In an era dominated by digital interactions, Data Privacy Day serves as a stark reminder of the vital need to safeguard critical information. As cyber threats escalate and data becomes the lifeblood of businesses, this exclusive feature by Tahawultech explores the significance of securing data, with experts throwing light on the pivotal role data privacy plays in maintaining enterprise and personal security.
Bernard Montel, EMEA Technical Director and Security Strategist, Tenable
Each year we talk about data privacy and each year the number of individuals who’ve had their data breached increases. While it’s important that individuals have a right to data privacy, if hackers are able to steal it, read it, publish it then there is no privacy. The reality is you can’t have privacy without safeguarding it.
According to figures published by IT Governance, there were 8,214,886,660 records exposed in 2023. While not every record will be unique, that’s still a lot of personal information in the wrong hands. And this week [January 23 2024] it was disclosed that over 26 billion personal records have been exposed, in what researchers believe to be the biggest-ever data leak. The issue is that threat actors know they can monetize their crimes by targeting valuable data with little fear of capture or punishment.
Threat actors can aggregate leaked data from numerous breaches into a single large database that can then be cross-referenced to launch further attacks. As illustration, the identity and password combination from one service can be used to breach another, referred to as ‘credential stuffing’; by combining high level information from different sources to completely profile an individual — such as passwords, PINs, social security number, place of birth, and more, they could have enough information to answer security questions used to protect and/or access bank accounts. The more data available to hackers, the greater the risk becomes.
We have to start addressing inadequate security to stop threat actors stealing data. We know threat actors’ attack methodology is not advanced or even unique but opportunistic. They see many ways in and multiple paths through environments to do damage and monetise their nefarious efforts. The widespread adoption of cloud computing introduces new levels of vulnerability and management complexity that can be targeted by bad actors.
Christopher Budd, Director Threat Research at Sophos
Remember the power of “no”.
Be smart about your passwords.
Remember the power of no: this means remembering that the best way to protect your data and information is to not give it away in the first place. Just because a site asks you for your birthday, for instance, doesn’t mean they need it or they’re entitled to it. If a site or service doesn’t have your information, they can’t lose it or accidentally disclose it. While this may seem obvious, it’s important and we can all remember this, always.
Being smart about your passwords: this means that while we all hate passwords, we all know they’re a pain, they remain important. Even today we see major companies compromised because of bad password management by them or their people. Using unique passwords for every site (or at least every important site) is still one of the best things you can do to keep yourself secure. In addition to using unique passwords, using a multifactor authentication app like Google Authenticator or Microsoft Authenticator is an important step in making those really critical accounts even more secure.
In addition to these things, remembering to not click on links, to keep all your applications, apps and devices up-to-date, running security software and treating all unsolicited communications (email, phone calls) as suspicious also help make your security even better.
But if you remember and do just those two things, you’ll be a long way towards keeping yourself safer online.
Dave Russell, VP of Enterprise Strategy at Veeam
Cyber threats like ransomware play a critical role in organizations’ ability to keep their data safe. Knowing how public attacks have gotten and considering consumer demands for better transparency into business security measures, there’s generally more awareness around ransomware in 2024. New research supports the idea that ransomware continues to be a ‘when’ not ‘if’ scenario, with 76 percent of organizations attacked at least once in the past year, and 26 percent attacked at least four times during that time. Data recovery should be a key focus around Data Privacy Day 2024, knowing that it’s still a major concern as only 13 percent of organizations say they can successfully recover during a disaster recovery situation. In 2024, the overall mindfulness of cyber preparedness will take precedence.
Ezzeldin Hussein, Regional Director, Sales Engineering, META at SentinelOne
In an era dominated by digital connectivity, the significance of privacy has become paramount. As individuals navigate the sophisticated web of online interactions, it is crucial to recognize the profound impact that personal data can have on one’s life. The exponential growth of technology and the ubiquity of data-driven services underscore the need for heightened awareness about privacy. Every click, search, and interaction generates a trail of personal information, creating a digital footprint that can be exploited if not handled responsibly. To safeguard against potential threats, individuals must embrace best data protection practices, understand the value of their personal information and take proactive steps to secure it. This involves using robust passwords, enabling two-factor authentication, and staying informed about privacy settings across various online platforms.
