
January 27, 2020 12:21 pm

Many businesses today are software-driven and they are conscious of the role software security plays in keeping data protected. There is a greater need to ensure security is a core part of the software development process going forward. As a new data-driven decade commences, businesses should empower developers by training them on best practices in secure coding and providing the tools to enable them to find and fix vulnerabilities in their software.

We know that unresolved vulnerabilities that pile up over time, also known as security debt, can leave organisations exposed to data breaches. Hackers will continue to look for weak points at the application layer, which is still the predominant threat vector. By shifting security left, developers are able to fix vulnerabilities faster and more effectively, improving an organisation’s overall security and ultimately better protecting sensitive data. Across Europe, more businesses are learning that they are able to adopt application security without stifling innovation.

Elodie Dowling, EMEA General Counsel, BMC Software
January 27, 2020 2:02 pm

With an increasing number of data protection laws around the world, data privacy remains a very pressing topic, and businesses such as cloud service providers continue to face an array of complex and logistical challenges to adhere to across their multi-cloud infrastructure, to ensure their customers’ data remains protected.

Over the course of the last year, there has been a large volume of data breaches being reported. Data Privacy Day comes as a very timely reminder for customers and their service providers to continue to work towards updating their existing privacy standards to a compliant level, while ensuring robust security is in place to protect customer data. Most recently, European regulators have imposed £97m in data breach fines, and businesses who operate within the cloud must remain vigilant to avoid similar penalties.

It’s important once a business starts using a variety of cloud-based services and infrastructure to regularly carry out audits to ensure that systems and services being used remain compliant with data privacy laws. Under GDPR, personal data may not be stored longer than needed for the predefined purpose. Therefore, it’s important businesses implement retention periods, whilst having the ability to delete data effectively when retention periods have expired – both for data locally stored and in the cloud.

Companies are able to achieve better data protection in today’s IT ecosystem through four critical measures.

1. Visibility – IT needs the tools to know where sensitive customer data resides, how it is being processed, and by whom.
2. DevOps – teams must be aligned to maintain security and compliance.
3. Integrity – IT must validate structured and unstructured data automatically, and ensure that stored data is intact.
4. Recovery – Organisations must ensure data is recoverable in a timely manner in the event of any physical or technical incidents.

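The retention-period enforcement described in the comment above (delete personal data once the retention period for its predefined purpose has expired, for both local and cloud copies), as an added example that is not the commenter’s or BMC’s code. It assumes a constructed policy mapping each purpose to a retention period in days, constructed records that may serve several purposes at once, and a legal-hold flag; a record is only eligible for deletion once every purpose has expired and no hold applies.

```python
"""Retention-period check producing a deletion manifest (constructed example).

Added example, not from the commenter or any product on the page. A retention
policy maps each processing purpose to a maximum retention period after that
purpose ended. Records list every purpose they were collected for; a record is
deletable only when the latest of its purpose expiries has passed and no legal
hold is set, which is the case a naive per-purpose purge gets wrong.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed policy: purpose -> days the data may be kept after the purpose ended.
RETENTION_POLICY: Dict[str, int] = {
    "order-fulfilment": 180,
    "tax-records": 7 * 365,
    "marketing-consent": 365,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    location: str                 # "local" or "cloud:<store>", so both copies are covered
    purposes: Dict[str, date]     # purpose -> date that purpose ended (e.g. order shipped)
    legal_hold: bool = False      # a hold suspends deletion regardless of expiry


def expiry_dates(rec: Record, policy: Dict[str, int]) -> Dict[str, date]:
    """Per-purpose expiry date. A purpose with no defined period is a policy gap, so fail loudly."""
    out: Dict[str, date] = {}
    for purpose, ended in rec.purposes.items():
        if purpose not in policy:
            raise ValueError(f"{rec.record_id}: no retention period defined for {purpose!r}")
        out[purpose] = ended + timedelta(days=policy[purpose])
    return out


def deletion_manifest(records: List[Record], policy: Dict[str, int],
                      as_of: date) -> Tuple[List[Record], Dict[str, str]]:
    """Split records into those to delete and those retained, with a reason per retained record."""
    to_delete: List[Record] = []
    retained: Dict[str, str] = {}
    for rec in records:
        if rec.legal_hold:
            retained[rec.record_id] = "legal hold"
            continue
        exp = expiry_dates(rec, policy)
        if not exp:
            # No recorded purpose means no basis to keep it, but also nothing to
            # compute an expiry from; surface it rather than silently deleting.
            retained[rec.record_id] = "no purpose recorded; review manually"
            continue
        latest_purpose, latest = max(exp.items(), key=lambda kv: kv[1])
        if latest <= as_of:
            to_delete.append(rec)
        else:
            retained[rec.record_id] = f"{latest_purpose} until {latest.isoformat()}"
    return to_delete, retained


def by_location(to_delete: List[Record]) -> Dict[str, List[str]]:
    """Group deletable record ids by store, so each store's purge job gets its own list."""
    groups: Dict[str, List[str]] = {}
    for rec in to_delete:
        groups.setdefault(rec.location, []).append(rec.record_id)
    return groups


# Constructed records, evaluated on Data Privacy Day 2020.
AS_OF = date(2020, 1, 28)
RECORDS = [
    Record("cust-001", "local", {"order-fulfilment": date(2019, 3, 1)}),
    Record("cust-002", "cloud:eu-store", {"order-fulfilment": date(2019, 3, 1),
                                          "tax-records": date(2019, 3, 1)}),
    Record("cust-003", "cloud:eu-store", {"marketing-consent": date(2018, 12, 1)}, legal_hold=True),
    Record("cust-004", "local", {"marketing-consent": date(2019, 6, 1)}),
]

if __name__ == "__main__":
    dele, kept = deletion_manifest(RECORDS, RETENTION_POLICY, AS_OF)
    print("delete:", by_location(dele))
    for rid, why in kept.items():
        print(f"retain {rid}: {why}")
```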
Joe Petro, Chief Technology Officer
January 27, 2020 2:17 pm

Consumers are hyperaware of the value placed upon their information, and Data Privacy Day serves as a reminder for all organisations to realise how important it is to act as stewards of the data entrusted to them, especially in the age of AI. Consumer trust matters more now than ever with repeated data breaches, reports of unauthorised data use, and increased regulatory scrutiny, and it needs to be top of mind.

AI is a promising and powerful technology that is poised to positively change industries from healthcare to financial services and beyond. But that requires access to huge amounts of data to train algorithms that deliver the high levels of performance needed to be impactful. To realise AI’s potential benefits, organisations often must grant access to data and be able to trust their AI partners. This trust is built upon an ingrained sense of data stewardship that respects consumer privacy and treats their data as a precious resource, not a market commodity. The success of AI depends on establishing and maintaining consumer trust with an ingrained sense of stewardship that treats data privacy as a business requirement.

Adenike Cosgrove, Cyber Security Strategist, International
January 27, 2020 3:44 pm

Data Privacy Day provides an important opportunity for organisations to take a step back and consider whether they really are doing enough to keep their customers’ data secure in the face of today’s threats. While data protection regulations such as the EU GDPR have helped start conversations and forced organisations to think differently about how to keep data secure, this is just the starting point. Just because a business complies with a regulation, that does not necessarily mean it is doing everything it can to protect its customers’ personal data. For example, under the GDPR, the integrity and confidentiality principle states that organisations must implement ‘adequate security controls’ to safeguard personal data. Critically however, the regulation does not define what ‘adequate’ really means.

An organisation could argue that their implementation of basic anti-virus protection and once-yearly data protection training for staff is ‘adequate’ – this may technically be regulatorily compliant, but is it really enough to keep consumers’ personal data safe from malicious attacks and data breaches? Today’s cyber threat landscape has changed dramatically, with malicious actors favouring sophisticated, targeted attacks which rely on social engineering to capitalise on human vulnerabilities. ‘Adequate’ security simply isn’t enough. Defending against such threats requires an equally sophisticated strategy for the ongoing security of people, processes and technology.

Regulatory compliance is often viewed as a check-box exercise and can be open to interpretation, so becoming compliant with regulations such as the GDPR should not be a primary driver of security. Compliance is an important step in the process as it can help an organisation discover critical gaps in its current security, but it should only be viewed as a starting point on the journey to true data protection and information security. Beyond the compliance check box, organisations need to implement industry best practices, understand their individual risk profile, and implement people-centric security strategies.

Last edited 2 years ago by Adenike Cosgrove
Joseph Carson
Joseph Carson , Thycotic
InfoSec Expert
January 28, 2020 11:28 am

It can be argued that the end of privacy as we know it is closer than you may think. In essence, privacy allows citizens to be free, and when you take away or constrain privacy, you take away citizens’ freedom.

The reality today is that almost everyone is being tracked and monitored 24/7 with thousands of cameras recording your expressions, fashion, interactions and speech to determine what you need, what you might be thinking and who you are meeting. Algorithms can even determine what your next action might be.

Privacy should be universal. However, we tend to have different definitions of privacy in the digital world as opposed to the physical world. EU GDPR has been a ground-breaking change that set new regulations around digital privacy, empowering citizens with clear-cut rights around consent and transparency of their personal information online. It was a step in the right direction and has drawn a line in the sand as to what’s acceptable and what’s not acceptable in terms of data privacy, collection and processing.

Some governments are looking to abolish privacy for their citizens altogether – citing terrorism as the reason. Ironically, these same governments have also stated the need for end-to-end encryption to protect against new risks, with Huawei’s involvement with 5G being a prime example. Encryption is a citizen’s right to have digital privacy just as we do in the physical world.

Privacy, security and trust must come as a package; they are all related and needed in order to build a cyber resilient society. If you sacrifice privacy you are also sacrificing security, and it ultimately ends in a lack of trust.

We hear the term ‘data is the new oil’ however I disagree with this. Humans are the new oil – we are the ‘product’ and data is the commodity which is transacted to create value, so it stands to reason that technology companies are data hungry and want as much of this information as possible.

Last edited 2 years ago by Joseph Carson
Matt Lock
Matt Lock , Technical Director
InfoSec Expert
January 28, 2020 11:30 am

Businesses should use Data Privacy Day as a prompt to ensure that their cloud networks are properly configured. Last year Capital One had more than 100 million records breached due to misconfigurations in the cloud. And with the Varonis Data Risk Report finding that 53 percent of companies had 1,000 sensitive files open to every employee, there are likely to be more businesses suffering similar breaches in the weeks and months ahead.

Making sure your cloud estate is in good order not only prevents data breaches, but it also enables authorised personnel to find data faster in the event of a data subject access request under the GDPR.

One of the top actions an organisation can take is to employ the principle of least privilege, where users can only access the information needed for their jobs. This must be enforced by securing critical information – at any time, you should be able to understand what data is being accessed, who can access it, and who actually is accessing it.

Last edited 2 years ago by Matt Lock
Carolyn Crandall
Carolyn Crandall , Chief Deception Officer
InfoSec Expert
January 28, 2020 11:38 am

Protecting data privacy should be a board level priority for all organizations. Understanding both legal and operational requirements should not be passed over quickly as the devil is in the details on these matters. Companies should post privacy statements and consumers should read them to determine if the company’s policies are sufficient to protect their information and rights. Noting, this goes well beyond just reading a cookies banner. If these statements are not clear or complete, it may be wise to seek out suppliers that maintain proper levels of security and rights administration.

Last edited 2 years ago by Carolyn Crandall
Charles Southwood
Charles Southwood , Regional Vice President, Northern Europe and MEA
InfoSec Expert
January 28, 2020 12:00 pm

In our current climate, protecting personal data has never been more important or more challenging. The annual celebration of Data Privacy Day provides us not only with a chance to reflect on how far we’ve come, but also to look forward to how we can improve in the future.

The introduction of the EU’s General Data Protection Regulation (GDPR) in 2018 presented a tough challenge for some companies. Since then, we have seen many organizations continue to struggle to ensure the simple and transparent management of personal data, mainly due to the fact it is distributed in different and separated repositories.

Data virtualization provides a solution for the data privacy challenge. It enables easy and complete access to all repositories, through a single information layer. This means that data can be traced and audited in real-time, no matter where it is stored.

Data virtualization facilitates compliance with current legislation whilst enabling organizations to protect their most valuable asset; their data.

Last edited 2 years ago by Charles Southwood
Barry Cook
Barry Cook , Privacy and Group Data Protection Officer
InfoSec Expert
January 28, 2020 12:21 pm

The amount of data produced in the world each day is incredible. Over 2.5 quintillion bytes of storable information is developed every 24 hours — and the pace, and value, of this will only increase with the rise of automation and digitalised technologies.

Although we may not appreciate it, personal information has become a prime commodity in our global economy. It provides a snapshot of our day-to-day lives, and can be used by organisations for targeted advertising and for determining the future behaviours of consumers.

So, ensuring it is sufficiently protected, and shielded from potential misuse, is key.

For us, at VFS Global, a company that handles millions of visa applications each year, employing the highest possible standard of data protection is not just the right thing to do – it’s imperative to our business model. We are trusted with highly sensitive information, including fingerprints and other biometric data, which could cause significant harm to the individual if it fell into the wrong hands. So, ensuring we have the most robust practices, safeguards, and continued confidence of our customers as “good custodians” of their data, is vital.

Key dates, then, such as Data Privacy Day, are important for businesses and consumers alike. For the former, they provide an opportunity to reflect on operational practices, while, for the latter, they remind us of the significance of our personal information in the world today.

Last edited 2 years ago by Barry Cook
Jitesh Ghai
Jitesh Ghai , SVP and General Manager, Data Governance and Privacy
InfoSec Expert
January 28, 2020 12:31 pm

The way the world sees and manages data privacy has been subject to a massive shake up in the past two years. And while data privacy has always been on the agenda of truly customer-focused organisations, it’s heartening to see that data privacy is now a boardroom priority for every business.

Privacy isn’t just a compliance concern; it has broader implications for the business. It’s data that drives competitive differentiation and companies that take privacy seriously are five times more likely to have their customers entrust their data to them, which in turn helps drive key strategic business initiatives, such as customer experience, supply chain optimisation, new product and services innovation.

While data protection has become more ingrained into corporate culture, due in part to regulation, it’s frustrating to see many businesses put data privacy governance on the back burner, as they consider it a ‘nice to have’, rather than a necessity.

Businesses are failing to appreciate that data governance is the bedrock for data privacy. Focusing on data privacy governance aligns an organisation to drive business value, by providing best practices for discovering data, who’s using it, who it belongs to; understanding risks for prioritising remediation; and protecting personal data exposure as the key to building trust with consumers.

In reality, data governance enables greater data democratisation while supporting data privacy. By putting de-sensitised data insights into the hands of data-driven leaders and subject matter experts from across the lines of business and IT, as opposed to just one data scientist, businesses can empower employees to utilise data-led insights to collaborate and deliver successful outcomes that build trust and improve customer experience.

Those businesses for which data privacy governance is already a well-understood organisational competency are gaining the edge in their market. They’re the ones that can comply with regulations, rely on accurate analytics, power customer experience initiatives, migrate to public cloud safely, and optimise business processes for greater efficiencies.

Last edited 2 years ago by Jitesh Ghai
Stephen Manley
Stephen Manley , Chief Technologist
InfoSec Expert
January 29, 2020 11:25 am

An unspoken part of the data privacy challenge is that people distrust large corporations, government and law enforcement agencies to manage their privacy. (Even while they send their private information to the most transparent phishing operations – go figure.) In theory, we want privacy. In reality, people will not trade off user experience and safety for digital privacy that they do not believe in.

Data privacy will not be solved just by passing sweeping legislation or a single magical product. Instead, there’s a journey to follow. That journey begins with cloud. The power of cloud has made it easier to put people’s privacy at risk. The same power can help centrally track and manage private data – including all the copies.

Last edited 2 years ago by Stephen Manley
Information Security Buzz