Data Privacy Day 2021: Aftermath - Part 3
Data privacy has drastically changed in the past year. Massive regulation fines were served and privacy culture rapidly evolved during the COVID-19 pandemic. We asked cybersecurity and data privacy experts for their take on the state of data privacy and what we should expect in the year ahead in this expert insights series.
Ramsés Gallego, International Chief Technology Officer, Cybersecurity, Micro Focus:
“Faced with a constantly evolving threat landscape, made even more complex by a rising number of cyber-attacks amid the global pandemic, organisations are under more pressure than ever before to keep their data safe and comply with regulations such as the GDPR.
The mass move to remote working last year led to a number of significant challenges for businesses, from procuring the right hardware for employees to enabling remote access via the cloud. While this acceleration to a digital-first approach should be looked at positively, the resulting distributed infrastructure has created new attack vectors for cybercriminals – and, in turn, a greater potential for damaging data breaches.
Within this new reality, becoming cyber resilient is a business necessity. Organizations should make extensive plans to effectively prepare for, respond to and recover from cyber threats. This involves implementing advanced analytics tools and frameworks to help teams identify emerging threat vectors and attack patterns. It also means critically evaluating established security concepts. Traditional perimeter-based approaches are no longer holding up, so factoring in application security and identity governance processes and tools is crucial for safeguarding sensitive information regardless of where it‘s stored.
By remaining vigilant and using next generation security technology, organizations can ensure they are in the best position to protect their entire IT ecosystem against data breaches. Ultimately, building a roadmap to cyber resiliency is vital for long term success.”
Dr. Mohamed Lazzouni, Chief Technology Officer, Aware Inc:
“This past year, we've witnessed an explosive growth in the amount of data sharing and collection as the world accelerated their digital transformation process to accommodate global shifts to remote environments. This revealed that collectively, we still need to work harder to ensure there is a wider set of regulations and security measures to effectively secure and protect the privacy of citizens, businesses, and consumers alike. While we have seen encouraging strides in the development of robust programs and regulations to protect privacy, International Data Protection Day gives our community the opportunity to reflect on how data privacy has been managed over the course of the year. It’s a chance to openly reevaluate what’s needed in the year ahead to further tighten regulations and security efforts and provide assurances to the public that their concerns are being addressed.
This year, businesses need to be more committed than ever to approach security as an integral operational solution allowing users to interact safely and securely. There needs to be a comprehensive security toolbox that combines best-of-breed solutions with ease of use and flexibility, so that businesses remain compliant and secure while giving consumers the trust they’re looking for—without forcing them to adopt overly complex security practices. To this end, biometric security is a powerful tool to secure access to data and transactions through continuous authentication of digital interactions.
It’s likely this conversation will continue to evolve as organizations look to prioritize data privacy solutions. It’s important to remember that today’s technology advances make it easy, secure, and economical to capture, process and manage biometric data without compromising the needs of users and citizens alike. By combining the use of a unique and intuitive process of digitizing something that is part of the user—their face, fingerprint, voice or iris—securely, we will find a world of benefits not only for protecting data, transactions, and valuable assets, but also for solving crimes, protecting communities and enabling commerce.”
Nir Chako, Security Research Team Leader, CyberArk:
“With all the new ways we are working, collaborating, and consuming goods and services today data privacy and security are more intertwined than ever. The proliferation of remote work in particular has created new opportunities for attackers to compromise personal data and the data we interact with as part of doing our jobs. While data privacy obviously needs to be collective effort between all involved, there are steps individuals can take to safeguard themselves this Data Privacy Day.
Updating your home router, checking that your laptop security is active and up-to-date, are simple steps to help improve data privacy. However an often overlooked threat is the malicious use of User Access Control (UAC). UAC manifests itself as pop-up tool window that asks the user if they do indeed want to change something on their computer. Anytime this permission is granted, what you are doing is allowing the piece of software to have more access to more of your computer – giving more power over it. This is valuable to an attacker and they will often spoof the pop-up in a bid to either install malware or steal credentials. While those pop-ups often seem innocuous, it’s important to only interact with - and grant privileges to - UAC pop-ups when updates are expected.”