Promoting responsible data handling is not solely an individual responsibility; it extends to businesses, governments, and organizations that collect and process vast amounts of user data. Companies must prioritize transparent data practices, informing users about how their information is used and providing them with control over their own data. Governments play a crucial role in establishing and enforcing comprehensive data protection regulations that safeguard citizens’ privacy rights. By creating a culture of responsible data handling at all levels of society, we can collectively build a more secure and respectful digital landscape. It is imperative to recognize privacy not as a mere convenience but as a fundamental right that demands our vigilance and commitment to ethical data practices, ensuring a safer and more secure online environment for everyone.
Dr. Johannes Ullrich, SANS fellow and Dean of Research at SANS Technology Institute
On Data Privacy Day, we must emphasize the critical importance of data protection, as outlined in “Convention 108” and “Convention 108+”. These conventions aim to establish a uniform legal framework for data protection among signatory states, leading to robust policies like the GDPR in the European Union.
However, despite these frameworks, data security faces numerous threats. Our Internet Storm Center and SANS Institute monitoring has revealed significant vulnerabilities and attack methods that jeopardize data security.
One such threat is the vulnerability in Ivanti’s Connect Secure VPN solution, widely used to control personal data access. Recent severe vulnerabilities in this product have transformed it from a protective tool into a potential gateway for attackers, undermining organizational data controls.
Another prevalent threat is password spraying. A recent example includes a cyber attack on Microsoft, leading to data exposure from its executives and cybersecurity team. Through our honeypot investigations, we have gathered data on the common passwords used in these attacks, which can assist organizations in strengthening their internal password policies to prevent brute force or spraying attacks.
Joseph Carson, Chief Security Scientist & Advisory CISO, Delinea
The end of privacy as we know it might be closer than you think. The world is increasingly relying on more AI and machine learning technologies. This reliance could result in privacy becoming less and less of an option for individuals, as AI’s capabilities in surveillance and data processing become more sophisticated.
2023 marked a significant leap in the authenticity of deepfakes, blurring the lines between reality and digital fabrication, and that is not slowing down any time soon. Our digital identities, extending to digital versions of our DNA, can be replicated to create digital versions of ourselves, which can lead to questioning who actually owns the rights to our online personas.
Unfortunately, advancements in AI technologies are evolving more swiftly than current regulations can keep pace with. In 2024, we can expect stricter data protection requirements across more countries and regions. But until these regulations evolve and can keep pace, it is important to reduce our risk and protect our privacy however possible.
Mohammed Eissa, Regional Sales Director, MEA, Entrust
This year, Data Privacy Day serves as a stark reminder that safeguarding digital identities must take center stage in our increasingly interconnected world. The so-called conflict between “seamless user experience” and security is over — the only answer is that security has to be welcomed as part of the experience.
Over the past few years, data breaches and privacy scandals have become alarmingly commonplace, raising concerns about the security of our personal information. From large-scale corporate breaches to individual cases of identity theft, the threats to our digital privacy persist and continue to evolve.
As technology continues to advance at a rapid pace, so too do the tools and techniques employed by malicious actors. From sophisticated hacking attempts to more subtle forms of data mining, our personal information is constantly under siege. Even the most highly-trained security professionals may miss increasingly realistic AI-generated phishing scams, across text, voice, and video.
Governments and regulatory bodies across the Middle East continue strengthening the fight against an ever-evolving threat landscape. For instance, UAE’s Dubai International Financial Centre (DIFC) recently announced modifications to its current data protection laws, perhaps the most important of which are the newly included AI clauses.
Morey Haber, Chief Security Officer, BeyondTrust
For Data Privacy Day this year, let’s explore the controversial topic of the impact of age demographics on perceptions of data privacy. This is not a discussion on whether data privacy is important, nor that sensitive information needs to be protected, but rather based on age groups, social media, and the designator of being an “influencer”, data privacy means very different things.
As a matter of fact, younger generations, that have embraced social media as a primary vehicle for income or popularity, have decided personal data privacy is less important than older generations that prefer to keep even their own birthdays private. The reasons are not completely obtuse since younger generations are generally fearless, lack experience, and have embraced the idea that personal information, and the transparency of data privacy, can lead to quick wealth, social status, and can have no repercussions if exposed. For older generations, data privacy has different implications, based on world geopolitics, distant relationships, and even the desire to protect family and assets acquired through years of hard work or public service.
