Working from home because of the pandemic has led to sensitive corporate information being stored on private devices, and experts say protecting data must become a business imperative.
It may be Data Privacy Day, but security experts say privacy should become a daily, defined practice affecting almost all aspects of an organization and no longer just a part of compliance, legal, or auditing disciplines.
"As a rapidly growing stand-alone discipline, privacy needs to be more integrated throughout the organization," according to Gartner. "Specifically, the privacy discipline co-directs the corporate strategy, and as such needs to closely align with security, IT/OT/IoT, procurement, HR, legal, governance and more."
According to data from Atlas VPN, 54% of baby boomers and half of Generation Z feel very uncomfortable sharing with the government their personal data, including location and where they had traveled.
The same is true for 46% of Gen Xers and 40% of millennials, the firm said.
Here are the top 5 reasons data privacy should be practiced every day.
It protects individuals' independence
Protecting personal data means protecting individuals from unwanted surveillance and physical harm, said Enza Iannopollo, senior analyst, privacy, security, and risk, at Forrester.
Our personal data provides a window into who we are, what we believe in, our weaknesses, and our consumption patterns, she said. "If we don't share this data carefully and with actors that we trust, it might become the basis for manipulation ... Examples of it are everywhere, in every country."
Protecting personal data means protecting "the most vulnerable among us," she added.
There is increased potential for breaches
Breaches in data privacy can have severe consequences for organizations and individuals, as they could lead to expensive follow-up attacks, said Candid Wüest, vice president of cyber protection research at Acronis.
Anurag Kahol, CTO of Bitglass, agrees that as companies continue to have WFH and hybrid work models, cloud adoption and digital expansion will continue to grow exponentially, creating more opportunities for cybercriminals.
"While the financial implications can be steep, it's even more devastating for an organization's reputation in the eyes of consumers," he said. "Consumers are constantly discovering the information that is collected about them, how that data is used and how daily breaches put that information at risk. With only 25% of people stating that they trust companies to handle their personal data responsibly, the margin for error is already incredibly thin."
Last year was the worst year on record for cybersecurity attacks, with the FBI's Cyber Division reporting as many as 4,000 attacks a day, Kahol noted—a 400% increase from pre-COVID figures.
Some of the possible consequences Wüest sees for enterprises if data is not properly protected include:
- Regulatory fines under regulations such as GDPR and CCPA.
- Loss of trust and brand reputation, as has happened with social media messaging apps.
- Competitive disadvantage when corporate data is publicly shared. This is also why over 20 ransomware groups have started to steal sensitive data before encrypting it: the stolen data is significant leverage for extortion, especially when it is financial information, intellectual property, or customer lists.
It will eventually become the law
Liability risk for data exposure grew significantly during 2020 due to laws like California's CPRA, or Illinois' DTPA, said Rob Shavell, co-founder and CEO of DeleteMe.
"The range of ways companies are at risk for mishandling consumer information is rapidly expanding," Shavell said. "It's safer to practice privacy as part of your overall business culture."
It provides competitive advantage
The FAANG companies are all increasingly differentiating and positioning users' data privacy as a value-added feature, Shavell said. "It won't be long before customers expect the same—and more—from everyone they do business with. Burying privacy rights details in user agreements is no longer going to be enough when competitors are using it as part of their sales pitch."
It is increasingly becoming a necessary employee benefit
With a growing number of employees working remotely, company data is being commingled with personal data on employee accounts and devices. That means protecting company data and protecting workers is increasingly the same problem, Shavell observed.
"Maintaining customer as well as employee data privacy both in and out of the office helps insure against risks of social engineering attacks, ransomware attacks, or inadvertent data loss," he said.
What organizations should be doing to keep data secure
Organizations need to evolve their privacy programs to include employee privacy, said Forrester's Iannopollo.
"Between the huge amount of sensitive, personal data employers have been collecting to respond to the pandemic and the growing appetite for more sophisticated workforce analytics projects, protecting employee data must be their priority in 2021," she stressed.
Iannopollo recommends organizations:
- Improve the effectiveness of an existing privacy program to create meaningful collaboration across the organization. "I see mature privacy programs breaking silos between security and risk, data governance, and privacy," she said. "If a regulatory requirement is to produce real change, it must affect systems, data flows, data itself. If requirements only live on paper, on the chief privacy officer's desk, they will never make an impact and deliver effective protection."
- Make privacy and data ethics a critical business strategy. Compliance is just the floor. "It prevents companies from falling through the cracks, with evident benefits to their reputation, finances, and efficiency," Iannopollo said. "But, companies must still build the ceiling, adopting standards and values that align to regulations and requirements, while moving away from a traditional command and control mechanism." They should commit to viewing privacy and ethics as values and act consistently, she said.
Wüest of Acronis agrees that companies must know where all their data is and who is accessing it for what purpose, and must protect it at all times.
"An integrated approach is key here to get the visibility and cyber protection across the complete infrastructure," he said.
Organizations must have an accurate inventory of their data, advised Bitglass' Kahol. This is critical for adhering to data privacy regulations because if companies don't know what information they hold or where it is going, they can't properly protect it, he noted.
Further, "companies must protect access to consumer information as well as the various systems that store it," he said. "This can become more challenging for improperly equipped organizations that adopt cloud technologies and other remote work capabilities, as consumer data can then potentially be accessed across numerous applications and on various devices."
Lastly, it is essential for organizations to have a thorough understanding of data jurisdictions and any security challenges they may present after migrating to the cloud, Kahol said.
"To ensure compliance, organizations should look for security solutions that allow them to encrypt cloud data wherever it resides, while maintaining local control of encryption keys."