James Carder, CSO of LogRhythm:
“In the wake of COVID-19 remote work cybersecurity concerns and the high-profile SolarWinds hack, we’ve seen security elevate in importance and the protection of sensitive data has become more of a shared responsibility across the company. Organizations are realizing that IT and security teams aren’t the only ones with something to lose in the event of a breach; the whole business is at stake. The board doesn’t want to risk a security breach or be found negligent based on a lack of investment in security.
With more and more companies experiencing breaches and people’s personal information being shared with so many businesses, Data Privacy Day serves as an important reminder for organization leaders to acknowledge their shared responsibility for cybersecurity and effective data protection across the entire business. For companies that aren’t currently operating in this way, it is a time for them to take a step back and make a plan to prioritize it in 2021.
Tim Mackey, Principal Security Strategist, Synopsys CyRC:
“End to end encryption conversations are growing and users are correct to be concerned about their privacy. But, users cannot simply assume that their data is fully encrypted by following the best practices used in websites of the past. With browser-level encryption using HTTPS, SSL, or TLS, the threat being mitigated is only in the network connection. Or, more precisely, the browser level encryption limits the ability of someone else on the network to access communication traffic between the user and the website. Such access is made harder with modern encryption techniques, and over the years these techniques have increased in sophistication. Most end users likely didn’t notice the improvements because the complexity was hidden away by browser vendors. While firewall vendors are also adding increased sophistication to their systems, the reality is that attackers really care about data and, as such, they attack applications and employees, not firewalls. This reality means that the weakest point in the data lifecycle isn’t the network, but the application and any employees with access to the data. Solving for this requires that data be encrypted at all points where the data owner isn’t accessing it. End to end encryption is a security technique which ensures that user data is always encrypted, even when stored by a service provider.”
Ashish Gupta, CEO and president, Bugcrowd:
“The pandemic has made transformation nothing less than an existential imperative, and most developers and engineers are in a rush to get their products to market as quickly as possible to gain a competitive advantage. Yet, most fail to realize that speed is the natural enemy of security, and this process can put consumer data in peril. As such, engineers and developers must have a system of checks and balances in place as they seek to digitally transform to ensure that any vulnerabilities are proactively identified and secured before attackers can exploit them.
Data Privacy Day serves as a crucial reminder for businesses to ensure they are implementing data protection best practices to protect their customers’ privacy. It is a great time for companies to consider merging the software development lifecycle (SDLC) with the security lifecycle to ensure consumer data privacy is secured at every level of innovation. This is where a crowdsourced approach to cybersecurity can help. Not only will the collective intelligence of technology and human ingenuity allow engineers and developers to continue to innovate at their own pace, but it will also allow outside researchers to uncover and report any vulnerabilities in a product’s code. The theme for Data Privacy Day 2021 is “Own Your Privacy,” and having insight into critical issues before they become breaches gives companies the security awareness needed to maintain data privacy.
Crowdsourced cybersecurity is a security approach that uses ethical hackers - or simply, security researchers - to uncover vulnerabilities in business applications, devices, and networks. Crowdsourced cybersecurity can also help fill gaps within an organization’s internal security team, as many companies still struggle with the lack of available security talent. This approach eliminates the imbalance between the creativity and motivations of attackers with those of enterprise security teams. For example, Bugcrowd matches customers with a global network of highly-skilled and fully vetted researchers that specialize in all industries, technology stacks, and targets. These researchers can be leveraged, on-demand, to probe targets, including mobile applications, internet-connected cars, corporate networks, and more to detect potential vulnerabilities. By enlisting a crowd of ethical hackers, organizations can augment their existing team and security tools to uncover previously unknown vulnerabilities or blind spots. This approach offers customers measurable confidence that investing in a crowdsourced vulnerability disclosure program (VDP), bug bounty, or pen testing program will yield a positive return - helping to protect companies from constantly evolving cybersecurity threats.”