So, while we can all agree data privacy is important, it does not mean the same thing to everyone and age can play a significant role in determining what an individual considers private or not.
Ramzi Itani, Regional Director at Veritas Technologies
Data Privacy Day serves as an important reminder for IT leaders in all organisations across the Middle East region of the scale of growing cyber threats to their data, as well as the business risks presented by non-compliance with the rapidly evolving regulatory landscape, designed to keep data safeguarded. In line with this year’s theme of ‘Taking Control of your Data,’ the role of Artificial Intelligence, and its relationship to our data protection cannot be overlooked.
While the transformative impact of Artificial Intelligence (AI) on the way we manage our data is evident, AI’s swift evolution has given rise to new challenges, notably seen in the surge of autonomous ransomware attacks.
Veritas’ Data Risk Management report revealed that 73% of UAE organisations fell victim to ransomware attacks in the last two years. AI not only enhances threat detection but also empowers cybercriminals to execute sophisticated attacks.
The evolution of AI is also making data privacy compliance more complex, and regional and national regulators must continue to develop legislative guardrails for public-facing large language models (LLMs) and Generative AI (GenAI). For example, the DIFC recently announced amendments to its existing data protection regulations, with newly added AI provisions being some of the most significant changes.
As the Middle East tightens its data protection frameworks in response to these challenges, it is clear that vigilance and adaptability are not merely optional but essential and are also recognised as critical by individuals. Veritas research on the use of generative AI technologies in professional environments showed that 44% of employees questioned in the UAE understood that using public generative AI tools did introduce greater risks of sensitive information being leaked.
K S Sreedharan, Director of Compliance, ManageEngine, Zoho Corporation
Safeguarding data is a priority for business as well as for individuals. With every new technology, the risk profile changes, and with it, fresh challenges arise. The widespread use of AI and ML technology has pushed the boundaries of the amount of personal data that can be collected and analyzed. This has led to the possibility of algorithms learning the behavior of a person and making decisions that impact the individual’s rights. Large-scale data collection increases the risk of surveillance. Therefore, regulators in various geographies have developed mandates for the responsible use of AI and ML technologies. It is in the best interest of businesses to follow these mandates, as compliance violations can not only result in penalties but also the loss of trust in customers.
Another risk is that of decisions made by AI and ML technologies based on models trained on specific types of data in the form of images, videos, text, and numbers that pertain to the model. Such data, though carefully curated for training purposes, will still likely carry inaccurate information. There should always be a process requiring a human to review the automated decisions made by technology so corrective actions can be taken if needed.
There have also been instances where employees using AI technologies to simplify tasks for their jobs have inadvertently leaked sensitive company information. Organizations should educate employees about these risks and build controls to avoid them. Organizations that intend to use customer data for training AI models to improve their quality of service should develop a clear and transparent policy, and communicate it with employees. Furthermore, there should be controls on the use of this collected data so that the purpose for processing it does not violate the published mandate. The processing of this data should be beneficial in terms of improving productivity but should absolutely not infringe on an individual’s rights.
Tim Wade, Deputy Chief Technology Officer, Vectra AI
Customers and consumers alike are sharing more data than ever with organizations. This comes at a time when enterprises are shifting more applications, workloads, and data to hybrid and multi-cloud environments, and threat detection and response has become increasingly siloed and complex. Together, this underscores the crucial responsibility organizations have in safeguarding sensitive information and serves as a poignant reminder of the challenges involved in maintaining data privacy.
We’ve seen steady improvement on the part of the end user towards keeping their personal information secure and private. They deploy multi-factor authentication solutions, only use secure networks or VPNs, and are much more selective about which information they share with organizations, but exposure incidents still happen. As we strive to make the world a safer and fairer place, companies have a responsibility to their customers, partners, and end users to implement the right practices that will ensure their privacy and data are protected. In the upcoming year, businesses will face heightened expectations to demonstrate their commitment to implementing comprehensive measures aimed at safeguarding data.