Data Privacy Day: Protecting data in 2022

Data Privacy Day highlights the need for companies, individuals and governments to be vigilant regarding potential data threats.

Today, 28th January, 2022, is Data Privacy Day.

Data Privacy Day aims to promote awareness about various issues surrounding data privacy, the threats companies and users face and the steps organisations, individuals and governments can take to protect their data.

Since its inception in 2007, Data Privacy Day has taken on many forms and has been promoted by international companies and organisations alike. Having expanded around the world, Data Privacy Day is the ideal time for companies, organisations and security specialists to highlight the importance of data protection.

Cybercrime is rising at an alarming rate the world over, with experts claiming that we are witnessing record numbers of attacks and that ransomware attacks and those against mobile devices in particular are becoming ever more prevalent. In the current environment, data security is of utmost importance.

However, despite this intimidating state of affairs, there are reasons to be positive, with increasing numbers of countries signing up to initiatives such as the EU’s General Data Protection Regulation and information security firms helping to spread the word and push for legislative change.

To do our part on Data Privacy Day, ITP.net recently interviewed a series of cybersecurity experts. We discussed data use across a wide range of applications, how companies must do their utmost to maintain security in a changing environment, and the importance of initiatives such as Data Privacy Day.

Gal Ekstein, General Manager EMEA and LATAM, AppsFlyer

“Data Privacy Day this year provides an important opportunity for businesses to reassess their mobile advertising strategy amongst the mounting user privacy laws and stricter data privacy standards that have transformed the way brands and mobile advertisers can collect and share consumer data over the last year. Between Apple’s game-changing ATT framework, Facebook’s user level data decision, and the upcoming demise of Google’s 3rd-party cookies in 2023, the scale and breadth of data sharing is becoming increasingly limited, making campaign measurement and optimisation more challenging than ever before.

“In 2022, we’ll see marketers continue to adapt to the move away from user-level data towards aggregated data. Privacy-preserving data collaboration within the ecosystem based on Data Clean Room technologies will offer a neutral, safe space for 1st-party user data to be leveraged collaboratively. In addition, predictive measurement will also play a greater role, both of which will be crucial in gaining meaningful marketing insights in a privacy-complicit way. Ultimately, marketers that are able to balance privacy considerations with a positive user experience will win out in 2022.”

Charlie Smith, Consulting Solution Engineer – Data Protection, EMEA at Barracuda

“It is imperative that Data Protection solutions adopted by companies are reviewed regularly to ensure they have a well-tested and proven data recovery plan in place. A good backup solution should be able to recover key data types, such as Office 365 data, databases, email, and complete systems such as virtual servers and legacy physical systems still used by the business. Often with ransomware attacks, the only guaranteed way to recover systems cleanly is to carry out full system recovery to ensure all malicious code is eradicated from the environment. It is also crucial to be proactive in scanning systems and cloud data repositories for malware and other malicious content, in order to stay one step ahead of the cyber criminals.”

Morey Haber, Chief Security Officer, BeyondTrust

“Data Privacy means different things based on geolocation, regional, and country laws. It is not safe to assume that your data is subject to the same laws and usage regardless of where you travel and the company or country hosting the information.

“Personally, if you find attributes like your geolocation, sharing of your phone number or storage of photos in the cloud to be sensitive, learn how to change the settings on your mobile phone to disable these features and protect your data privacy.

“If you or your business stores sensitive information in the cloud, regardless of location, always encrypt the data (when legally allowed) to protect it from a potential data leak.

“For the European Union, and several states within the United States, it is important to know that companies must disclose, upon request, what personal data they are storing about you, and you have the right to request them to purge that information.

“While Personally Identifiable Information (PII) is generally associated with data privacy for individuals, business data privacy can include complex data sets including financials, engineering material, personnel information, client information, medical history, and other vertical specific data sets.

“Data privacy is generally thought of in the context of sensitive data within files and databases. However, the written word is not the only concern. Audio, video, and biometrics are also governed by data privacy regulations and should have appropriate controls to identify content and protect them accordingly. As an example, this includes cameras in home and offices and audio recordings from a call centre that may be used for training purposes.”

