This is part 1 in a series for Data Privacy Day 2022. Don't forget to apply for our Cyber Top 20 List - recognizing the top companies in cyber!
Data Privacy Day occurs each year on January 28 and was created to raise awareness and promote privacy and data protection best practices. Data Privacy Day's educational initiative originally focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking.
We heard from privacy and security experts from across the world about how far we've come in the past year in terms of data privacy understanding and implementation -- and how far we still have to go...
[part 1]
Erkang Zheng, Founder and CEO at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions:
The industry is grappling with a fragmentary approach to privacy, which has significant security implications. From a security standpoint, it’s a massive challenge because there is no single global privacy standard to build upon, which leaves room for errors.
Security is often a game of details, so as the privacy landscape becomes increasingly complex, it introduces more things that can go wrong. In addition, a patchwork approach makes operations difficult as security professionals must understand and implement the disparate privacy and compliance regulations from around the world and jerry-rig them together for business continuity.
Ideally, an international consortium would address these diverse privacy rules worldwide. New privacy rules create complexity and not just from a compliance standpoint. It also creates operational complexities for security teams.
We need to see greater simplification on the process side, driven by the unification of regulations. So many things sound great on paper, but how practical is it to implement security across so many different regulatory frameworks? At the very least, national rules will need to come together for organizations to implement a cohesive privacy framework for each country. By not reaching some consensus about privacy, we introduce greater risks for everyone to stand up with adequate security protections.
Corey O’Connor, Director of Products at DoControl, a New York City-based provider of automated SaaS security:
Data privacy has been top of mind for both individuals and organizations alike. There are now global, national and local regulations that require companies of all sizes and types to have the appropriate cyber security measures in place to prevent PII from making its way into the public domain. From a business’ perspective, the negative implications for non-compliance with some of these regulations such as General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) are significant. At the individual or consumer level, people are more frustrated than ever with losing control over how their own PII is handled, manipulated and processed by businesses.
Software as a service (SaaS) applications are a critical data source for business today. These productivity and collaboration tools are what drives the business forward. PII files and data are enveloped into many of the SaaS applications being utilized by the business. Whether its data within SFDC, or files exchanged over Slack many of the tools and technologies being leveraged by organizations today are not granular enough to prevent data leakage or data exfiltration. There's a need to go deeper down the stack and introduce granular data access controls across the SaaS application data layer.
Industry regulations evolve. Cyber attackers' techniques improve and evolve as well. Organizations need to have the right people, process and technology in place to stay one step ahead and establish a strong data privacy program that effectively mitigates the risk of non-compliance, as well as a data breach.
Craig Lurey, CTO and Co-Founder at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software:
People's personal data has become a hot commodity. As a result, we have seen a record number of cyberattacks and data breaches in recent years as cybercriminals will stop at nothing to get their hands on people's data. Personal data is used for advanced social engineering attacks, password stuffing attacks and ransomware attacks against companies and individuals.
Despite this, people and companies do not pay enough attention to the tools and software that has access to their personal and corporate data. Rigorous vetting of software that is installed by end-users on mobile and desktop devices is not taking place in many cases, which may inadvertently be placing user and corporate data at risk.
As we mark Data Protection Day, it is therefore critical to highlight the importance of using powerful and sophisticated tools that properly secure people's data. Users should pay particular attention that the software has strict privacy policies and utilizes a zero-knowledge architecture, which ensures that the company developing the software has no ability to access or decrypt the user's data stored within. This is key if consumers and business users want to make sure their personal and sensitive data is - and continues to be - well protected.
Archie Agarwal, Founder and CEO at ThreatModeler, a Jersey City, New Jersey-based automated threat modeling provider:
A major part of data privacy is safeguarding the data. And when it comes to safeguarding data, we feel organizations should operate from a very simple paradigm: identify all the threats and then mitigate them.
Safeguarding data means different things to different organizations. But for those involved in developing software systems, we feel strongly that the best way to identify all the threats and mitigate them is by incorporating threat modeling right into their development lifecycle. It’s the most effective way to identify threats prior to deployment, which is obviously preferable.
Heather Paunet, Senior Vice President at Untangle, a San Jose, Calif.-based provider of comprehensive network security for SMBs:
In today’s connected era, people disclose personal data during dozens of daily interactions, from online shopping, healthcare portals, social media, wearable devices to streaming services. This data is used to create profile-specific experiences across a multitude of devices and mediums, resulting in personalized, effective marketing campaigns.
However, the information customers give in exchange for a personalized experience can be very attractive to hackers, yet there is growing concern as to how companies are using information. As a result, many people want to trust that the companies they give their information to will keep it safe, but it also means consumers must take some privacy matters into their own hands to keep their personal data safe.
Deploy Multi-Factor authentication for cloud-based tools
Ensure that passwords are strong
Lock your computer when away from your desk, even at home
Don’t use public Wi-Fi for transactions
Install anti-virus & anti-spyware software, and a firewall
As more high-profile data breaches and cyberattacks come to light, customers are looking to businesses to strike a balance between data protection and collection.
To ensure compliance with current, and new regulations, businesses need to understand the data they’re taking in and who has access. Laws such as the Colorado Privacy Act (CPA), with similar versions in CCPA and CDPA, include a requirement to conduct a data protection assessment. This is an important first step that any business collecting consumer data should take. Businesses will need to understand what is being collected, and how to protect customer data, while also continuing employee education about data ownership and protection.
In addition, businesses need an effective strategy to communicate how customer information is collected, used and when it may be sold or disclosed for business-related purposes. Transparency in data collection is a foundational pillar for businesses looking to maintain a trusting relationship with their customers.
Mohit Tiwari, Co-Founder and CEO at Symmetry Systems, a San Francisco, Calif.-based provider of cutting-edge Data Store and Object Security (DSOS):
You do not need to give up data privacy so that organizations can thrive off of personalized advertising or by hosting customer data in a Software-as-a-Service (SaaS) application. Road safety is a great example where protocols and training sets appropriate expectations among drivers, bikers, pedestrians, etc. Similarly, there is considerable research and new commercial tools for organizations to measure how customer data is used internally and safeguard it -- and the recent exodus towards Signal shows that respecting customer privacy can actually be good for business.
Imposing reasonable fines is indeed a good way to make measuring and improving data risk a board-level priority. And this can only be good for both customers and enterprises that host their data.
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, a Washington D.C. based provider of cloud identity security solutions:
The notion of real ‘privacy’ is perhaps something that no longer truly exists. Internet connected device usage has exploded in recent years, bringing huge changes to our society, but this has come with risks as we’re all tracked and monitored 24/7.
It means we need to consider not just data privacy, but the safeguards that govern how data is collected and processed. Thanks to stricter regulations, the public now has greater say on how their data is used, but regulatory bodies need to continue to pressurise companies and governments to maintain good cyber security practice, incorporating the principle of least privilege to protect collected data and provide users with transparent access to such data.
Our personal data is becoming more and more profitable, and many will begin to ask how citizens will be incentivised, or perhaps paid, for their data? What will the future hold for personal data ‘renting’?
###