Data Privacy Protection Day (Thursday 28th) – Experts Comments

By ISBuzz Team, Writer, Information Security Buzz | Jan 25, 2021 04:28 am PST

In relation to Data Privacy Protection Day next Thursday, cybersecurity experts have provided the below commentary around how businesses can improve their data privacy and remove sensitive data blind spots. 

32 Responses

  1. In the wake of an investigation revealing a cache of personally identifiable information (PII) for sale on the dark web, Which? appropriately calls for both businesses and individuals to pay closer attention to cybersecurity. The reality is that effective technologies and best practices are readily available which can thwart incidents like this, preventing people’s highly sensitive data from being exposed and leveraged by threat actors.

     On this Data Privacy Day, businesses need to give serious and sober thought about how data-centric security, which protects the data itself rather than the borders and perimeters around it, can be a powerful tool in their cybersecurity arsenal. In the reported incident affecting customers of Tesco, Deliveroo, and McDonald’s, had this data been tokenized prior to being breached, any sensitive data within the data set would have been effectively obfuscated. Businesses cannot keep risking situations like this when the answer is abundantly clear—you can implement effective and cost-efficient data-centric security, but you must have the desire and incentive to start that journey toward comprehensive data protection.

  2. There are many layers to data privacy, but one of them centers around a fundamental need for governments to re-think and more aggressively protect our rights as citizens to own our own data if we so choose.

     Major Tech has benefited and profited from the trust that consumers unknowingly placed in them to protect our data and hold it private, rather than commoditizing it.

     We’ve inherently accepted that they are allowed to collect our data for their purposes, without disclosing how that data is being used. Today, the major social media companies know so much more about their billions of subscribers than most realize. In fact, in terms of consumer rights and transparency they act a bit like they are their own personal governments and tend to set rules that most aren’t aware of and don’t understand.

     Documentaries such as “The Social Dilemma” are starting to peel back the layers of what’s involved in examining the current state of privacy rights and allowing consumers to reclaim ownership of their data. Europe’s “right to be forgotten” is a helpful model for what future US legislation could look like, but for the time being, social media’s unchecked data gathering has ballooned, prompting concerns such as who is choosing the content that is being served to us, who has access to our data, and what they’re using it for.

     It comes down in the end to how much data harvesting We the People will awaken to and continue to permit social platforms to conduct. Will the public remain passive or urge legislators to take strong actions? One good start would be shifting from “opt out” practices to “opt in” ones – where decisions about whether and how much personal data to allow a social platform to share begin with the consumer, not with a company whose “opt out” mechanisms may be muddy and hard to navigate.

  3. Privacy management today is complex, siloed and inefficient. Current privacy policies and privacy-management approaches lack the continuous and predictive insights that drive business growth, costing companies tremendous amounts of time and money with the introduction of each new regulatory change. Companies are not only responsible for understanding the changes, but must also react and align larger business objectives accordingly.

     As the importance of data as a business enabler increases rapidly, organizations are realizing the impact of regulatory challenges far more than before and are beginning to see just how critical it is that information be compliant with current privacy regulations. However, it’s simply not sustainable or scalable for privacy leaders to manually manage data privacy with regard to each new regulation or regulatory update. Today, the responsibility for implementing and maintaining a privacy program must extend beyond the privacy office to every department within an organization. Companies must implement data privacy programs that:

     - Are easily scalable to meet each new privacy requirement
     - Ensure ongoing compliance, regardless of how organizational data flows change

     Developing these programs shows customers that the organization has taken the steps necessary to secure ongoing data privacy. This approach to data privacy acts as a commitment to customers, as well as a differentiator and business enabler.

  4. Companies across all industries have a responsibility to protect data and ensure privacy. We are all in this pandemic together, but organisations that demonstrate responsible and transparent practices in the handling and protection of customer, partner, and employee data can differentiate themselves from competitors and maintain a competitive advantage in the market, while creating a relationship of trust.

     BlackBerry operates based on four simple tenets. Employees of every company can learn to uphold these data protection values:

     - Know What Makes Data Personal. The definition of personal data is broad and applies to any information relating to an identified or identifiable natural person. It’s nearly impossible to protect personal data without knowing what it is.
     - Start with Why. There must be a clear and lawful business purpose for collecting personal data. If you can’t credibly answer the “why”, don’t collect it. Also, just because you may be able to access personal data, doesn’t mean you can use it for any purpose. The use of personal data needs to be limited to the original purpose for which it was collected—this is a fundamental pillar of creating and maintaining trust.
     - If You Collect it, Protect it. If you collect personal data, it is imperative to ensure that appropriate security controls are implemented to keep it safe from inappropriate or unauthorised access.
     - Security ≠ Privacy. While it’s possible to have security without privacy, it’s impossible to have privacy without security. Privacy is about the ethical and responsible handling of personal data. This is why security is an integral part of ensuring that transparency of privacy practices can be achieved.

  5. Companies that require access to our data need to take responsibility and ensure they are putting all the relevant measures in place to secure this data as much as they possibly can. Apps often hold the most data and they are tools everyone around the world uses every single day, so we need to start at the beginning of this process and consider how we can ensure data privacy when handling applications.

     Any company that requires its customers to use an app needs to implement Agile development methodologies with a DevSecOps model, leading to system security with operational visibility that can identify and thwart hackers from attacking and disrupting the privacy of the company’s data. Allowing the entire software development team to have a fully integrated view into the product development lifecycle, and allowing them to have the understanding and knowledge of the importance of securing and testing a device, will go a long way in helping organisations do their utmost to provide excellent data privacy. This will ensure the company is on track to achieving its business outcomes because consumer trust is intact and its customers are retained – with the proper security measures in place, a data breach is less likely and therefore their data remains secure and private and the integrity of the company itself remains intact.

  6. As businesses and their employees have adapted to the need to work from home, the question of how to secure their networks and ensure the integrity and protection of their critical information and data is one that many organisations may now believe they have solved through the implementation of a variety of tools and solutions such as SD-WAN, VPNs, 2FA and a myriad of other products. Yet there is a threat that many won’t have considered and that is, to a degree, slightly out of their hands – IoT and smart devices in the home that are all connected to the same WiFi.

     While a connected fridge, for example, may not seem like the most obvious threat to data and an individual’s privacy, these kinds of devices don’t tend to have a high level of security built in from the outset. This means that once deployed and installed within a home, they aren’t held to account in the same way our computers and mobile devices are, with regular patches and software updates automatically being pushed through.

     As a result, these devices are the equivalent of an open backdoor for even the lowest skilled hacker, providing them with the means to get onto the network and stealthily move laterally until they find the data they are seeking and a whole lot more. While some of the onus should be placed on manufacturers of smart devices to ensure security is a priority, it is also important for organisations to make their employees aware of the potential threat to their privacy and data. If employees are to host everything on the same home network, organisations must enforce stricter security policies and practices to ensure that the business network is sufficiently segmented and protected from threats.

  7. With this Thursday being named as a day to recognise data privacy or data protection, it’s a great reminder that data protection should be a top priority for organisations every single day. And a big part of that should be stopping the spread of breaches to prevent access to PII.

     Ransomware is in the news almost daily, and that’s only going to continue for the foreseeable future. Organisations need to take the more pragmatic approach of assuming breach and consequently maintain an ongoing focus on protecting the data they store. Privacy and consumer data is such a high-value currency that if an attacker knows what they have, they’ll exploit it for every last penny.

     For organisations looking to secure PII, micro-segmentation as part of a Zero Trust approach is a critical control. Traditional segmentation of the network is no longer enough to prevent the kind of lateral-movement-based threats we see. Forward-thinking enterprises need to be thinking about visibility and micro-segmentation – where they can easily isolate high-value applications and environments, prevent lateral movement, enforce granular security policies, and apply the Zero Trust posture of “never trust, always verify”.

     Although we hope measures are already in place, today is a good reminder for organisations to pause, take stock and ensure they are protecting data to the best of their ability.

  8. 2020 was an incredibly impactful year for a number of reasons, one of which was data protection/data privacy. When I look at the work we’ve been conducting at Trustwave’s SpiderLabs, I see a specific emphasis on remote working solutions. While many organisations are being proactive with their assurance work, we’re seeing that this isn’t the case for all organisations.

     When it comes to regulations, as we begin 2021, I believe that GDPR will still have an impact in the short term, regardless of Brexit. Coupled with the digital transformation we’re seeing with organisations moving to the cloud, there are plenty of areas for organisations to come unstuck. Businesses must be sure to remember that the cloud has a ‘shared model of responsibility’, in that both parties must ensure the security and privacy of data.

     Moving forward this year, if the strategy for privacy fell under my remit within my organisation, with my penetration test hat on, I’d focus on looking to ensure that appropriate security and privacy training is given to all staff. Given that many organisations are now working from home, potentially using equipment that isn’t specifically work-related, and with threats and vulnerabilities abounding, being able to identify these threats is imperative. Secondly, I’d focus on the data itself. Data is always valuable to the bad guys and ensuring that data is managed correctly should also be a focus. Policies and procedures for data should be updated given the recent home working trend, with appropriate training and technical controls.

     To round off, at a high level there are several broad security practices that can help with data privacy and protection; however, the two I’d prioritise are:

     a. Enable multi-factor authentication on services, especially those that you value, email being a good example of this, and I’d also consider using a password manager.

     b. Always update software and operating systems to the latest versions available to protect against the ever-growing threat of ransomware.

  9. Data privacy will, and already is, evolving into a Data Rights Management issue.

     Citizens’ privacy will continue to be under the spotlight in 2021. The end of privacy as we know it is closer than you may think. Privacy definitions are very different between nation states and cultures; however, one thing that is common is that privacy is becoming less and less of an option for most citizens. In public and online, almost everyone is being watched and monitored 24/7, with thousands of cameras using your expressions, fashion, walk, directions, interactions, and speech to determine what you need, what you might be thinking, who you are going to meet, who is nearby, and even algorithms that determine what your next action might be.

     Regulations will continue to put pressure on companies to provide adequate cyber security measures and follow the principle of least privilege to protect the data they have been entitled to collect or process.

     I believe the big question, when it comes to data privacy, is “How is citizens’ data being used, collected and processed?” Ultimately data privacy will evolve into Data Rights Management, which means that rather than giving up personal data for so-called free use of internet services, citizens should and can get paid for allowing their personal data to be used for marketing purposes. It will become more about how the personal data will be used, and what monetization is resulting from the data. In the future everyone will become an influencer; the difference is how much it is worth.

  10. Faced with a constantly evolving threat landscape, made even more complex by a rising number of cyber-attacks amid the global pandemic, organisations are under more pressure than ever before to keep their data safe and comply with regulations such as the GDPR.

      The mass move to remote working last year led to a number of significant challenges for businesses, from procuring the right hardware for employees to enabling remote access via the cloud. While this acceleration to a digital-first approach should be looked at positively, the resulting distributed infrastructure has created new attack vectors for cybercriminals – and, in turn, a greater potential for damaging data breaches.

      Within this new reality, becoming cyber resilient is a business necessity. Organisations should make extensive plans to effectively prepare for, respond to and recover from cyber threats. This involves implementing advanced analytics tools and frameworks to help teams identify emerging threat vectors and attack patterns. It also means critically evaluating established security concepts. Traditional perimeter-based approaches are no longer holding up, so factoring in application security and identity governance processes and tools is crucial for safeguarding sensitive information regardless of where it’s stored.

      By remaining vigilant and using next generation security technology, organisations can ensure they are in the best position to protect their entire IT ecosystem against data breaches. Ultimately, building a roadmap to cyber resiliency is vital for long term success.

  11. I can’t stress enough the importance of parents teaching their kids about online safety and security. While parents may teach their offspring about offline safety – like telling them to never talk to strangers and to look both ways before crossing a street – many don’t take the same care when it comes to online safety and security.

      Teach your children to know that whatever is posted online is forever; this includes personal information, photos, videos, and more. Kids need to understand that personal information is the most valuable currency on the internet today. Teach them to never share personal info like photos, addresses (both physical and email), phone numbers, and other identifying information.

      Kids should be taught why protecting their information is important. Show them how to control the exposure of their personal information in their favourite apps, games, and social platforms. Make sure identifying features such as location tracking are turned off, both in the social and gaming apps and in other apps, such as the camera app, which can include location info in photo metadata.

      Don’t simply hand a child an electronic device to keep them occupied and out of your hair. Spend time with your offspring, show them how to safely use apps and social networks, and discuss how to report online predators or what to do if they’re the victim of online bullying.

  12. Today is Global Data Protection/Privacy Day. It’s a good opportunity to remind yourself of the data privacy and data protection principles that keep us all safe. Many people think data privacy just focuses on PII data and associated regulations such as GDPR and CCPA, but it is significantly wider than that. In summary, it’s all about only using the data for the business purpose that it is collected for. There is no doubt that personally identifiable information (PII) is a core data set to privacy. Having an appropriate access control framework in place supports not only adhering to data privacy regulatory requirements, but enables your business to operate to best practices for data privacy. This framework should incorporate strong authentication using multi-factor authentication, enhanced multi-factor authentication for authorisation where appropriate, and accountability via monitoring/alerting.

  13. In an ideal world, we wouldn’t need to be reminded of the importance of protecting customer data. Unfortunately, we all know too well that things can go wrong and, all too often, the security of user data comes as an afterthought for organisations. For this reason, it’s still important to have conversations about how companies handle their customers’ data, as well as to try and steer big tech to be more protective with the information they collect. Since a lot of their revenue originates from advertisers, they are always going to be incentivised to favour their clients and offer them detailed user data wherever possible – regulators need to maintain a balance here and prioritise user privacy.

      It would be good to see more proactive steps being taken, rather than retrospective fines. Users need to be proactive as well – instead of mindlessly clicking through cookie warnings, there is often value in taking some extra time to select the minimum required cookies for a functional experience.

  14. Consumers and businesses need to pay close attention to fraud techniques that have become increasingly common, and Data Privacy Day is a good reminder to review these. Fraudsters likely need some amount of personal data on victims to carry out the bulk of their tactics to dupe users for their financial gain. And there are a lot of compromised accounts out there, with entire databases of stolen credentials for sale on the Dark Web.

      This almost ubiquitous availability of compromised account credentials means the industry needs to really think about the long-term threat that this ubiquity presents – and how they can address it through real time response and insights to stop fraudsters in their tracks. It’s likely this will become mandatory in the coming years, particularly for banks and organisations that deal with high amounts of transactions. Those that choose to take stock now and address these issues will be the winners in the long run, both from a compliance and regulatory standpoint and in winning trust from consumers.

  15. 2020 was a very tumultuous year and, in privacy, some good things happened, and some bad things happened. On the good side, we had the NIST Privacy Framework 1.0, and on the bad side, breach after breach, let alone things that aren’t directly privacy related. The problem with privacy programs is there is too much that comes under the category of privacy, and a lot of people don’t understand what that means. 2021 is a year starting with hope: privacy professionals finally have some simple tools.

      When building privacy programs it’s imperative to utilize the new tools, like the NIST Framework, to build a privacy program, and to build strong cybersecurity programs around privileged accounts, control data access, and implement least privilege management tools. While doing this, remember this is part of the privacy program too. With good things on the horizon and the tools available to make understanding privacy easier, 2021 starts as a year of hope. With the NIST Framework privacy programs, privacy professionals and people who are interested in privacy now have a checklist. This is something we’ve never had at this level before, which makes the future look clear for the first time since privacy programs began.

  16. And here are some of the worst offenders:

      1. In the excitement of receiving a credit card, this Twitter user shared an image of their new card and accidentally revealed their account number, full name, card expiration date and CVV number.

      2. The World Cup security center’s Wi-Fi SSID and password were printed across the front page of national newspapers in 2014 after the Head of International Cooperation was photographed in Brazil’s federal police headquarters with an image of the Wi-Fi details in the background.

      3. A photo of an Operations Officer from Hawaii’s Emergency Management Agency standing next to his desk was shared across the Associated Press with a post-it note visible exposing a sensitive password, providing an example of the ease with which hackers can target even government departments.

      4. The French TV network TV5Monde exposed their YouTube, Instagram and Twitter passwords in a TV interview with a news presenter standing in front of a reporter’s desk that carried several post-it notes with passwords written on them.

      5. Even Prince William has accidentally overshared when an image of him sitting in a Defense Ministry office revealed a sensitive password posted on a wall behind him.

      Although it is easy to overshare sensitive information on social media, it is also easy to prevent it. Chris Sedgwick, Security Operations Director at SY4 Security, outlines his do’s and don’ts for oversharing on social media:

      Do:
      · Turn on privacy settings
      · Turn off location settings
      · Keep personal and business accounts separate
      · Reject unsolicited friend requests
      · Consider who might read your posts

      Don’t:
      · Avoid clicking on shortened URLs
      · Don’t post sensitive information
      · Don’t reuse the same password across platforms
      · Don’t use the same profile avatar across platforms
      · Don’t post about upcoming or ongoing trips

  17. Data privacy gets a lot of attention these days, and rightfully so. From GDPR to CCPA, regulatory frameworks have made it impossible for businesses to ignore the importance of protecting customer data. Whilst these regulations set out the basic requirements for organisations when it comes to data protection, they don’t necessarily address the root cause of the problem – that many breaches occur due to vulnerable code.

      This Data Privacy Day is one like no other. Organisations have faced unprecedented levels of cybercrime in the past year, from attacks targeting highly valuable vaccine data to taking advantage of the increased vulnerabilities brought on by remote working. For many organisations, budgets are tight but risk levels are growing exponentially, so it’s important they focus on preventing security risk from the outset.

      A 2019 study found that, out of 32 web applications, 82% of vulnerabilities were located in the application code itself. That’s a lot of risk that can be mitigated by creating secure code in the first place. This is why teaching developers how to code securely from the outset is crucial in the fight to protect customer data.

      The most successful way to do this is through hyper-relevant and developer-centric learning platforms, which are integrated into developers’ day-to-day tasks. This helps not just fix existing problems but gives them the skills to code securely in the future, creating a more robust data security posture for customers and society at large.

  18. Data privacy has changed dramatically over the last few years. Starting with the implementation of GDPR in 2018, new regulations have codified the responsibility of companies to provide adequate protection to their customers. Data privacy is now a human issue and losing customers’ trust and loyalty can result in significant damage to organisations.

      Where things really got interesting was the overnight shift towards remote working in 2020. This new requirement forced the network perimeter to expand as it accommodated the explosion of devices connecting to a corporate network. With this come significant security issues, from Shadow IT to staff using vulnerable home Wi-Fi networks, that open up the drawbridge for attackers to do anything from stealing sensitive data to taking down hospital networks.

      As we approach Data Privacy Day after what has been an unprecedented 12 months in the cybersecurity realm, companies need to be considering how they can leverage their existing technology to increase their security posture. With solutions such as DDI (DNS, DHCP and IPAM), companies can use a technology they have already implemented (for devices to communicate with each other) to glean enhanced insight into network activities, and ultimately provide a much stronger data privacy offering.

      We also remind ourselves of the work that IT and security teams do every day to help protect companies and individuals from attackers. Investing in sound security solutions will be key in helping these teams to continue to better protect us all.

  19. In our new digital economy, people around the world are becoming acutely aware of how their information is being collected, stored, and used. The GDPR ushered in a new paradigm that elevated awareness about the importance of privacy and the exploitation of data. Some of the largest countries around the world have responded by enacting or augmenting their privacy protections to closely mirror the GDPR. We see this in Brazil and recently in California through the recent passage of the California Privacy Rights Act (CPRA). Other countries are on their way too. Steps are being taken in Canada, China, and India to potentially modernize and augment their data privacy rights and protections.

      With stricter data privacy enforcement and consumers empowered to act on their rights, companies must be prepared to deploy technology and aggressively operationalize their data privacy programs to meet the most stringent standards. Beyond potential fines, any organisation that fails to comply with data privacy laws risks breaking trust with their customers. By investing in comprehensive privacy management capabilities underpinned by information governance and automation, organisations can achieve data protection by design and default – satisfying regulatory requirements, avoiding non-compliance penalties and, more importantly, maintaining customer trust.

  20. Data protection takes on new challenges in 2021 with the rapid adoption of new technologies such as containers, microservices, and serverless functions. These technologies offer major business benefits in terms of automation, cost and scale, as well as rendering the logic to build and configure infrastructure as code (IaC). As IaC becomes the norm, infrastructure becomes immutable, paving the way for greater consistency, reliability and predictability.

      While IaC makes it easier to develop apps, businesses need to be wary of potential security risks associated with IaC and not assume these new technologies are secured as standard by the vendors that provide them. To ensure data is protected, businesses must prioritise application security regardless of the infrastructure on which their apps are built. Since the introduction of GDPR in 2018, a reported total of €272m has been levied in fines by European data protection authorities. These fines have the potential to increase as the number of ways to violate the data protection rules multiply, so employing secure coding best practices from the outset is paramount.

  21. This Data Privacy Day, there are a few clear themes we are compelled to consider: the effects of a remote work environment on system and data security, and how to provide a secure work environment while respecting the constraints of the pandemic.

      As a result of the abrupt shift to remote working over the past twelve months, sensitive data now exists outside of offices – specifically, in workers’ homes and on their personal devices, traversing untrusted networks and unsanctioned, or at least untrusted, cloud services. Yet unfortunately, most enterprise policies are designed to protect data and apply physical and technical safeguards within the enterprise, not the minimum-security environment of workers’ homes.

      To address the problem, organisations must evolve their capabilities beyond the current model of controlling sensitive data distribution, which is heavily dependent on access rights, workers’ actions (or inactions), and flagging compliance-impacting events after they’ve happened. And with IoT and analytics expanding our concept of sensitive data – by type, volume, depth and meaning – the need for a more encompassing approach is more urgent than ever.

      By applying risk-based protection and security analytics, organisations can tailor access to different files and systems based on where somebody is and how they’re working. This should, as always, be coupled with focus on the basics, including minimising collection, minimising data where possible, and managing user personas and credentials. In adapting their policies to accommodate a remote work model – which likely isn’t going away anytime soon – security and privacy leaders can help to secure the enterprise and ensure their systems, personal and other data, and workforce remain safe.

  22. <p>After a year when digital services have played a more crucial role in our daily lives than ever, Data Privacy Day is a timely reminder that online service providers have a responsibility to keep their users safe, as well as connected and productive. There is room to improve how data is handled: although it’s been more than two years since its implementation, fines levied under the GDPR increased by 40% last year as companies work to meet its principles of responsibility and transparency. As users look more closely at the behaviour and policies of services they have started using – or started using more – over the last year, it is on companies to implement and clearly communicate systems which guarantee users’ privacy. While the regulatory risks are growing, the potential reputational damage as a result of a privacy breach may be even more significant: many companies will be relying on retaining the customer base they have built up recently, and a breach can make that impossible. Over the next year, we should expect to see a consolidation of focus among online businesses and a reprioritisation of user privacy and safety. Using automated systems which provide a backstop defence of users’ privacy – such as warning people when sharing Personally Identifiable Information – can clearly signal that safety is a key consideration in the company’s attitude. Businesses should also take great care to ensure that their partners and vendors have both appropriate policies in place and the technological capability to fulfil those policies. While expertise on privacy can be outsourced, ultimate responsibility for it cannot.</p>

  23. <p>Over the last year, every business – regardless of size or sector – has faced challenges and needed to adapt in order to survive. With more interactions than ever before currently taking place digitally and the threat landscape continuing to grow, protecting personal data has never been more important or more challenging. This year’s Data Privacy Day provides us not only with a chance to reflect on how far we’ve come, but also to look forward to how we can improve in the future.</p> <p>Since the introduction of the EU’s General Data Protection Regulation (GDPR) in 2018, we have seen many organisations continue to struggle to ensure the simple and transparent management of personal data. One of the main hurdles they face is that this data is usually distributed in different and separated repositories throughout an organisation.</p> <p>This is where modern technologies – like data virtualisation – can help. By providing easy and complete access to all repositories, through a single information layer, data virtualisation ensures that data can be traced and audited in real time, no matter where it is stored and without the need for duplication. It facilitates compliance with current legislation whilst enabling organisations to protect their most valuable asset: their data.</p>

  24. <p>Data Protection Day is particularly notable for the mobile advertising industry this year, falling amid calls for more stringent consumer data privacy regulations and pending changes to advertising platforms, including Apple’s new IDFA rules. The iOS 14 update will have a significant impact on the industry, as its new App Tracking Transparency (ATT) framework will prompt users to opt-in or, more likely, out of data sharing. In doing so, it threatens to weaken the targeted advertising models that advertisers have come to rely on.</p> <p>In 2021, protecting consumers’ privacy and ensuring they have full control and ownership over their data that is collected and shared must be a priority. The latest developments will help to build trust and transparency between users, marketers and advertising platforms, if advertisers also adapt to a rapidly changing mobile ecosystem that increasingly prioritises data protection over reporting and sharing data. It’s imperative for marketers to ensure they adopt app solutions that comply with iOS end user privacy requirements while taking proactive steps to achieve continued success in mobile advertising.</p>

  25. <p>Our previous research found that 40% of large UK businesses expect to be cloud-only by the end of this year. This number is expected to accelerate because of the pandemic, which significantly increased the number of people working from home and as a result, the adoption of the cloud. With an increasing reliance on the cloud, companies need to ensure that they have complete visibility and control over data regardless of where it is, even when employees are using the same devices and services for both their business and personal lives.</p> <p>Businesses must also recognise that cybersecurity and data privacy compliance is not a cost – it’s an investment to not only protect against attacks but also enable greater innovation, resiliency and business growth. Recent <a href="https://www.dlapiper.com/en/uk/news/2020/01/114-million-in-fines-have-been-imposed-by-european-authorities-under-gdpr" target="_blank" rel="noopener">statistics</a> show that a total of €272m has been levied in fines by European data protection authorities since the introduction of the GDPR in 2018, with the majority of these fines issued in the last 12 months. Across the EU, the GDPR framework serves as a driver for organisations to revisit their current processes and take full responsibility for processing and storing personal data. Now the UK has left the European Union, it is important to remember that their legal responsibility around data privacy doesn’t go away. The UK government passed the Data Protection Act 2018 to provide an equivalent law to GDPR. As we step into the new year, we will continue to see a rise in the amount of data stored in the cloud and a clear focus on regulations which put internet users – and their data – first.</p>

  26. <p>Data Privacy Day acts as a reminder to businesses and consumers alike that cyber security solutions and fraud prevention tools are no longer optional, especially during this time of crisis. In fact, with the current, necessary shift towards remote working – it has never been more important to look to experienced security and fraud solutions providers that demonstrate a strong track record of protection against cyber threats to security.</p> <p>The sad truth is that fraudsters don’t stop their crimes because of a pandemic. In fact, they often seize the immense change that comes with an event like this to ramp up their activity – targeting individuals and businesses whilst they are at their most vulnerable and least protected in order to manipulate their data and steal their personal information.</p> <p>Whilst there is not and never will be one single silver bullet for fighting fraud, biometrics is a proven, effective authentication factor and fraud prevention tool. By layering it into a data protection strategy, businesses are able to identify whether a person really is who they say they are.</p> <p>With voice biometrics able to leverage more than 1000 unique speech characteristics – from pronunciation to size and shape of your nasal passage – and behavioural biometrics measuring minute details – such as how a person holds their phone or even how they pause once they finish a task – systems that incorporate them are considerably less susceptible to hacking.</p> <p>When it comes to fraud, prevention is always better than a cure. In today’s landscape consumers are more aware than ever of the importance of protecting their own information, and they will hold accountable the organisations that don’t do enough to protect the information they share with them. Without question, businesses need to be one step ahead and education around the most effective security solutions – like biometrics – is key.</p>

  27. <p>Many “hacks” exploit known vulnerabilities for which patches are available, so basic security hygiene is a must. Organisations should be vigilant making sure all software is updated and backed-up regularly. Tracking all applications that are being accessed should also be part of the cybersecurity program, as many threat actors target unattended apps.</p> <p>Attackers can easily compromise shared information so organisations should be limiting information on shared channels. When sharing logins or passwords, call co-workers rather than writing it down, or utilise a secure password-sharing application that requires additional verification of a user’s identity before granting access. Using enterprise password management and single-sign-on technologies will not only help reduce potential unauthorised login risks but also provide the IT team with further visibility into who has access to specific resources. Moreover, organisations are able to integrate their domain, SaaS applications, and even customer applications, ensuring every entry point is secured.</p> <p>Additionally, virtual meetings can be listened in on, so always mandate passwords when setting up new meetings and share passwords separately from the invite itself. Most major videoconferencing providers now also offer end-to-end encryption for meetings, and utilising this feature adds another layer of security, making it more difficult for anyone outside the meeting to access the conversation.</p> <p>Developing a security-aware culture within your organisation is an essential component as it can often be the human element that is the weakest link in security. Keep your employees educated on what is confidential and sensitive data, and the steps they can take to protect both their own and their customers’ information. Creating a stronger “cyber smart” security culture takes time and lots of education but is critical to data security.</p>

  28. <p style="font-weight: 400;">Here are three top data privacy opportunities for businesses that my SailPoint colleagues and I have seen in the wider industry over the past year.</p> <ul style="font-weight: 400;"> <li>Sharing passwords and devices at work and at home (yes, still an issue!)</li> <li>Neglecting identity as a key attack vector and why focusing on firewalls is no longer enough</li> <li>Ignoring the widening compliance gap in the post-Brexit and mid-Covid chaos</li> </ul>

  30. <p style="font-weight: 400;">User privacy has been crumbling for years. Each new security breach and data dump further chips away at what little privacy does remain. Adding to the challenge is the fact that connected devices are far more intertwined in our lives than ever before. We rely heavily on digital assistants such as Alexa or Siri, smart home management products, wearables, and more. While these technologies do make our lives easier, the privacy and security risks are undeniable.</p> <p style="font-weight: 400;">Corporations use advanced machine learning algorithms to correlate the data that smart devices collect and amass troves of information about us. These algorithms help them quantify and analyze our behavior and even influence our actions through advertisements and personalized social media feeds. Worse yet, they often sell our data to third parties behind the scenes. Cybercriminals present further risks. Attackers can leverage user data stolen from corporations, or collected from any number of public-facing pages on the internet, to mount effective spear-phishing campaigns against us, crack our passwords, and more.</p> <p style="font-weight: 400;">The risks are high and growing more so with each passing year. But society has realized that giving companies so much insight into our lives is neither healthy nor safe, and is beginning to turn the tide. GDPR and the CCPA are perfect examples of countries and states putting more pressure on businesses to protect users’ data and privacy. To expedite an even broader commitment to privacy, we believe users will finally revolt en masse and force into existence new privacy regulations for social media services, connected devices, and more. In the meantime, everyday users should continue to acknowledge that privacy is a significant issue, restrict the type of information they share online or with smart devices, and keep an eye out for attacks that might leverage their own personal data.</p>

  31. <p><strong>How do you think the area of data privacy and protection has changed in 2020 (due to the pandemic, shift to remote work or just generally)?</strong></p> <p><em>Changes to regulations are generally slow burning processes that lack the agility to react to fast changing situations such as those we have witnessed through 2020. If we split the two disciplines described into their constituent parts and focus on protection, then the IT landscape is a very different place to this time last year. A lot of attention has been placed upon the pressures of a workforce suddenly forced to work from home or remote locations, and the IT function has had to adapt and accelerate programs for enabling this immediate requirement.</em></p> <p><em>We have seen an unbelievable amount of change within the IT landscape, emergency budget decisions, adoption of new enabling technologies and working practices within 2020 – a rate of change I don’t believe has ever been witnessed before, and all this change equals opportunities for threat actors, meaning data protection has never been more important or challenging than it is now. Remote working and communication has thrown open the doors of risk to organisational data, with endpoint protection significantly weakened, shadow IT growing, employees having to find new ways of completing tasks whilst being distracted with home education and the challenge of finding food (or toilet rolls) for the family. All of this change and distraction makes it easier for the bad guys to make off with the life blood of your business – be that the personal information of your customers, or the intellectual property that is the future of your company.</em></p> <p><strong>GDPR, CCPA/CPRA, and other data privacy and protection regulations have started to really take hold. Now that we’re seeing these regulations across the globe, should we expect additional protections? And will we see any major movement around enforcement for these regulations now that we’re in 2021?</strong></p> <p>I strongly believe that we will see a continued ‘domino effect’ of adoption of regulations that match the ‘gold standard’ of GDPR across the globe. But as stated above, this is not likely to have been due to the pandemic in 2020, but more to do with the demands of the population refusing to continue to accept the reckless behaviors that are negatively affecting their futures – do not underestimate the personal anguish involved in having to clean up the mess left behind when someone has stolen your identity and trashed your life – finances, reputation, place to live, passports and freedom to travel to name just a few.</p> <p><strong>Also, we saw developments last year around those organizations that had been given huge GDPR fines like <a href="https://www.bankinfosecurity.com/blogs/marriott-bas-reduced-privacy-fines-gdpr-realpolitik-p-2963">British Airways and Marriott</a> negotiate their fines down significantly? Is this going to be a trend and if so, is there still a point to regulations like GDPR? Or are these negotiations more reasonable given the amount of investment these companies will be putting towards remediation and/or additional protections in the future?</strong></p> <p>I’m not sure we can describe the ‘fine reductions’ in this way given that the figures published were related to the ‘notice of intent’ and not the final findings. I think the original figures were based on ‘worst case’ and published by the offending parties (maybe just making their own boards and investors aware, and giving them a shake-up). Indeed, there has been a significant increase in actions being taken by the regional commissioners’ offices around the EU, with many more organisations and individuals being brought to prosecution under the legislation – so things will continue to get worse for the reckless.</p> <p><strong>Are there any best practices that you would recommend or like to remind organizations about on this day in particular? Or anything that maybe organizations made a lower priority as they have been managing remote working environments?</strong></p> <p>Don’t lose sight of fundamentals of solid IT practice – ensure the minimum level of access to perform the required function, keep an accurate inventory (software and hardware) and keep everything up to date – including awareness training for ALL employees.</p>

  32. <p style="font-weight: 400;">Much of the focus around data protection involves securing large, database-driven systems. However, it’s still common for organisations to have what I call ‘sensitive data blind spots’. This is where important data & intellectual property is stored on ‘weak links’ in security like remote computing devices connected to the company network (endpoints).</p> <p style="font-weight: 400;">With this in mind, organisations need to remember that data is likely to end up in places they don’t want or expect it to, so they need to have visibility across endpoints to ensure that sensitive data is fully tracked across what are often complex IT environments.</p> <p style="font-weight: 400;">Technology now exists which uses pattern matching to identify sensitive data, such as financial payment information, based on the unique format each type of data is stored in. This helps organisations understand where their valuable data assets are held across the IT estate, providing an additional safety net in addition to staff manually classifying documents that hold sensitive data. This is traditionally the method organisations have used to prevent sensitive data loss. Whatever the method, the most important thing is that organisations ensure they identify sensitive, high-value data across their entire network to ensure it’s secure, private, and compliant with regulations – and that issues can be quickly remediated if something does go wrong.</p>
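As an added illustration of the pattern-matching approach described in the comment above (this is example code written for this page, not the commenter's or any vendor's tool): a small Python scanner that finds payment-card numbers on endpoint files by format, confirms them with the Luhn check digit so that look-alike digit runs are not reported, and emits only masked values. The file paths and contents are constructed sample data.

```python
"""Endpoint scan for payment-card numbers (PANs) stored outside the database.
Added example: candidates are found by format (13-19 digits, optionally grouped
by spaces or hyphens), confirmed with the Luhn check digit, and reported masked
so the scan output does not become another copy of the sensitive data."""
import re
from dataclasses import dataclass
from typing import Dict, List

# A run of 13-19 digits, each optionally followed by a space or hyphen,
# that is not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report does not leak the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    path: str
    line_no: int
    masked_pan: str


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid card number in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):  # drops most order refs and phone numbers
                findings.append(Finding(path, line_no, mask(digits)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents (stands in for walking a device)."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample files. The card numbers are well-known test PANs; the
# other digit runs have a card-like shape but fail the Luhn check.
SAMPLE_FILES = {
    "C:/Users/alice/Desktop/refunds.csv": (
        "customer,card,amount\n"
        "A. Smith,4111 1111 1111 1111,19.99\n"
        "B. Jones,ref 4111111111111112,5.00\n"
    ),
    "C:/Users/bob/Documents/notes.txt": (
        "Call back on 0207 946 0958 1234 about the invoice\n"
        "Expense card 5500-0000-0000-0004 expires 12/23\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.path}:{finding.line_no}: {finding.masked_pan}")
```

The Luhn test removes roughly nine in ten random digit runs, so a real deployment would still pair this with issuer-prefix checks and a human review queue.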
