
Is data privacy dead?: Cybersecurity experts share insights

This Data Privacy Day, we reached out to top security leaders to share their recommended best practices for data protection with readers. Here’s what they have to say:

Given the increasing reliance on technology in people’s lives, it is not surprising that we have generated a substantial amount of data in recent years, with estimates suggesting that we have produced approximately 64 zettabytes in the last few decades.

Notably, a significant portion of this data, potentially as much as 90 percent, was created in just the last two years. This highlights the importance and urgency of protecting data.

Data Privacy Day, an annual event observed on January 28th, is an opportunity to raise awareness about data privacy and discuss effective data protection strategies.

To mark the occasion, we reached out to top security leaders to share their recommended best practices for data protection with readers. Here’s what they have to say:

Failure results in fines

Charles Smith, Consultant Solution Engineer, Data Protection, Barracuda

Data privacy is a critical issue for organisations for two reasons.

First, businesses need to ensure that customer and company data, including valuable IP and financial data, is safe and secure and complies with national and international data protection regulations, such as GDPR in Europe. Failure to do so could risk a significant fine if there’s a data breach, as well as the loss of customer trust and damage to their brand reputation.

Keeping data private also helps to address the threat of data theft and ransomware attacks. Ransomware attacks are evolving, and cybercriminals will often steal data and threaten to expose it unless the ransom demand is paid, also risking financial loss and reputational damage. Ensuring that all data types are protected with end-to-end encryption is essential. Having the same level of encryption for backed-up data is also key, as many attackers also try to target backups.

Understanding ‘3D’

Christopher Hills, Chief Security Strategist at BeyondTrust

Organisations need to keep the ‘3D’s in mind – Data Privacy, Data Security, and Data Protection.

Ensuring the proper use of data or how it is accessed falls under Privacy. Data Security aims to protect the data from unauthorised access by implementing proper controls and mechanisms. Data Protection then covers the availability of the data and preservation along with proper deletion and/or destruction.

Understanding the differences across all three of these, their importance, and how each is applied across data is critical for business leaders to ensure they are handling the data properly.

Privacy is dead

Joseph Carson, Chief Security Scientist & Advisory CISO, Delinea

The end of privacy as we know it might be closer than you think. While definitions and personal perceptions of privacy vary between different nations and cultures, one common thread is that privacy is becoming less and less of an option for many citizens.

In 2023, deepfakes will become so authentic that it will be easy to steal our digital identities and, unconsciously, we are even helping cybercriminals by exposing on the Internet our “digital DNA”, including photos, videos, images, and audio, which give out a lot of information about ourselves.

But exposing our digital DNA gives cybercriminals the opportunity to not only steal our identities: they can become digital versions of us online. Cybercriminals can easily replicate the digital DNA and use it with the info they gathered online to create deepfakes so believable that it would be almost impossible to tell them apart from the originals without sophisticated technology not ordinarily available.

To protect your privacy, ensure that you are checking each application including what data is being collected and processed, and how it is being secured. If you’re only protecting it with a simple password, then make sure you’re using a strong passphrase, get the help of a password manager and activate multifactor authentication whenever possible.

Navigating data privacy can be complex

Sreedharan K S, Director of Compliance, ManageEngine (Zoho Corporation)

The competing standards for data protection across different regions create challenges in navigating the complex regulatory space. Organisations should be aware of variations of data protection regulations across different jurisdictions and accommodate them in their policies and procedures.

Corporations also need to be vigilant and conscious about transferring data. It’s possible that some of the former processes through which these transfers occurred are obsolete. Businesses must restructure their work procedures and examine how sub-processors handle data in order to shield data against potential threats and comply with regulatory requirements.

The data protection laws will evolve based on how effective they are. Organisations need to keep track of the evolving data protection landscape, review their processes, and embrace agility. To address the ever-changing requirements of data protection laws, cloud companies are localising their data and processes.

Data privacy vs data security

Giuseppe Brizio, CISO EMEA at Qualys

Relying too much on data privacy, to the detriment of data security, could be an issue.

Business leaders have to care about data privacy to ensure that only authorised people access the data that is necessary for them to perform their job, according to their role and responsibilities. This takes into account principles like “least privileged access”, to provide access only to the data required to perform the assigned job, and “segregation of duties” by assigning roles, responsibilities and boundaries in order to avoid conflicts of interest.

Data privacy, among other things, supports the purpose of preventing insider threat actors from perpetrating their malicious and/or fraudulent activities. Data security is the defense of data against malicious and accidental threats, by focusing on protecting it but also including infrastructure security, as data can’t be secured if the related infrastructure is not secured.

Remove low-hanging fruit

Bernard Montel, EMEA Technical Director and Security Strategist, Tenable

When discussing data privacy, we must also consider data security – you can’t have privacy without safeguarding it. Unfortunately, the daily headlines detailing numerous organisations that have fallen victim to cybercrime, with vast tomes of data compromised as a result, demonstrate that many are still finding this an impossible task. The issue is that threat actors know they can monetise their crimes by targeting valuable data with little fear of capture or punishment.

If companies want to stay ahead of the curve and avoid becoming a target, they need to appear unattainable to bad actors and that means removing the low-hanging fruit – the known but unpatched flaws in systems and software. This Data Privacy Day, rather than focusing on the tactics threat actors use, focus on identifying and blocking the attack paths they look to exploit.

Privacy is everyone’s responsibility

Brian Gin, Chief Privacy Officer, Trellix

There’s no doubt privacy is a priority — and Data Privacy Week is a great time to talk about how we all have a key role in protecting it. Sometimes, we as people and organisations make the mistake of thinking privacy is someone else’s job. When in fact, every one of us is critical. Everyone with access to personal information or who helps build a product that does — almost everyone in the workplace — is responsible for safeguarding it.

I continue to find that the most successful and trusted privacy programs are the ones encouraging and empowering all employees to be responsible for protecting data. People across all functions — marketing, sales, engineering, etc. — not only understand their basic privacy obligations, but also feel it’s their duty to advocate for the proper and ethical use of data. With this strong foundation, and a core belief that we all benefit when privacy is viewed as a fundamental human right, corporate privacy programs can shine. This needs to be the north star we follow.