January 28 is Data Privacy Day. Anita Joseph, Editor, Security Middle East, spoke to experts to find out why confidentiality of data is so important and what organizations must do to ensure that they have robust data management frameworks in place.
Data management is, arguably, the biggest challenge facing businesses today as they accelerate their digital transformation goals and fast-track their growth momentum. This inevitably brings the question of data protection and security to the fore, as breaches and attacks become more complicated, sophisticated, unpredictable and serious. Data Privacy Day, observed every year on January 28, serves as a reminder to us to assess how our data is being used. It provides the perfect opportunity for companies to take stock of their security practices and understand the whole data ecosystem.
So, what is data privacy and why is it important?
With data becoming more voluminous and its users more dispersed, awareness about how information is being used, collected or shared is also scattered, with no proper security checks in place. Data Privacy Day signifies a global effort to reinforce the need to channelize critical data management practices and create a culture of zero tolerance for careless cyber hygiene and practices. Today, however, data privacy has become more than just an effort; it’s a crying need.
According to Brian Pinnock, Cybersecurity Specialist at Mimecast: “As more of our lives are digitised and the volume of personal and corporate data continues to grow, citizens and businesses face an uphill battle to protect their data and prevent threat actors from using it in the service of cybercrime and fraud. Personal data has become like gold to cybercriminals, who weaponize your own information against you to make their cyber scams more believable.”
“It is imperative that Data Protection solutions adopted by companies are reviewed regularly to ensure they have a well-tested and proven data recovery plan in place,” says Charles Smith, Consulting Solution Engineer – Data Protection, EMEA at Barracuda.
In other words, it’s vital to understand rather than just pay lip service to the regulatory language of the day or stand by and watch our privacy erode as we downplay its importance and become more and more desensitized by the minutiae of the latest breach.
Put simply, data privacy should be taken more seriously than it is right now, particularly in today’s day and age, when the cyber threat and security landscape is highly volatile and complicated. But then, as Joseph Carson, Chief Security Scientist & Advisory CISO, ThycoticCentrify, puts it: “The notion of real ‘privacy’ is perhaps something that no longer truly exists. Internet connected device usage has exploded in recent years, bringing huge changes to our society, but this has come with risks as we’re all tracked and monitored 24/7.”
This, however, means we need to act, and fast.
“It means we need to consider not just data privacy, but the safeguards that govern how data is collected and processed. Thanks to stricter regulations, the public now has greater say on how their data is used, but regulatory bodies need to continue to pressurise companies and governments to maintain good cyber security practice, incorporating the principle of least privilege to protect collected data and provide users with transparent access to such data,” he adds.
THE DATA LANDSCAPE
Unfortunately, data privacy remained shrouded in mystery and misunderstandings for a very long time. This was particularly so because many companies viewed data privacy purely as an IT issue, and only had it incorporated into their larger disaster recovery plans.
“Understanding the applicability and impact of data privacy laws and regulations is a crucial practice that organizations tend to put on the back burner,” opines . “This could potentially put operations at risk and result in liability to legal action, especially as data becomes a defining element around which many organizations build their business models.”
Rick Vanover, Sr. Director of Product Strategy at Veeam, comes straight to the point when he says that should no longer be the case. “Privacy matters. Data Privacy continues to be more important than ever. From an awareness standpoint, Data Privacy doesn’t get the attention it needs. I see IT organizations constantly manage large amounts of data that really doesn’t matter any longer. ROT – Redundant, Obsolete or Trivial – Data should be moved out of its storage lifecycle. My practical advice on Data Privacy Day is to assess what data is where and identify what needs to be removed. If it doesn’t need to be removed, then determine if selected data should be moved to a correct tier or policy. From a privacy perspective, where it exists is an important first step of the process.”
Today, companies are waking up to the reality that they cannot afford to skirt the issue any longer. They’ve come to the understanding that data privacy must no longer remain an afterthought, but be part of a comprehensive data management and awareness strategy.
“If the last few years have taught us something, it is the fact that digital security has an impact on both consumers and businesses,” says Saket Modi, Co-founder & CEO of Safe Security. “Whether it is the leaked credentials of customers on the Twitch hack or the leak of Pandora papers, data protection and cybersecurity are on top of everyone’s agenda. There was a greater surge of cyberattacks than ever before throughout 2021, and according to data from Check Point Research, corporate networks saw 50 percent more attacks per week when compared to the previous year, and yet businesses continue to depend on traditional methods of cyber risk management.”
Brian Pinnock concurs.
“The rapid digital transformation that most businesses have had to undergo in order to adapt to pandemic-related challenges and a new hybrid working world, has created additional opportunities for threat actors, who have stepped up their efforts to breach organisational defences and steal sensitive personal and professional data,” he observes.
Changing customer attitudes have also added to the increased focus on data privacy, says Saeed Ahmad, Managing Director, Middle East and North Africa, Callsign.
“Over the past few years, consumer attitudes and expectations around data privacy and security have shifted, influenced by the increased publicity about data breaches, Apple’s move to enable opting out of app tracking, Google’s move to block third party cookies and our increased life online.”
Therefore, he says, “businesses must understand what personal data they hold and its value – at the end of the day, it’s a person’s digital identity. Consumers also need to understand that their data is uniquely valuable to them as an identity and it’s not just about data collection for marketing purposes.”