Frederick Mennes, Director of Security Products, OneSpan:
“Data Privacy Day provides everyone, from businesses to individuals, with an excellent opportunity to assess whether they are doing enough to protect themselves or their customers in our increasingly digital world.
Globally, businesses are harnessing the potential of digital channels, such as mobile, to stay connected with their customers more than ever before. The pandemic accelerated the shift to these channels, which have become a necessity for many in lockdown or socially distancing. The increased use of digital channels has provided a variety of benefits to businesses and consumers alike; however, it’s crucial that they are aware of the inherent risks.
First, individuals must be aware of how to protect their privacy and their online safety. The volume of phishing attacks, ransomware and malware have risen in tandem with the shift towards digital, along with data being sold to third parties. To minimize the potential impact of a hack, there are a few simple steps consumers can take, like enabling multi-factor authentication for their online services and ensuring that their passwords are strong. In addition, people must always ensure that they read the small print and are comfortable with how a company will use their data.
Secondly, one of the greatest challenges facing businesses is adapting to digital transformation while maintaining high levels of protection from data breaches. The growing number of companies that collect personal customer information continues to be targeted by cyber criminals seeking to steal that data. These businesses will have to place investing in security and adopting the right protocols at the top of their priorities to ensure that their customers are protected. Equally, organizations that collect personal data must ensure that they are transparent and upfront about how they intend to use customer data so that anyone signing up can make an informed decision about whether they want to share their personal information.”
Sai Venkataraman, CEO, SecurityAdvisor:
“It’s easy to envision an evil company aggregating, analyzing, and selling this personal data but the reality is that most people compromise themselves through their own actions. An average person signs up for tens, or even hundreds, of apps and grants permissions for each of these apps to read their personal data. These users also consent to user agreements that compromise their privacy. Compromising on privacy can also result in compromised cyber security as personal data can be used to access sensitive users’ business data.
Further, remote work blurs the lines between our personal and private lives so employees can compromise not just their own privacy, but also that of their organization and their co-workers. Organizations previously relied on annual security awareness training seminars to educate employees on data privacy processes and teach them how to identify and remediate cyberattacks, but that’s no longer an option. Enterprises need to match cybercriminals' ingenuity with customized cybersecurity and privacy training to empower workers to protect themselves and critical business data.”
Howard Taylor, CISO, Radware:
“The growth of the digital economy, accelerated by the pandemic, has forced the world to provide more and more personal information online. With the interruption of face to face communication, customers, businesses, and governments must adjust to effectively manage personal relationships in the digital world. In short, these three bodies must work in harmony to develop a balanced, practical approach, enabling the beneficial flow of personal information, while stemming problematic or illegal activities. I like to think of it as Zen and the art of Data Privacy. Here are few observations of my observations and recommendations on how to achieve this balance:
The Customer – Must understand the privacy rights as defined by its government. This includes procedures to make “data subject rights” requests and how to raise formal complaints. Next, customers must read and understand the privacy policies posted by the companies and services they share their information with. It may be hard, but be prepared to “walk away” if you are uncomfortable with their policies.
The Business – The marketing and sales teams have two major challenges, the drastic reduction in in-person sales and the ever-tightening laws and regulations limiting reaching out to prospective clients. Companies have to recognize the risk and avoid questionable ways to bypass these regulations. They must provide clear and accurate privacy statements suited to their customer base (eliminate the legalese). When they capture personal information, only the minimum should be stored securely. This includes the use of encryption, controlled access, and deletion when it is no longer necessary. Companies must also be careful that if this information is to be shared, it is only be shared with the appropriate partners that maintain similar privacy policies.
The Government – Evaluate the costs and benefits of the current data privacy laws and regulations. Are they providing the intended level of data subject protection or are they ineffective? Governments and regulators must ensure that they facilitate desired, Digital Interaction while maintaining the data privacy of their constituents. With harmony will come creative solutions!”