Sam Curry, Chief Security Officer, Cybereason

“The best way to think about the privacy issues is to imagine the world using Tinkertoy as an analogy. Tinkertoy sets are used to build structures made up of hubs and connecting rods. This is analogous to us all with the hubs or “nodes” being people, objects, computers and data and the rods or “edges” being the relationship among us like “child of,” “owned by” or “used by.” This massive structure could be taken to a ridiculous extreme and could, theoretically, represent the entire world in a shifting, powerful construct. We have a branch of mathematics ideal to this sort of mapping called Graph Theory; and this is exactly what data aggregators like Google, LinkedIn and Facebook do — they mine the metadata about the structure and sell it for money.

“It costs money to learn about this super graph that exists, shifting theoretically and combining us all. Some of the metadata we want available for things like public safety and law enforcement, cheaply and easily. Others, we want to share selectively with like-minded people or for products and services we like. Finally, some of it we may not want to share, could be recorded wrong or we may not even know about!

“Privacy is about controlling the metadata about the “real” graph structure and Tinkertoy is the sum total of the world and all its “things.” Specifically, it’s about the rule of law and about the cost to obtain this information. We want law enforcement, under the right conditions, to get data as defined by law; but we also do not want anyone else lowering the costs of obtaining any of this information. We also want to put people back in the centre, controlling the nodes and edges that are about them or related to them: their family, their friends, their interests, their things.

“This might be hard for many to understand and even harder to enforce, but the distinction is important — we should not only obey the letter of the laws and regulations but should lean in and do no harm to the mission of putting the elements of the super graph in control of the metadata collected and used about them. This is an ongoing struggle. It is vital to understand rather than just paying lip service to the regulatory language of the day or progressively watching our privacy erode as we downplay its importance and become more and more desensitised by the minutiae of the latest breach.”

Gregg Ostrowski, Executive CTO at Cisco AppDynamics

“The AppDynamics App Attention Index 2021 showed that for consumers, security is the number one component of a high-performing ‘total application experience’. And 90% say that their expectation of brands to keep their data secure has increased since 2020. It goes to show that brands must go above and beyond to meet their users’ expectations towards security. In this post-pandemic era, a strong security posture means organisations have the necessary processes in place to protect their applications and their business from vulnerabilities and threats. In a world where sensitive data is constantly at risk of being compromised by malicious actors, they must be prepared and strengthen their security posture, enabling them to predict, prevent and respond to threats.

“The DevSecOps methodology, a modern approach to software development, takes things a step further and incorporates security enhancements at the beginning of the application development lifecycle for a more proactive approach to reduce risks of threats to sensitive customer data. But in order for a DevSecOps approach to be fully effective, teams need to implement a full-stack observability solution. This approach will give them in-depth visibility into the entire IT stack, including traditional legacy systems through to new, native cloud environments as well as hybrid deployments. It is a vital step in the right direction.”

Joseph Carson, Chief Security Scientist and Advisory CISO, ThycoticCentrify

“The notion of real ‘privacy’ is perhaps something that no longer truly exists. Internet connected device usage has exploded in recent years, bringing huge changes to our society, but this has come with risks as we’re all tracked and monitored 24/7.

“It means we need to consider not just data privacy, but the safeguards that govern how data is collected and processed. Thanks to stricter regulations, the public now has greater say on how their data is used, but regulatory bodies need to continue to pressurise companies and governments to maintain good cyber security practice, incorporating the principle of least privilege to protect collected data and provide users with transparent access to such data.

“Our personal data is becoming more and more profitable, and many will begin to ask how citizens will be incentivised, or perhaps paid, for their data? What will the future hold for personal data ‘renting’?”

Bernard Montel, EMEA Technical Director and Security Strategist at Tenable

“When discussing data privacy, we must also consider data security – you can’t have privacy without safeguarding it. And yet, according to research by Tenable’s Security Response Team, 2021 was another record year for cybersecurity incidents, and with it data breaches. A staggering 40,417,167,937 records were exposed worldwide in 2021, but that’s just an indication of the true number. According to the researchers, 87% of breach disclosures analysed did not include any information on the number of records exposed, meaning this figure will be significantly higher.

“The issue is that threat actors know they can monetise their crimes by targeting valuable data. Unfortunately, in the vast majority of cases, it’s not advanced threats that cause organisations to spill their secrets, it’s known but unpatched vulnerabilities. If companies want to stay ahead of the curve and avoid becoming a target, they need to appear unattainable to bad actors and that means removing the low-hanging fruit – the known but unpatched flaws in systems and software. This Data Privacy Day, rather than focusing on the tactics threat actors use, focus on identifying and blocking the attack paths they look to exploit.”