Gregg Ostrowski, Executive CTO at Cisco AppDynamics, holds the view that in this post-pandemic era, a strong security posture means organisations have the necessary processes in place to protect their applications and their business from vulnerabilities and threats. “In a world where sensitive data is constantly at risk of being compromised by malicious actors, they must be prepared and strengthen their security posture, enabling them to predict, prevent and respond to threats,” he adds.
However, despite all the increased attention, it was popularly ‘misunderstood’ that data privacy centered around sensitive data within files and databases. “However, the written word is not the only concern,” points out Morey Haber, Chief Security Officer at BeyondTrust. “Audio, video, and biometrics are also governed by data privacy regulations and should have appropriate controls to identify content and protect them accordingly. As an example, this includes cameras in homes and offices and audio recordings from a call center that may be used for training purposes.”
THE APPROACH
As vast an area as data privacy is, it needs to be seen in perspective. Perhaps, the best way to think about the privacy issues is to imagine the world using Tinkertoy as an analogy, says Sam Curry, Chief Security Officer, Cybereason. “Tinkertoy sets are used to build structures made up of hubs and connecting rods. This is analogous to us all with the hubs or “nodes” being people, objects, computers and data and the rods or “edges” being the relationship among us like “child of,” “owned by” or “used by.” This massive structure could be taken to a ridiculous extreme and could, theoretically, represent the entire world in a shifting, powerful construct. We have a branch of mathematics ideal to this sort of mapping called Graph Theory; and this is exactly what data aggregators like Google, LinkedIn and Facebook do — they mine the metadata about the structure and sell it for money.”
Understanding data privacy also means taking the time to learn what privacy controls are available in all the apps and online services that companies and their employees use. “Unfortunately, every app and every social network seems to do things differently, with privacy and security options often scattered liberally across numerous ‘settings’ pages,” points out Paul Ducklin, Principal Security Researcher at Sophos. “But don’t be afraid to dig through all the options, and don’t just rely on the default settings. Start by turning off as many data sharing options as you can, and only turn them back on if you decide you really want and need them. If a service demands you to share more than you are willing to hand over – your address, phone number or birthday, for example – or asks for data that you just don’t think is relevant for what you are getting in return, ask yourself, ‘Do I really need to sign up for this, or should I find somewhere else that isn’t so nosy?’”
2022: A TURNING POINT?
It’s clear by now that, much as in 2021, data privacy will continue to hold considerable sway this year among businesses that seek to grow and accelerate their digital transformation journey.
In the words of Gal Ekstein, General Manager EMEA & LATAM, AppsFlyer: “In 2022, we’ll see marketers continue to adapt to the move away from user-level data towards aggregated data. Privacy-preserving data collaboration within the ecosystem based on Data Clean Room technologies will offer a neutral, safe space for 1st-party user data to be leveraged collaboratively. In addition, predictive measurement will also play a greater role, both of which will be crucial in gaining meaningful marketing insights in a privacy-complicit way. Ultimately, marketers that are able to balance privacy considerations with a positive user experience will win out in 2022.”
For data privacy to be effectively implemented, visibility must become a top priority for organizations, says Nicolai Solling.
“As most organizations shift their data to the cloud, some can’t keep track of where their data is stored, or who can access it and in what capacity. This issue is especially pertinent as more companies collect huge databases containing personal information about their customers. Companies must work with their IT teams to build visibility into their data and who has access to it, as this is a critical step that will enable them to make better security decisions that will enhance data privacy, and subsequently improve regulatory compliance. This should then be followed by the implementation of a Zero Trust data security model and privileged access management,” he affirms.
Rajesh Ganesan, Vice President, Middle East & Africa at ManageEngine, is of the opinion that educating employees must take centre stage.
“Data protection is only successful when all components within the infrastructure—including all employees—are prepared to handle it. To do this efficiently, data protection must be built right from the design stages of all services and operations. Moreover, data protection should be present as a strong, invisible layer; it shouldn’t hamper operations, nor should it require big changes or specialized training. It is best to educate people on the do’s and don’ts of data protection in a way that is contextually integrated into their work, as opposed to relying solely on periodic trainings. To do this, leaders should implement alerts in the system that pop up and inform users about any violations to data protection policies the users’ actions are causing. Such alerts help employees learn contextually, and ultimately, this training results in fewer data management errors.”
Aaron Louks, Security Operations Engineer at ThreatQuotient, says that a security tool is only as good as the intelligence sources backing it. “Staying up-to-date with the current threat landscape through multiple intelligence feeds is paramount for identifying intrusion events and providing data protection for your organization. I’d like to emphasize that it’s advisable to diversify your intelligence data because no single feed is going to have a complete picture of the threat landscape. It’s important to have a layered approach so the probability of identifying and blocking malicious activity is improved,” he adds.
Sandra El Hattab, Cybersecurity Consultant at Axon Technologies, agrees. She sums it up best when she says: “By understanding its business context, an organization should identify the data types it handles, assess the regulatory environment it operates in, establish a data privacy policy that matches business practices and complies with laws and regulations, create a suitable data classification scheme, and implement data handling controls and procedures. The approach should also take into consideration how data flows to third parties and other external touchpoints.”
“A great aspect of data privacy revolves around people. Investing in awareness programs that educate employees is crucial. Ultimately, security is as strong as its weakest link,” she points out.