Cyrus Wadia, General Counsel, Yugabyte:
“When suggesting that people take precautions around protecting their data, the common responses I hear are ‘I don’t care,’ ‘I don’t have much that’s secret,’ and ‘I don’t have a choice.’ These are all learned responses from years of giving away our data as a price for obtaining access to goods and services.
There is a different way to look at this issue: think of your data as your valuable personal property. How do you feel about your valuable personal property - what meaning does it have to you? What steps do you take to protect valuable personal property - store it in a safe, bank, etc.? What do you do when you loan out valuable personal property to others?
There is an increasing recognition that privacy should be treated as a fundamental human right that underlies other key values like freedom of association and freedom of speech. Privacy of data is an extension of that right, and international privacy regulations such as the EU’s General Data Protection Regulation and others are heavily regulating data privacy as a result.
I always tell people to start with the basics:
Do a data inventory - think of what information you’ve given to which companies - banks, healthcare, online services, etc..
Do an equipment check - is your computer up to date with all the latest security patches? Is your network secure at home? Are you locking your devices?
Practice data minimization - think about limiting what information you provide to companies so your attack vector/online data footprint is smaller. Just don’t share as much.
Use strong and different passwords for each online service, and use password managers to keep track of them all.
Use two factor authentication wherever possible.
Be vigilant about your phone and app privacy settings, don’t just say yes to every request to access/share your data (e.g., location services). Think about whether every grant of access to a third party service provider is necessary.
Establish identity monitoring.”
Dr. Rolf Lindemann, Vice President of Product, Nok Nok Labs:
"The California Consumer Privacy Act (CCPA) has been in effect since the beginning of 2020, but organizations nationwide are still struggling to understand the provisions focused on data collection, as well as the necessary security requirements. Since the CCPA takes a broader view of what constitutes private data, the challenge for security is then to locate and secure that private data.
As consumers increasingly prioritize their privacy, and as new laws and regulations are adopted, organizations will be under greater pressure to take privacy even more seriously.
More specifically man companies have room to improve their internal procedures and technologies in three different areas:
to protect customer data from being accessed by attackers breaking corporate authentication credentials
to ensure the systems having access to such data are well maintained with all security fixes applied outdated technology stacks being replaced or removed.
Ensure that when customers exercise their right to access personal information you have collected, you authenticate them strongly.
At least for areas 1 and 3, you will often need to adopt more secure authentication methods to ensure greater compliance and trust. Usernames + passwords, and even OTPs are no longer the best practices for security. State-of-the-art technology like biometrics can seamlessly verify a customer’s identity while reducing the reliance on passwords and keeping private information protected. As other states begin to adopt similar regulations, the need for these advanced authentication methods and subsequent privacy safeguards will rise."
Dr. David Brumley, co-founder and CEO, ForAllSecure:
“The greatest compliance challenge for large organizations is data management. Businesses need to keep track of where information is stored and understand how to remove it. While this sounds simple in theory, the fact is businesses use tons of different apps, from in-house to SaaS, and keeping track of their users’ information across all business logic can be complex. ISVs must lead the transformation to smarter, more secure applications. As we saw with the SolarWinds breach, it’s quite possible for an attacker to insert code undetected. There are a few things companies can do to protect data, and prevent this from happening to them in the future:
Create a “product security” team that is responsible for the security of the code itself. Like any walk of life, there are disciplines within development, and creating a team responsible for the overall security posture is important.
Create a code review process that ensures all code contributions are reviewed by a valid employee before being included in the “production” build.
Make sure each major component has a tech lead who feels responsible for it.”
Reuven Harrison, CTO, Tufin: "Zero Trust is the industry buzzword at the moment, and for good reason. Today, most organizations are employing some level of a remote workforce, and attention is now focused on network security to manage and control access of the hybrid environment. Zero Trust principles, particularly microsegmentation, provide a model to reinforce and improve network security. Microsegmentation has the benefit of making it more difficult to access sensitive data, but just as importantly, make it difficult to exfiltrate data once a breach has occurred. On Data Privacy Day, take some time to review your network segmentation policy and see where you can apply it at the micro level. " ####