Data privacy has changed drastically in the past year. Massive regulatory fines were issued, and privacy culture evolved rapidly during the COVID-19 pandemic. In this expert insights series, we asked cybersecurity and data privacy experts for their take on the state of data privacy and what to expect in the year ahead.
Brad Brooks, CEO, OneLogin:
“2020 was a challenging year for data privacy due to COVID-19 and the huge shift to work from home. A recent OneLogin survey of 2,000 U.S. and UK workers showed 48% of U.S. respondents reporting breaches since working remotely. These findings indicate that a large portion of companies, particularly in the U.S., were woefully underprepared for the onset of remote working. It is crucial that all organizations - particularly those breached - undertake a thorough security audit in order to understand the reasons why these breaches occurred.
A key step to keep your business safe from breaches is to ensure that your employees are following security best practices. For Data Privacy Day, here are some practical tips (not necessarily followed by the survey respondents!) to keep employees secure at home:
Don’t share your work computer with friends, housemates or family members: 26% of respondents admitted doing this
Don’t download personal applications onto a company device: 23% of respondents admitted doing this
Don’t work on a public Wi-Fi network that is not protected: 22% of respondents admitted doing this
Don’t share your corporate password with others: 12% of respondents admitted doing this
Don’t leave your corporate devices unattended in a public space: 10% of respondents admitted doing this
Do encourage your company to engage with multi-factor authentication (MFA), which gives you multiple layers of protection: Only 36% of respondents suggested that MFA had been implemented.”
Tim Bandos, CISO, Digital Guardian:
“Data is the lifeblood of most modern companies and the long-term negative impact on those who suffer breaches demonstrates just how serious the issue of data loss has become today. And for those of us who are now working from home, the threat level posed by the blurred lines of using personal devices to respond to work emails, or using our work laptops to buy something online, has increased exponentially. With such a high volume of data flowing in and out of businesses every day, effective data protection strategies must embrace the following: visibility into all data, all the time; analytics to understand and manage risk; controls to enforce data protection policies; and a consolidated view into all threats targeting sensitive data. Taking a comprehensive approach while implementing cybersecurity controls is imperative for protection, especially when it comes to sensitive and valuable customer or financial information. Fundamentally, what we’re talking about here is no-compromise data protection for your no-compromise organization.”
Rick Tracy, CSO at Telos Corporation:
“Due to the pandemic, increased ransomware attacks and the SolarWinds breach, 2020 was a cold hard slap in the face for many organizations and reinforced the importance of certain basic security practices.
Here are three important security lessons that 2020 taught us:
The pandemic literally changed business operations overnight. Work from home became a reality for many. Businesses that had continuity of operations and pandemic plans in place were in good shape. Things like secure remote access technologies (VPNs), telework policies and mobile devices (e.g., laptops) became urgent overnight. If not prepared, organizations probably stumbled out of the gate and the rush to enable work from home probably resulted in security compromises. It will be important to learn from this pandemic to ensure operational resiliency in the future.
Don’t forget basic blocking and tackling:
Ransomware attacks reinforced the need for critical practices like teaching employees to recognize and avoid phishing attempts, deploying critical security patches quickly, using encryption for sensitive data, employing MFA as much as possible and backing up your data. Ransomware is not going away. Implementing cyber risk and compliance management frameworks across the organization will be very helpful for ensuring and evidencing that required security practices are in place.
Trust but verify:
The SolarWinds breach brought supply chain security to the forefront in 2020. Standards bodies like the National Institute of Standards and Technology have been promoting supply chain risk management for more than five years. Standardizing security practices across interconnected ecosystems (e.g., supply chains) is very important. As SolarWinds demonstrated, one weak link in the chain can corrupt an entire ecosystem. SolarWinds emphasized the need for some form of supply chain risk management practice to ensure all partner and vendor systems and data are trustworthy before you authorize connection.
These are important lessons that we should carry forward into 2021 and beyond.”
Richard Montbeyre, Chief Privacy Officer (DPO), BMC Software:
“In the past year, COVID-19 has had a major impact on privacy and security. With vast majorities of the workforce now logging on to enterprise systems remotely, businesses must maintain confidentiality and ensure that the company is protected from unauthorised access. Replicating a secure environment for remote working devices has therefore become crucial to protecting an autonomous digital enterprise’s assets – such as creating containers within devices that meet company security standards, allowing employees to safely access enterprise systems with personal devices. Technical means, including VPNs and multi-factor authentication, can also help to protect devices at home, while services and tools such as reporting tools, help lines, and escalation mechanisms can support employees when it comes to data security. With these adaptive cybersecurity measures in place, any vulnerabilities, breaches or hacks can be detected almost as quickly as if everyone was working in the office.
Ultimately, having strong, adaptive security practices in place can ensure the company’s data privacy is optimised and all sensitive enterprise data is securely stored.
Unfortunately, employees often feel less bound by company security and data protection policies when not in the office – however, it’s vital that they stay vigilant. Having the right awareness training in place can help improve data security and help employees recognise attacks that target individuals, such as phishing attempts. With a combination of technical measures and situational training, employers can keep awareness levels high and transform the capabilities of remote employees to ensure they still comply with data privacy regulations while working from home.”
Jason Frugé, Vice President of Business Application Cybersecurity, Onapsis:
“While Data Privacy Day symbolizes the importance of protecting customers’ and employees’ sensitive, personal information, it’s a 365-day job for every CISO. To help focus on this priority, security teams should create a progression list, ranking their businesses’ most important data and the applications where the information resides. It could be financials, employee information, customer data, trade secrets and more. The next step is to ensure there’s a thoughtful and strategic security strategy put in place to keep this data safe. Relying on legacy security solutions is no longer enough, especially as data and applications are increasingly moving to the cloud and SaaS-based environments. Ensuring an application-specific plan is in place will be critical to success moving forward.”
Kowsik Guruswamy, Chief Technology Officer, Menlo Security:
“A new year is upon us, but the same threats – phishing, ransomware, business email compromise, and more – persist, which means security teams must be more vigilant than ever before. In just a single month, Menlo customers attempted to access more than 56,000 phishing sites, signifying that using email and other communications channels to trick people into unwittingly handing over the keys to their devices continues to be successful and will only grow in volume and sophistication. And with remote work still the norm for many, collaboration channels will see a surge in phishing attacks, and new tactics such as Zishing (Zoom phishing), HTML smuggling, and the use of CAPTCHAs to deter crawlers and sandboxes will make these attacks hard to detect and even harder to stop in the coming months. Attackers will continue to capitalize on a largely mobile workforce, leveraging email to establish trust and credibility before compromising sensitive information, initiating fraudulent wire transfers and more. Known as business email compromise (BEC), this type of attack accounts for $2.1 billion in losses in a typical year, a figure which will likely skyrocket in 2021. The good news is Command and Control (CnC) attacks will likely become less prevalent as data continues to move to the cloud and Software as a Service (SaaS) platforms. That said, security pros should not rest easy as new vulnerabilities and lack of visibility in HTTPS traffic ensure this will remain a troubling attack vector for years to come. While 2020 was dedicated to reacting and responding to a new normal, 2021 will be the year organizations across industries find efficiencies and learn to thrive in a new era of work. With this in mind, security training and education will be key to ensure users are wise to new phishing tactics and threats. Organizations should look to implement security tools that prioritize user experience to ensure productivity remains high and embrace innovation whenever possible.”
Jasen Meece, CEO of Cloudentity:
“Data Privacy Day is an ideal time to build awareness and start an open dialogue about how individuals’ data is being leveraged by companies. It’s important to put the power of data back into consumers’ hands so they can decide how their data is being used and shared. After the California Privacy Rights Act (CPRA) passed in November 2020, many other states and countries may follow suit in implementing data and privacy laws to give consumers control of their personal data. However, adhering to privacy standards can be challenging for companies, especially as applications become more complex with the addition of distributed services, APIs, and serverless resources all collecting and passing user data across environments.
When it comes to managing consumer identity, API Protection is a key leg of the identity stool, dictating how the app handles user data, identity governance and who has access to private data. Companies need to ensure that they request customer consent to access or use their private information required to deliver their services. Every user consent action and the contextual information needed to establish some form of identity needs to be captured to prove compliance with legislation and to respect the data privacy of their customers.
Cloudentity’s Privacy Ledger, part of our Authorization Control Plane, captures all the necessary information to allow for progressive consent and enables consumers to understand exactly why they consented, what they consented to, when they consented to it, and what is collected, thereby empowering the consumer to take control of their data privacy. This approach builds trust and loyalty with the brand while ensuring companies remain compliant with the latest data privacy legislation.”
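The pattern described in the last two quotes, recording every consent grant or withdrawal with its context and releasing personal data through an API only for a purpose the user actually consented to, can be shown in a few lines. The following is an added example written for this page; it is not Cloudentity's Privacy Ledger or Authorization Control Plane, and the user ID, data categories, purposes and sample record are all constructed for the illustration.

```python
"""Consent-gated access to personal data backed by an append-only consent ledger.

Added illustration, not vendor code. Every consent action is recorded with who,
what, why and when; an API read of a data category succeeds only if the most
recent recorded event for that (user, category, purpose) is an unrevoked grant.
All identifiers and sample data below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One consent grant or withdrawal, plus the context needed to explain it later."""
    user_id: str
    category: str            # which personal data, e.g. "email" or "location"
    purpose: str             # why it is used, e.g. "service_delivery" or "marketing"
    granted: bool            # True = consent given, False = consent withdrawn
    at: datetime             # when the user acted (UTC)
    context: dict = field(default_factory=dict)   # e.g. client app, policy version shown


class ConsentDenied(PermissionError):
    """Raised when no active consent covers the requested data and purpose."""


class ConsentLedger:
    """Append-only ledger of consent events.

    Events are never edited or deleted; a withdrawal is a new event. The ledger
    therefore answers "may we use this now?" and also proves what the user was
    asked and agreed to at the time. Append order, not the client-supplied
    timestamp, decides which event is current.
    """

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        self._events.append(event)

    def current(self, user_id: str, category: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recently recorded event for this (user, category, purpose), or None."""
        for event in reversed(self._events):
            if (event.user_id, event.category, event.purpose) == (user_id, category, purpose):
                return event
        return None

    def is_permitted(self, user_id: str, category: str, purpose: str) -> bool:
        """Deny by default: no record, or a withdrawal as the last record, means no."""
        event = self.current(user_id, category, purpose)
        return event is not None and event.granted

    def history(self, user_id: str) -> list[ConsentEvent]:
        """Full audit trail for one user, in the order it was recorded."""
        return [e for e in self._events if e.user_id == user_id]


def read_personal_data(ledger: ConsentLedger, store: dict, user_id: str,
                       category: str, purpose: str) -> str:
    """API-layer gate: release the field only for a purpose the user consented to."""
    if not ledger.is_permitted(user_id, category, purpose):
        raise ConsentDenied(f"{user_id}: no active consent for {category!r} / {purpose!r}")
    return store[user_id][category]


def demo() -> dict:
    """Walk through grant, purpose mismatch and withdrawal on constructed sample data."""
    store = {"u-1001": {"email": "alice@example.invalid"}}   # constructed sample record
    ledger = ConsentLedger()
    t0 = datetime(2021, 1, 28, 9, 0, tzinfo=timezone.utc)

    ledger.record(ConsentEvent("u-1001", "email", "service_delivery", True, t0,
                               {"client": "web", "policy_version": "2021-01"}))
    results = {}
    results["service_ok"] = read_personal_data(ledger, store, "u-1001", "email", "service_delivery")

    # Consent for one purpose does not cover another (purpose limitation).
    try:
        read_personal_data(ledger, store, "u-1001", "email", "marketing")
        results["marketing_denied"] = False
    except ConsentDenied:
        results["marketing_denied"] = True

    # Withdrawal is appended, not edited in: access stops, but the history is kept.
    ledger.record(ConsentEvent("u-1001", "email", "service_delivery", False,
                               t0.replace(hour=17), {"client": "mobile"}))
    results["after_withdrawal"] = ledger.is_permitted("u-1001", "email", "service_delivery")
    results["events_kept"] = len(ledger.history("u-1001"))
    return results


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. Access is denied by default, so a category the user was never asked about cannot be read for any purpose, and consent given for one purpose does not leak into another. Withdrawals are appended rather than overwriting the grant, so the ledger still shows what the user agreed to, under which policy version and from which client, which is exactly the evidence needed to answer the "why, what, when" questions the quote raises.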