Enterprise data privacy challenges for 2017 -- and how to defend against them
If you’re not a data security professional, you may have missed the fact that January 28th was Data Privacy Day (also known as Data Protection Day, in Europe). Since 2007, Data Privacy Day has been designated as a day to raise awareness and promote privacy and data protection best practices.
As VP and CSO for Zuora, I’m all for anything that raises awareness and promotes dialogue about data security -- but obviously I don’t just focus on data privacy once a year. For me and my security colleagues, data privacy is an everyday concern. But the fact is that these days we’re seeing data privacy become an everyday concern for everyone. Whether it’s potentially hacked elections or IoT devices listening in on your family conversations, questions about data privacy -- and the implications of hacked data -- are becoming more pervasive and more concerning.
With this in mind, I wanted to share some thoughts about where I see data privacy heading over the course of this year and what businesses can do to protect themselves and their customers.
- Data protection costs increase
The cost of data protection is going to skyrocket. With changes to regulations, international companies in particular are going to be required to meet more obligations for global customers. This will require more investment. For subscription businesses, we’re already seeing companies put in a lot of initial investment to make sure that the data is protected.
I see this as a good trend: I strongly support an increase in our investment in data privacy and protection. But the thing to keep in mind is that we’re not just solving for legal privacy obligations but adding value to our existing security programs. It’s important to make sure that our investments are going in the right direction: towards protecting the consumer.
- Targeted attacks
Phishing emails have gotten more sophisticated. For example, emails coming from malicious actors show as coming from valid email addresses, and the content in these emails is more sophisticated and thus believable. Bad actors are no longer content to just write a program and spam. As they use more tools and technology, they’ll continue to be better able to customize attacks to increase the probability of the target clicking.
To protect against targeted attacks, we need to work collaboratively within and across organizations. You need to build a culture of security throughout your organization that includes all personnel, not just your security team. This means continuous training that educates all personnel about their individual responsibility towards data protection.
Equally important is peer-to-peer sharing: working closely with industry security leaders so we can share what we’re seeing in our networks and who the bad actors are. Of course, we have to maintain confidentiality of our customers, but we can still share useful information that allows us to crowdsource our collective knowledge to fight against targeted attacks.
- IoT continues to be problematic
Car, microwave, refrigerator hacks, and more. We’ve only just begun to see the security challenges presented by IoT. For example, the devastating Dyn attack of 2016 was the result of attackers compromising IoT devices and using them as part of the attack vector.
Several years back, we saw the same issues with networking devices. Vendors weren’t proactive about security and these devices were at risk. Now most networking devices default, out of the box, to a reasonable level of security.
IoT device makers need to follow suit and ramp up their levels of security by assuming a defensive posture and researching new technology to help detect intrusion and malicious traffic patterns on devices.
Digital and physical security should be taken into consideration -- and tested -- at every phase of the development process to reduce attack points from the very beginning. Authentication, for communication between devices, and authorization, to limit exposure, are key. Only necessary personal data should be collected and all sensitive personal data must be encrypted at rest and in transit. IoT vendors should also practice vulnerability management and use secure means to remotely deploy security software updates.
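The last two sentences above, vulnerability management and secure remote delivery of updates, are where IoT vendors most often fall short. The following is an added example (not code from the original article or from Zuora) of the device-side checks a secure update path needs: the update manifest must be authenticated, the payload must match the hash in the manifest, and the version must not roll back. All names are hypothetical; HMAC-SHA256 with a key provisioned onto the device stands in for the asymmetric signature a real vendor would use, because only the Python standard library is assumed.

```python
import hashlib
import hmac
import json

# Constructed value: a per-device key assumed to have been provisioned at manufacture.
# A real deployment would verify an asymmetric signature against a vendor public key.
DEVICE_UPDATE_KEY = b"constructed-per-device-provisioning-key"


def canonical_bytes(manifest):
    """Serialize the manifest deterministically so vendor and device hash the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(version, payload):
    """Vendor side (hypothetical): describe an update by version and payload hash."""
    return {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}


def sign_manifest(manifest, key=DEVICE_UPDATE_KEY):
    """Vendor side: authentication tag over the canonical manifest."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest, tag, payload, installed_version, key=DEVICE_UPDATE_KEY):
    """Device side: accept the update only if every check passes.

    Returns (accepted, reason). Checks run in the order a device should apply them:
    authenticate the manifest first, then integrity of the payload, then anti-rollback,
    so an unauthenticated manifest is never used to make any decision.
    """
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "manifest authentication failed"
    if hashlib.sha256(payload).hexdigest() != manifest.get("sha256"):
        return False, "payload hash mismatch"
    if manifest.get("version", 0) <= installed_version:
        return False, "rollback to older or same version refused"
    return True, "update accepted"


def demo():
    """Walk a constructed update through the checks; returns the list of outcomes."""
    payload = b"constructed firmware image, version 2"
    manifest = build_manifest(2, payload)
    tag = sign_manifest(manifest)
    tampered_manifest = dict(manifest, version=3)  # edited after signing
    return [
        verify_update(manifest, tag, payload, installed_version=1),
        verify_update(manifest, tag, payload + b"\x00", installed_version=1),
        verify_update(manifest, tag, payload, installed_version=2),
        verify_update(tampered_manifest, tag, payload, installed_version=1),
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", "-", reason)
```

The order of the checks matters: the manifest is authenticated before any of its fields are trusted, and the version comparison rejects both downgrades and re-installs of the current version, which closes the common trick of replaying an older, signed-but-vulnerable image.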
It’s also important for IoT vendors to get additional support for security. This means seeking out third-party testing above and beyond internal testing. It also means building consumer awareness so that consumers can help to be on the frontline for protecting their own data.
- Ransomware as a service
Ransomware is not new. We’ve seen this type of attack where malicious software blocks access to a computer system until a designated sum of money is paid. AV vendors have already started building stronger controls around ransomware.
The challenge will be to keep up with ransomware as it continues to change. We’re seeing more variants that are randomized and behavior-based. And we’re seeing more bad actors who have access to ransomware, and who can easily modify a piece of code and release it.
AV and malware vendors need to be prepared for the fact that ransomware is going to get a lot of traction now that attackers don’t need to start from scratch, but can merely leverage existing ransomware for malicious intent.
Our tools and technology are going to need to learn to detect zero-day attacks based on behavior. The question is: can technology catch the right set of things? We need a baseline against which to compare behavior. Understanding how to catch anomalous behavior in the system is the key.
We need to apply data science and machine learning principles to identify malicious behavior.
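To make the "baseline against which to compare behavior" concrete, here is an added example (not from the original article or from Zuora) of the simplest form of the idea: learn each process's normal rate of file writes from a quiet period, then flag any later window whose write count sits several standard deviations above that baseline, which is the burst pattern that file-encrypting ransomware produces. The events, process names and thresholds are all constructed for the example; a real detector would also weigh signals such as renames to unfamiliar extensions and entropy of written data.

```python
import statistics
from collections import defaultdict

# Constructed sample of endpoint file-activity events: (seconds, process, operation).
# Nothing here is from a real system. "backup.exe" is a hypothetical process name used
# to show a write burst against an otherwise steady baseline.
SAMPLE_EVENTS = (
    [(t, "word.exe", "write") for t in range(0, 600, 30)]      # 2 writes/min, steady
    + [(t, "backup.exe", "write") for t in range(0, 600, 12)]  # 5 writes/min, steady
    + [(t, "backup.exe", "write") for t in range(600, 660)]    # 60 writes in one minute
    + [(t, "word.exe", "write") for t in range(600, 660, 30)]  # still 2 writes/min
)

WINDOW = 60            # seconds per bucket
BASELINE_WINDOWS = 10  # leading buckets that define "normal" for each process
K = 3.0                # standard deviations above the mean that count as anomalous
MIN_STD = 1.0          # floor so a perfectly flat baseline still tolerates small jitter


def bucket_counts(events, window=WINDOW):
    """Count write events per process per fixed-size time bucket."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, proc, op in events:
        if op == "write":
            counts[proc][ts // window] += 1
    return counts


def detect_anomalies(events, window=WINDOW, baseline_windows=BASELINE_WINDOWS, k=K):
    """Return (process, bucket, count, threshold) for every bucket that exceeds
    the per-process baseline learned from the first `baseline_windows` buckets."""
    findings = []
    for proc, per_bucket in bucket_counts(events, window).items():
        buckets = sorted(per_bucket)
        learn = [per_bucket[b] for b in buckets if b < baseline_windows]
        if len(learn) < 2:
            continue  # not enough history to say what "normal" is for this process
        mean = statistics.mean(learn)
        std = max(statistics.pstdev(learn), MIN_STD)
        threshold = mean + k * std
        for b in buckets:
            if b >= baseline_windows and per_bucket[b] > threshold:
                findings.append((proc, b, per_bucket[b], threshold))
    return findings


if __name__ == "__main__":
    for proc, bucket, count, threshold in detect_anomalies(SAMPLE_EVENTS):
        print(f"{proc}: {count} writes in window {bucket} (threshold {threshold:.1f})")
```

Two design points carry over to real systems: the baseline is learned per process rather than per host, because a legitimate backup job and a word processor have very different normal rates, and the learning period is separated from the scoring period, so an attack that starts during scoring cannot poison the baseline it is measured against.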
Layers of Defense
Whether you’re talking about protection of consumer data or state level cyber crimes and government hacking, attacks are getting more sophisticated -- and businesses need to keep pace. It’s very hard to defend against every attack vector, and bad actors know this and will leverage it to find your weak point to try to access your system and data. This is why you need layers of defense in place so that whatever it is you are protecting will remain safe.
Ultimately security is a proof point of dedication to your customers, a proof point that needs to be taken seriously and reinforced every day.
Pritesh Parekh is VP and CSO at Zuora. Pritesh joined Zuora in 2013, with 18 years of experience in building and managing enterprise security programs, the last 12 years of which were spent leading security for Cloud platforms. Prior to joining Zuora, Pritesh led the worldwide Security and Compliance for ServiceNow. He has extensive experience in Cloud Security, IoT Security, Application Security, Compliance, Data Protection, Fraud Protection, Security Architecture and Risk Management for Financial Institutions, SaaS & Cloud Providers.