While companies should focus on data privacy all the time, Data Privacy Day on Jan. 28 is a good opportunity to reassess your business privacy strategies and learn some new methods to safeguard data.
The sudden shift to remote work in response to the COVID-19 pandemic has brought inherent security issues, and a research team from cloud security provider Bitglass gathered some data points during the height of the pandemic to highlight some of these issues. The researchers studied hundreds of thousands of companies worldwide, and the following statistics show where the surveyed companies fall short, and why organizations must rethink their current security strategies:
- While 73% of enterprises believe cloud applications are as secure or more secure than on-premises apps, 63% are concerned with data privacy and confidentiality in the cloud—an indication that while the public cloud is considered safe, organizations struggle with using it securely.
- 73% of security budgets are decreasing or staying flat over the next year, while organizations are being tasked to do more with less, demonstrating the necessity to implement cost-effective security that can secure the immeasurable number of cloud interactions.
- 50% of organizations lack visibility into messaging and file-sharing apps, providing a prime opportunity for data leakage, and 30% of organizations have no visibility or control for mobile enterprise messaging, while only 9% have security tools in place for detecting malware.
- 72% of organizations cite malware as a top concern with employees working from home, while 59% believe unauthorized or excessive access privileges is the most concerning threat vector.
We gathered a roundup of insights from 10 industry experts with diverse backgrounds to present for Data Privacy Day.
Trevor Bidle, CISO at data center service provider US Signal: A major boost in remote workforces over the past year was accompanied by a substantial rise in cybercriminal activity. In 2019, a survey revealed that 83% of organizations were hit with a cyberattack. In 2020, that greatly increased, with more cyberattacks reported in just the first half of 2020 than in the entirety of 2019. This Data Privacy Day is a great opportunity for companies to take heed of these cyber risks and implement a robust data management solution—or update their current ones.
Modern data management solutions in 2021 should include disaster-recovery-as-a-service (DRaaS) and automatic data backup archive-as-a-service (AaaS). AaaS benefits from the ability to render data immutable to protect it from cyberattacks and securely store data without increasing bandwidth costs.
These solutions should also incorporate vulnerability management tools. Traditionally, these tools were programmed to be reactive. However, best-of-breed solutions should utilize threat intelligence to become proactive and identify and prioritize vulnerabilities dependent on their criticality. This allows companies to recognize their systems’ weak points and rectify them before the cybercriminals spot them.
In 2021, data center providers should provide data management solutions that offer an array of features, including the traditional and the innovative, to ensure that a company’s data is protected regardless of the attack method the cybercriminal chooses. As the danger of cyberattacks continues to grow in the new year, it is important to revisit your data management and security approaches to keep one (or more) steps ahead of digital adversaries and ensure data privacy for your employees and customers.
Laurent Fanichet, VP of corporate communications at enterprise search provider Sinequa: We understand that for some organizations, data privacy requirements like GDPR and CCPA can feel like a burden, however necessary. Still, we caution businesses to avoid the trap that compliance requirements are antithetical to using enterprise data to gather valuable business insights. As privacy and protection regulations continue to evolve, Data Privacy Day is a reminder to companies that creating a comprehensive view of all enterprise data is necessary to maintaining compliance. You cannot protect what you cannot see.
Especially in a remote work environment, it is imperative to recognize the differences between strong governance practices that protect data, and the insight mechanisms needed to leverage the data into broader insights that have direct benefit to business growth. This is exactly where technologies like intelligent search and natural language processing are even more critical in helping workers to consistently find, evaluate, associate, and retrieve information across business units, while protecting and sustaining the highest levels of data privacy.
Sam Humphries, security strategist at security analytics provider Exabeam: With organizations considering “immunity passports” to get employees safely back to work, companies are going to have to maintain a delicate balance between protecting the health and privacy of their teams. New legislation such as California’s AB685 order, which mandates employers must tell workers in writing that they may have been exposed to the virus, requires businesses to establish an exposure notification system or face a fine. Naturally, some employees might be concerned about data privacy in the workplace and personal health data being exposed. On this year’s Data Privacy Day, I would encourage employees to tackle this problem head on as we all look forward to getting employees back into the office.
In order to alleviate an employee’s worry about health information being revealed, be sure to be transparent about data monitoring and craft policies for employees that are accessible either through paper or digital training. Reassure the team that exposure notification will not violate HIPAA, and all names will remain anonymous. Content on the process should avoid confusing jargon and feature an appropriate contact person who can answer all questions.
Companies also need to make sure that exposure notification systems are compliant with not only AB685, but data privacy regulations such as CCPA, GDPR, and HIPAA. Utilizing existing technologies in their arsenal such as security analytics, organizations can establish exposure notification without the need for additional investment or worry about breaking compliance laws. This particular approach will help organizations identify individuals’ movement around the physical office based on Wi-Fi connections, scans, etc., and determine who may have been exposed. Without naming the individual who has the virus, companies can make sure employees know when to quarantine and work from home.
The path forward back to the office from COVID-19 must include data privacy. Data Privacy Day should serve as a reminder that even when things go back to some semblance of normal, it is good to be open and honest with employees on current privacy policies. Regular audits should also be conducted during this time, like when new laws such as the AB685 extension emerge. This will reassure skeptical employees that both their health and digital data are protected, while the organization is also being safeguarded.
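The Wi-Fi-based exposure check described above can be built so that the analysis never touches a name. The following added example (not Exabeam’s product or code) runs over a constructed association log of the form timestamp,pseudonym,access_point. The pseudonyms are keyed hashes produced once by whoever holds the key (HR, in this sketch), the 30-minute dwell window is an assumption, and the notice text is illustrative.

```python
"""Privacy-preserving exposure check over Wi-Fi association logs.

Added example, not a vendor implementation. Input rows are
'timestamp,pseudonym,access_point'; pseudonyms are HMACs of the real
device/user identity computed by the key holder, so this script never
sees a name. The 30-minute dwell window is an assumed parameter.
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

DWELL = timedelta(minutes=30)  # assumed: a device stays on an AP this long after associating

# Constructed sample log (not real data): four pseudonymous devices, two floors.
SAMPLE_LOG = """\
2021-01-25T09:00:00,dev-a1,ap-floor2-east
2021-01-25T09:05:00,dev-b2,ap-floor2-east
2021-01-25T10:30:00,dev-c3,ap-floor2-east
2021-01-25T09:10:00,dev-d4,ap-floor3-west
2021-01-25T11:00:00,dev-a1,ap-floor3-west
2021-01-25T11:10:00,dev-d4,ap-floor3-west
"""


def pseudonymize(key: bytes, device_id: str) -> str:
    """Keyed hash of an identifier; without the key the pseudonym cannot be reversed."""
    return "dev-" + hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()[:12]


def parse_log(text: str):
    """Parse CSV rows into (timestamp, pseudonym, access_point) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pseud, ap = line.split(",")
        events.append((datetime.fromisoformat(ts), pseud, ap))
    return events


def presence_intervals(events, dwell=DWELL):
    """Treat each association as presence on that AP for `dwell`."""
    intervals = defaultdict(list)
    for ts, pseud, ap in events:
        intervals[pseud].append((ap, ts, ts + dwell))
    return intervals


def exposed_devices(events, index_pseudonym, dwell=DWELL):
    """Pseudonyms whose presence overlapped the index device on the same AP."""
    intervals = presence_intervals(events, dwell)
    exposed = set()
    for ap_i, start_i, end_i in intervals.get(index_pseudonym, []):
        for other, ivs in intervals.items():
            if other == index_pseudonym:
                continue
            for ap_o, start_o, end_o in ivs:
                # two half-open intervals overlap iff each starts before the other ends
                if ap_o == ap_i and start_o < end_i and start_i < end_o:
                    exposed.add(other)
    return sorted(exposed)


def notifications(exposed, exposure_date):
    """Per-recipient notice text; the index device is never mentioned."""
    msg = (f"You may have shared office space with a colleague who tested "
           f"positive on {exposure_date}. Please work from home and follow "
           f"the quarantine guidance in the exposure policy.")
    return {pseud: msg for pseud in exposed}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for pseud, text in notifications(exposed_devices(events, "dev-a1"), "2021-01-25").items():
        print(pseud, "->", text)
```

Only the HR key holder can map dev-b2 back to a person; the security team running the correlation works entirely on pseudonyms, which is what keeps the notification from disclosing who tested positive.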
Jay Ryerse, VP of cybersecurity initiatives at software solutions provider ConnectWise: The age of data privacy and security is now. We are continuing to educate colleagues and our customers that data privacy should be built into everything we do. Service providers need to fully immerse themselves into the threat landscape and the best practices associated with securing data. Without cybersecurity, there is no such thing as privacy. This deep dive includes the governance aspect of data protection as well as the technical and physical controls necessary for the confidentiality, integrity, and availability of data.
Consumers and businesses need to start asking the tough questions of their vendors. They need to understand the supply chain for the services they outsource and what those companies are doing to provide the best in class cybersecurity protections. If those vendors don’t believe they are at risk, then it may be time to find a new provider.
Josh Odom, CTO of email delivery platform provider Mailgun: In honor of Data Privacy Day 2021, it’s time we broke down the most prominent privacy regulations and how they play into the data-saturated world of email marketing.
The EU’s GDPR covers several lawful bases for data processing, and consent is one of them. As email marketers, we need to shift our understanding of consent from permanent to dynamic. This means that consent under GDPR is specific to the activity. We must ask ourselves: Do I have permission to send marketing messages to them? Are they expecting my emails?
Even a scammer would need my explicit consent to continue sending me spam. While this might frustrate email marketers, customers must also have the option to withdraw consent (objecting to use of information for direct marketing) if they decide they don’t want to hear from you anymore. But why would you want to talk to someone who isn’t interested in what you have to say anyway?
The requirements for the US’s CCPA echo the importance of consent. Email marketers must be explicit about any information collected or sold from the exchanges with the California-based contact and work with their sales teams to ensure that contact receives the same quality service at the same price as all prospects, regardless of their privacy decisions.
Whether you’re looking to optimize your GDPR and CCPA compliance or just getting started in email marketing and want to ensure you’re on the right path, prioritizing steps into actionable pieces is the way to go. Confirming consent with existing contacts and protecting data with proper security measures can seem overwhelming, but when in doubt don’t hesitate to reach out for advice or to a lawyer that specializes in data protection.
At the end of the day, what matters is keeping your contacts informed at all times of what’s being done with their information. Having a trail of documentation that you can show to prove this will prepare you in case you’re audited for compliance purposes. There is no one-stop shop for achieving compliance, but we hope these tips will help our email marketing friends this Data Privacy Day—and far beyond.
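The two points above, consent that is specific to an activity and can be withdrawn, and a documentation trail that survives an audit, are easiest to get right with an append-only ledger from which the current answer is derived rather than stored. The following added example (not Mailgun’s code; field names and sample contacts are assumptions) shows that shape.

```python
"""Purpose-specific consent ledger with an auditable trail.

Added example, not a vendor implementation. Field names and the
sample contact are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


def ts(text: str) -> datetime:
    """Shorthand for ISO-8601 timestamps used in the sample data."""
    return datetime.fromisoformat(text)


@dataclass(frozen=True)
class ConsentEvent:
    contact: str
    purpose: str        # consent is per activity, e.g. "marketing_email"
    granted: bool       # False records a withdrawal or objection
    at: datetime
    source: str         # where the decision was captured (assumed field)


class ConsentLedger:
    """Append-only log; the current state is derived, never overwritten."""

    def __init__(self):
        self._events = []

    def record(self, event: ConsentEvent) -> None:
        self._events.append(event)

    def may_process(self, contact: str, purpose: str, now: datetime) -> bool:
        """True only if the latest decision for this exact purpose is a grant."""
        relevant = [e for e in self._events
                    if e.contact == contact and e.purpose == purpose and e.at <= now]
        if not relevant:
            return False  # no recorded basis: default deny, never infer from another purpose
        return max(relevant, key=lambda e: e.at).granted

    def audit_trail(self, contact: str):
        """Chronological decisions for one contact, ready to hand to an auditor."""
        return [(e.at.isoformat(), e.purpose, "granted" if e.granted else "withdrawn", e.source)
                for e in sorted(self._events, key=lambda e: e.at) if e.contact == contact]


def demo() -> ConsentLedger:
    """Constructed history: one contact opts in, then unsubscribes ten days later."""
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("ana@example.com", "marketing_email", True,
                               ts("2021-01-10T09:00:00"), "signup_form"))
    ledger.record(ConsentEvent("ana@example.com", "marketing_email", False,
                               ts("2021-01-20T18:30:00"), "unsubscribe_link"))
    return ledger


if __name__ == "__main__":
    ledger = demo()
    print("send on Jan 15?", ledger.may_process("ana@example.com", "marketing_email", ts("2021-01-15T00:00:00")))
    print("send on Jan 21?", ledger.may_process("ana@example.com", "marketing_email", ts("2021-01-21T00:00:00")))
    for row in ledger.audit_trail("ana@example.com"):
        print(row)
```

Because decisions are keyed by purpose, a grant for marketing email says nothing about, say, product research, and because withdrawals are recorded rather than deleted, the trail still shows the original opt-in and when it ended.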
JG Heithcock, GM of data backup provider Retrospect: According to IBM, the average cost of a data breach in 2020 was $3.86 million. After a year rife with economic uncertainty, massive shifts of data to the cloud and an increase in remote workers, ransomware and phishing attacks have grown exponentially. Cybercriminals have leveraged information about COVID-19 testing, research, and vaccine rollout to lure victims with phishing attacks, increasing the attack surface faced by organizations who might be operating with lean teams and limited resources.
As business leaders look to secure their data, an arsenal of standard practices will protect sensitive and important information from ransomware and other cyberattacks. By maintaining proper password hygiene and vigilance around suspicious email addresses, requests and links, employees can reduce the risk of phishing and other data privacy violations. When organizations incorporate the added layer of maintaining an effective backup strategy with a 3-2-1 backup rule, organizations are better equipped to store sensitive information, which can be recovered quickly, easily, and safely to avoid disruption.
Surya Varanasi, CTO of storage solutions provider Nexsan: As we contemplate safe returns to the office, many organizations will explore either full or hybrid remote work options for this year and into the future. With an increased reliance on the cloud and a distributed enterprise, new challenges are brought on by an expanding threatscape spurred by cybercriminals looking to exploit the pandemic for their gain.
In order to fight the mounting threats and protect their data, organizations must combine known best practices with modern technology. Once those are in place, incorporating unbreakable backup solutions will serve as a last line of defense, allowing organizations the ability to recover, maintain uninterrupted operations and avoid paying ransoms should they be attacked. This way, sensitive information is kept safe, and business continuity remains intact.
David McNeely, chief strategy officer of access management provider Centrify: Beginning the year by observing Data Privacy Day serves as an excellent reminder for organizations to explore the mounting threats to their data and systems and review the security of their credentials. This year, it’s imperative to note that the exponential growth of non-human identities means human users are not the only identities that can or will have access to sensitive data, often leaving credentials with broad privileges open to compromise. As the threatscape continues to expand, organizations must realize the importance of securing all identities including humans, machines, services, APIs, etc., which often provide privileged access to sensitive data.
Complexities around protecting and securing identities have been compounded by the industry’s mass shift to remote work and dispersal of security teams. Additionally, as modern organizations continue to expand automation’s role in DevOps and cloud environments, organizations must protect their credentials by following best practices to reduce the use of shared passwords, implement multi-factor authentication, strive for zero standing privileges, and adopt a centralized privileged access management (PAM) solution.
Authentication methods such as federation, ephemeral tokens, and delegated machine credentials can also help to reduce the overall attack surface and seamlessly incorporate PAM into the DevOps pipeline. When combined with a least-privilege approach, these best practices and modern solutions can improve an organization’s security posture, minimize the risks of compromised credentials, and ensure data privacy for both the organization and its customers, throughout 2021 and for the long term.
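What "ephemeral tokens" and "zero standing privileges" mean in practice is shown by the following added example, which is not Centrify’s implementation. A pipeline job is minted a credential bound to a subject, an explicit scope list and a short lifetime, integrity-protected with an HMAC, and the verifier refuses anything expired, tampered with, or used outside its scope. The claim names mirror JWT conventions but the format is deliberately minimal, and the key and subject are constructed for the demo.

```python
"""Ephemeral, scoped machine credential with HMAC integrity.

Added example of the ephemeral-token / least-privilege idea, not a vendor
implementation. Claim names follow JWT conventions; the format is minimal
on purpose, and DEMO_KEY and the subject are constructed demo values.
"""
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"constructed-demo-secret-do-not-reuse"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, scope, ttl_seconds: int, now=None) -> str:
    """Mint a short-lived credential bound to a subject and an explicit scope list."""
    now = int(time.time() if now is None else now)
    claims = {"sub": subject, "scope": sorted(scope), "iat": now, "exp": now + ttl_seconds}
    body = _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_token(key: bytes, token: str, required_scope: str, now=None):
    """Return the claims if signature, expiry and scope all check out; otherwise None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):  # constant-time compare
            return None
        claims = json.loads(_b64d(body))
        now = int(time.time() if now is None else now)
        if now >= claims["exp"]:
            return None  # no standing access: the credential simply stops working
        if required_scope not in claims["scope"]:
            return None  # least privilege: a read token cannot be spent on a write
        return claims
    except (ValueError, KeyError, TypeError):
        return None  # malformed token, bad base64/JSON or missing claim


if __name__ == "__main__":
    tok = issue_token(DEMO_KEY, "ci-deploy-job", ["read:secrets/app1"], ttl_seconds=300)
    print("fresh, in scope :", verify_token(DEMO_KEY, tok, "read:secrets/app1") is not None)
    print("fresh, wrong op :", verify_token(DEMO_KEY, tok, "write:secrets/app1") is not None)
    print("5 min later     :", verify_token(DEMO_KEY, tok, "read:secrets/app1", now=time.time() + 301) is not None)
```

In a real deployment the issuing key lives in the PAM or secrets service and the job only ever sees the token; because the token dies on its own, revoking a leaked one is a matter of waiting out the TTL rather than rotating a shared password.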
Lex Boost, CEO of IaaS provider Leaseweb USA: Data Privacy Day comes as we all begin settling into the comfort of normalcy of remote working, and provides an opportunity for business leaders to consider whether their current hosting solutions are meeting business needs.
Companies should take this opportunity to reassess their office environment and corresponding data strategies. Organizations leveraging an on-premises data strategy should consider restructuring to a data center model. As office spaces continue to remain largely unoccupied, the security of data housed on-premises increases in vulnerability—both to malicious actors and to unforeseen events like natural disasters. A hosting provider can offer a variety of solutions and configurations (i.e. dedicated servers, hybrid cloud, colocation, etc.) that move your data to an offsite location with enhanced physical and cybersecurity measures.
Many hosting providers add an extra layer of protection by offering 24/7 security-related support services to guarantee your data is secure at all times. Hosting providers are required to comply with critical and stringent standards such as ISO 27001, SOC type 1, HIPAA, GDPR, and CCPA. The physical buildings where the data centers are located are also typically gated, and require identification to enter.
During Data Privacy Day this year, it’s important for organizations to remember that protecting data doesn’t have to be a job done alone. As we continue to telecommute, it is important to rely on hosting providers for an extra layer of protection and peace of mind.
Saket Modi, co-founder and CEO at cybersecurity and risk quantification provider Lucideus: We are stepping into an era that is more digital-dependent than ever before. With PHI [protected health information] selling on the dark web for as little as a few hundred dollars, data is the new currency.
While to date, the ethical and moral responsibilities that come with its abundance have rested with governments and the corporate world, the end-user (consumer) has to start sharing the onus. From being prudent about what kind of information they are making publicly available, to knowing exactly which website, platform, or service they are using has been breached, there is a lot the average person has to incorporate into their cyber-consciousness.
Consumers need to take control of their digital footprint and privacy. They must know, objectively and in real-time, what they expose through their online identities, devices they own, applications and services they use, along with staying updated with the modern trends leveraged by cybercriminals to misuse data. To that end they can start safeguarding some of the most recurring pain points:
- Take action over compromised credentials: While 72% of consumers frequently lose sleep over having their information stolen, 64% have never checked to see if they were affected by any major data breaches. Understanding the effects of a data breach is paramount to taking the appropriate steps, from changing passwords and security questions to checking any other accounts where you might have used the same credentials.
- Set up two-factor authentication or multi-factor authentication: Enabling MFA or 2FA where possible will add an extra layer of security to your accounts, no matter if you are logging in from a computer or a mobile device. It creates an extra barrier for those trying to break into your accounts.
- Secure your mobile devices: Malicious actors can get to your devices through several ways, which is why we recommend closing the loop on the main characteristics of your device. Always keep the operating system up to date and be sure to use antivirus technology—it’s not just for your computer. When downloading applications, only do so from the official stores (like the App Store or Google Play). Never download something directly from the internet where hackers can embed malware in apps offered for free. Finally, enable the encryption option on your phone, which makes it difficult for cybercriminals to recover your data if you lose your phone.
- Protect your social media identity: With 50% of people using public and open social media accounts, the need for increasing cyber-consciousness has never been more important. Consumers need to understand that where they are logging in from and which devices have access to their information impact their ability to keep their accounts safe. Enabling notifications for unrecognized login alerts can also help manage these risks better.