Happy Data Privacy/Data Protection Day
These days no important topic is worthy of the name if it doesn't have a day devoted to it. Today (January 28) it's the turn of data privacy -- or data protection, depending on who you talk to -- to step into the spotlight.
As organizations gather ever more data, concerns around how it is stored and used have grown, which has led legislators to take an interest too.
So, what are the current big issues surrounding data privacy and how are they being addressed? We asked some industry experts for their views.
"This Data Privacy Day, we want to draw attention to how security threats impact data privacy issues," says Raffael Marty, EVP and GM of cybersecurity at ConnectWise. "Businesses need to remain agile and responsive to the evolving threat landscape in order to keep theirs and their customers' and users' data private. We will see an increased demand from customers that will demand greater transparency about how business is keeping data secure and private. All of this will usher in an entirely new model for cybersecurity that relies on continuous verification rather than just hardening networks and systems."
"Data creation has exploded in recent years, with entire industries being built on having access to unique and useful data," says Thomas LaRock, head geek at SolarWinds. "This information can enable better business outcomes, making it an invaluable asset for any company. Unfortunately, this growing emphasis on data can also present risks. It's critical that companies focus on becoming Secure by Design to ensure strong data policies by upgrading their Data Loss Prevention (DLP) solutions and adopting zero trust security."
Okey Obudulu, CISO at Skillsoft, believes everyone needs to take responsibility for data:
"Change has been the only constant of the last few years, with data protection being no exception. Delays to the UK Government's Data Reform Bill have made it difficult for businesses to plan ahead, grappling with what the future of data privacy will look like post-Brexit.
"Whilst there's no clear timeline in sight, the evolving regulatory frameworks around these topics require greater compliance input and oversight across all areas of business. Organizations need to recognize that every single employee has a role to play. From the CISO down, data protection is everyone's responsibility."
This is echoed by W. Curtis Preston, chief technical evangelist at Druva:
"Privacy is now at the forefront and one of the top concerns for consumers, making it the responsibility of everyone in IT. On Data Privacy Day, organizations have the opportunity to reflect and commit to a holistic approach within their IT teams to ensure data privacy standards are upheld and data resiliency is achieved.
"In an IT team, it's the web developer's job to ensure that any personal data received via the web is stored directly in a special database designed for personal information.
"It's the database administrator (DBA)'s job to ensure that database is treated differently, judiciously applying the process of least privilege to it, to ensure only a select few are granted access, and everyone else (including bad actors) sees encrypted nonsense.
"It's the system administrator's job to apply the same concepts to wherever that database resides. It is the backup person's responsibility to ensure the backups of this database follow best practices, and are encrypted and air gapped.
"Finally, it is, of course, the security person's job to check in with everyone else to help them understand their responsibilities and ensure they are meeting them.
"When all of these pieces of the team are aligned, organizations can be certain that they've done everything possible to keep their data resilient in the face of unexpected threats and adversity."
"Data that is stolen under the noses of organizations can have damaging and lasting impacts. Customers, partners and employees trust businesses to look after their data, and when it is stolen that trust is broken. People lose confidence in digital services, which can then lead to long-term reputational damage as well as a significant financial hit," says Ronan David, chief of strategy at EfficientIP. "Organizations need to be able to stop the exfiltration of data at the earliest possible stage. Businesses need to be looking at real-time DNS traffic so that security teams can detect, locate and thwart hidden security threats. Furthermore, DNS-based application access control at the user level needs to be implemented to reduce the attack surface of businesses and block lateral movement, and ultimately, strengthen their security chain."
"The intersection of security and privacy has been evident for years -- and in the end, you can't have one without the other," says Clar Rosso, CEO of (ISC)2. "As we continue to interact, process and consume data at an exponential rate, there needs to be a clear understanding of where data is located, managed and accessed to avoid getting into the wrong hands. With privacy and cybersecurity functions becoming increasingly synergistic, privacy and cybersecurity professionals must work collaboratively to ensure strong and effective data stewardship. Not only will it improve security and privacy postures, but the collaboration will help alleviate resource challenges."
Dr. Ellison Anne Williams, founder and CEO of Enveil, says:
"Digital transformation, the rise of the digital economy, and the broad recognition of data as an asset have significantly transformed global data requirements, making it critical for us to advance awareness surrounding the challenges and opportunities in the data privacy arena. Data Privacy Day does a great job of spurring such discussion.
"With the vast quantities of data available today, organizations increasingly need to find the right balance between value extraction and risk management. Regulators are scrambling to keep up with the pace of change so there is frequently a lack of clarity concerning the boundaries of acceptable data use. Leading data-driven organizations are forced to ask themselves: 'how much risk can we tolerate?'"
Eve Maler, CTO at ForgeRock, believes children's data will need better protection. "Today's generation of children are growing up digitally native, signing into multiple devices, and accessing a vast ecosystem of services online. However, children are not capable of truly consenting to the use of their data, making the standard 'opt-in', 'opt-out' authentication practice meaningless. Organizations need to strike the balance between knowing enough information about these users, without knowing too much, and ensure that parents and guardians have the ability to consent to the right level of data sharing. In 2023, we can expect to see meaningful changes around legislation in this area."
"Organizations looking to better protect customer data should consider how well they can validate their security policies, controls and configurations," says Song Peng, SVP of engineering at NetBrain. "Even the best security hardware and software develop vulnerabilities over time, usually as the unintended consequence of other IT activities. And with the larger attack surfaces created through cloud-based services, the need to continuously verify that security profiles are intact is essential."