Data Privacy: Experts Share How Far We’ve Come and How Far We Have to Go - Part 1

This is part 1 in a series for Data Privacy Day 2022. Don't forget to apply for our Cyber Top 20 List - recognizing the top companies in cyber!

Data Privacy Day occurs each year on January 28 and was created to raise awareness and promote privacy and data protection best practices. Data Privacy Day's educational initiative originally focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking.

We heard from privacy and security experts from across the world about how far we've come in the past year in terms of data privacy understanding and implementation -- and how far we still have to go...

[part 1]

Erkang Zheng, Founder and CEO at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions:

The industry is grappling with a fragmentary approach to privacy, which has significant security implications. From a security standpoint, it’s a massive challenge because there is no single global privacy standard to build upon, which leaves room for errors.

Security is often a game of details, so as the privacy landscape becomes increasingly complex, it introduces more things that can go wrong. In addition, a patchwork approach makes operations difficult as security professionals must understand and implement the disparate privacy and compliance regulations from around the world and jerry-rig them together for business continuity.

Ideally, an international consortium would address these diverse privacy rules worldwide. New privacy rules create complexity, and not just from a compliance standpoint. They also create operational complexities for security teams.

We need to see greater simplification on the process side, driven by the unification of regulations. So many things sound great on paper, but how practical is it to implement security across so many different regulatory frameworks? At the very least, national rules will need to come together for organizations to implement a cohesive privacy framework for each country. By not reaching some consensus about privacy, we introduce greater risks for everyone to stand up with adequate security protections.

Corey O’Connor, Director of Products at DoControl, a New York City-based provider of automated SaaS security:

Data privacy has been top of mind for both individuals and organizations alike. There are now global, national and local regulations that require companies of all sizes and types to have the appropriate cyber security measures in place to prevent PII from making its way into the public domain. From a business’ perspective, the negative implications for non-compliance with some of these regulations such as General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) are significant. At the individual or consumer level, people are more frustrated than ever with losing control over how their own PII is handled, manipulated and processed by businesses.

Software as a service (SaaS) applications are a critical data source for business today. These productivity and collaboration tools are what drives the business forward. PII files and data are enveloped into many of the SaaS applications being utilized by the business. Whether it's data within SFDC or files exchanged over Slack, many of the tools and technologies being leveraged by organizations today are not granular enough to prevent data leakage or data exfiltration. There's a need to go deeper down the stack and introduce granular data access controls across the SaaS application data layer.

Industry regulations evolve. Cyber attackers' techniques improve and evolve as well. Organizations need to have the right people, process and technology in place to stay one step ahead and establish a strong data privacy program that effectively mitigates the risk of non-compliance, as well as a data breach.

Craig Lurey, CTO and Co-Founder at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software:

People's personal data has become a hot commodity. As a result, we have seen a record number of cyberattacks and data breaches in recent years as cybercriminals will stop at nothing to get their hands on people's data. Personal data is used for advanced social engineering attacks, password stuffing attacks and ransomware attacks against companies and individuals.

Despite this, people and companies do not pay enough attention to the tools and software that have access to their personal and corporate data. Rigorous vetting of software that is installed by end users on mobile and desktop devices is not taking place in many cases, which may inadvertently be placing user and corporate data at risk.

As we mark Data Protection Day, it is therefore critical to highlight the importance of using powerful and sophisticated tools that properly secure people's data. Users should pay particular attention that the software has strict privacy policies and utilizes a zero-knowledge architecture, which ensures that the company developing the software has no ability to access or decrypt the user's data stored within. This is key if consumers and business users want to make sure their personal and sensitive data is - and continues to be - well protected.

Archie Agarwal, Founder and CEO at ThreatModeler, a Jersey City, New Jersey-based automated threat modeling provider:

A major part of data privacy is safeguarding the data. And when it comes to safeguarding data, we feel organizations should operate from a very simple paradigm: identify all the threats and then mitigate them.

Safeguarding data means different things to different organizations. But for those involved in developing software systems, we feel strongly that the best way to identify all the threats and mitigate them is by incorporating threat modeling right into their development lifecycle. It’s the most effective way to identify threats prior to deployment, which is obviously preferable.

Heather Paunet, Senior Vice President at Untangle, a San Jose, Calif.-based provider of comprehensive network security for SMBs: