“Data Privacy Day, like many of the new man-made holidays, can come across as a day dedicated to marketing fodder. However, this does not mean the root message behind the day is not valid,” said Stan Christiaens, CTO and co-founder of Collibra in one of a slew of industry comments sent to SC Media UK.
Not the biggest fan of these artificial constructs ourselves, SC wholeheartedly concurs with both sentiments - including the second, which makes today an opportunity to share industry insights. Building and ensuring trust are the key issues, and there are recurrent themes such as education, awareness, going beyond GDPR/compliance and implementing best practice; however, people’s concerns do differ, as our range of viewpoints on today’s theme demonstrates:
Peter Carlisle, VP at nCipher Security:
“Organisations are failing to measure up and trust is significantly lacking when it comes to how companies and entire industries protect our personal data. On Data Protection Day it's important we address this mistrust and the way in which organisations prepare to face a potential data breach.
“Based on our research, the technology industry is currently trusted by only 28 percent of people in the UK when it comes to protecting our personal information. Building confidence means not only prioritising security, but taking the necessary and visible steps towards it – from implementing encryption and deploying hardware security modules (HSMs) to protect the encryption keys to installing software updates and regularly updating passwords.
“Eight out of 10 people in the UK have never been asked by their employer to hand over login or password credentials before changing or leaving a position at a company. In 2020 password and overall workplace security must be placed at the top of the priority list in order to avoid fatal data breaches.”
Jan van Vliet, VP and GM EMEA, Digital Guardian:
“Not all types of data are as sensitive or vulnerable as others, and it's for this very reason that data discovery and classification techniques are crucial parts of any organisation’s data security strategies. It is imperative that, as businesses continue to generate data at unprecedented rates, IT security professionals are able to quickly identify which items are the highest priority for protection.
“The first step is to understand what value each piece of data has, where it is being used, whether it needs to be encrypted, and how employees or third parties are interacting with it. This information is central to helping organisations make informed decisions about how to manage and secure data appropriately.
“It’s not a one-size-fits-all approach, but done correctly, it can greatly assist companies in meeting governance and compliance regulations, as well protecting intellectual property.”
Jay Ryerse, chief technology officer, security products at Continuum, a ConnectWise company:
“We are starting to hear from colleagues and our customers that data protection must be built into everything we do as service providers. Our clients understand that we have the keys to their network and will need to have controls in place to protect their data while at rest, during processing, and when in motion. Our colleagues demand we take the confidentiality of their personal data as a serious matter.
“Service providers need to fully immerse themselves into the threat landscape and the best practices associated with securing data. Without cyber-security, there can't be privacy. This deep dive includes the governance aspect of data protection as well as the technical and physical controls necessary for the confidentiality, integrity and availability of data.
“Consumers and businesses need to start asking the tough questions of their vendors. They need to understand the supply chain for the services they outsource and what those companies are doing to provide best in class cybersecurity protections. And if those vendors don't have a good answer or don't believe they are at risk, then it may be time to find a new provider.”
Samantha Humphries, senior product marketing manager, Exabeam:
“In a 2019 Forrester survey, respondents revealed that 48 percent of data breaches in their organisations were caused by insider threats. This has been trending upward in recent years, resulting in tightened security rules and monitoring that leaves some employees concerned about their data privacy. This year on Data Protection Day, I encourage IT teams and HR departments to collaborate on a plan that communicates to employees what data your company is monitoring, and why. This is a best practice that will pay dividends as everyone wants to work with organisations that respect the privacy and security of their customers and their people.
“Companies should aim to be transparent about data monitoring and craft policies for employees that are accessible either through paper or digital trainings. Content should avoid confusing jargon and feature an appropriate contact person, who can answer any questions. Even for organisations that are not required to comply with data privacy laws like GDPR or CCPA, it’s still a good idea to use these five points as guiding principles for data protection:
· Is the data monitoring lawful, fair and transparent?
· Will the personal data collected be used for a specific purpose?
· Is every reasonable step being taken to erase or rectify data that is inaccurate or incomplete?
· Is data deleted once it is no longer necessary?
· Is the data being appropriately secured?
“To achieve and maintain privacy, the key is education. Data Protection Day, therefore, serves as an annual reminder for organisations to review privacy policies with employees and conduct audits for compliance, especially during times such as this, when new laws like CCPA have recently taken effect. This can reassure skeptical employees that their accounts are protected and that their privacy is maintained, while also safeguarding organisational data.”
Setu Kulkarni, VP, strategy and business development, WhiteHat Security:
“Trust and privacy are the cornerstones of security. For society to work, physical entities need to trust each other and ensure privacy. Today, where a doctor is using a digital assistant to capture notes, and you are using web and mobile interfaces to interact with the doctor, there are digital representations of physical entities in play (digital assistants, web and mobile apps) that need to afford the same (if not higher) levels of trust and privacy to you and the doctor. Systems will need to change soon to accommodate this status change of digital entities. Digital entities will become at-par with physical entities, and the social contracts as we know them will need to change to ensure the trust and privacy boundaries across humans, systems and data are upheld.”
Rob Mellor, VP and GM EMEA, WhereScape:
“Data Privacy Day serves as a reminder to remain proactive in protecting and managing your data. To stay compliant with privacy regulations such as GDPR and CCPA, knowing where each piece of data sits and who can access it is essential. Tagging the data and then tracking its lineage also helps organisations better understand its usage. Data must then be stored in a location with fast and adaptable extract capabilities, to further data protection and comply with subject access requests.
“Organisations with a large number of data sets can experience significant challenges, since manually processing all of the information can be time-intensive and error-prone. One solution many organisations are turning to is data infrastructure automation, which is helping companies ensure all data is tagged, identifiable, auditable and quickly retrievable. Companies can then more easily prove their level of data privacy compliance to regulators and customers, and be better prepared for data privacy regulations today and in the future. Data infrastructure automation additionally allows organisations to fully optimise and auto-generate code in-house rather than rely on non-standardised custom code generated by third parties. This further reduces an organisation's data privacy regulation risk.”
Jitesh Ghai, SVP and general manager, data governance and privacy, Informatica:
“It’s heartening to see that data privacy is now a boardroom priority for every business. Privacy isn’t just a compliance concern; it has broader implications for the business. It’s data that drives competitive differentiation, and companies that take privacy seriously are five times more likely to have their customers entrust their data to them, which in turn helps drive key strategic business initiatives, such as customer experience, supply chain optimisation, and new product and services innovation.
(However) “Businesses are failing to appreciate that data governance is the bedrock for data privacy. Focusing on data privacy governance aligns an organisation to drive business value, by providing best practices for discovering data, who’s using it, who it belongs to; understanding risks for prioritising remediation; and protecting personal data exposure as the key to building trust with consumers.
“In reality, data governance enables greater data democratisation while supporting data privacy. By putting de-sensitised data insights into the hands of data-driven leaders and subject matter experts from across the lines of business and IT, as opposed to just one data scientist, businesses can empower employees to utilise data-led insights to collaborate and deliver successful outcomes that build trust and improve customer experience.”
Jasmit Sagoo, senior director, head of technology UK&I, Veritas:
“Data Protection Day serves as an important reminder of the significant value of data in today’s digital economy and why it needs to be protected. Hackers are using increasingly sophisticated attacks to hold companies to ransom. The rise of social media, online banking and e-commerce mean our digital footprints are bigger – and riskier – than ever.
“While the burden is on businesses to safeguard consumer data, today should also serve as a reminder for consumers, who can get in control of their own data by checking the preferences they’re enabling online. Data Protection Day may be a one-day event, but it’s imperative to maintain good privacy practices year-round.”
Richard Wadsworth, VP delivery operations at Contino:
“Security is the first concern for organisations. It’s worth organisations considering what their first step towards enhanced security should be. Breaking down silos between teams and ensuring everyone is responsible for security is a good starting point. If applications are built by development teams with security in mind, Ops can deploy them faster and with peace of mind, knowing that Dev understands how important reliability and security are.
“Security patches should be quick and automated—and not take months to complete. Similarly, when designing APIs and new features, it should be done with an eye on future releases so you don’t end up with technical debt and are unable to patch your system for fear of breaking something.
“As businesses continue to embrace cloud, it’s important to remember that it operates on a shared responsibility model. This means that the cloud vendor is responsible for the security of their cloud platform, but businesses are responsible for the security of data in the cloud platform. Having security policies in place that can be scaled across your organisation goes a long way in securing cloud-native applications.
“Ultimately, security needs to be step-zero for every process put in place. By having a security-first approach built around a combination of tactics, businesses can ensure data security is a top priority – for Data Protection Day, and every day after.”
Terry Ray, senior vice president and fellow, Imperva:
“As more organisations turn to cloud environments to store their data, today serves as a stark reminder to businesses to ensure compliant data privacy practices are maintained.
“Businesses are reminded to find a balance between their security and regulatory needs, the expertise of their technical staff and security enabling technology. It is this discrepancy that can lead to simple security mistakes that shouldn’t happen.”
Roger Magoulas, VP of Radar, O’Reilly:
“The goals for Data Protection Day are the same for everyone – to raise awareness of data privacy and protection issues and to encourage best practices for both businesses and users.
“But what should we pay attention to? Understanding the concept of personally identifiable information, and why serious steps are needed to protect that type of information; becoming aware of regulation and how the regulation obligates organisations to behave; and engaging in dialogue with key constituencies to understand expectations and learn about best practices.
“While having a day to celebrate privacy and data protection is a start, for technology users, it is incumbent on them to arm themselves with enough knowledge to take appropriate precautions and carefully consider the everyday trade-offs they make between convenience and how their data gets used. Here are a few simple steps that can help users get started on improving their data privacy hygiene regime:
Back up your important data with strong encryption or through cloud services that promise privacy, security and redundancy.
Use appropriate passwords, two-factor authentication, and password managers for common sense protection.
Unplug when you can. The best way to protect your privacy is not to create data you don’t want to fall into the hands of others.
“This may seem daunting, but don’t despair. Investing a little time and common sense can bring peace of mind for those engaging the technology that surrounds us all.”
Joe Petro, chief technology officer, Nuance Communications:
“Consumers are hyperaware of the value placed upon their information, and Data Privacy Day serves as a reminder for all organisations to realise how important it is to act as stewards of the data entrusted to them, especially in the age of AI. Consumer trust matters more now than ever with repeated data breaches, reports of unauthorised data use, and increased regulatory scrutiny, and it needs to be top of mind.
“To realise AI’s potential benefits, organisations often must grant access to data and be able to trust their AI partners. This trust is built upon an ingrained sense of data stewardship that respects consumer privacy and treats their data as a precious resource, not a market commodity. The success of AI depends on establishing and maintaining consumer trust with an ingrained sense of stewardship that treats data privacy as a business requirement.”
Colin Truran, principal technology strategist at Quest Software:
“Businesses still need to move away from viewing data privacy as a simple check box exercise and consider the ethical responsibility. Legislation such as GDPR and the role of the ICO are pushing this mandate to the forefront and holding organisations accountable. It’s early days, but the foundations are starting to be laid and businesses need to start considering the impact of their actions. This will be another watershed moment, and one they may fall victim to, if unprepared.
“With organisations becoming more aware of the ethical implications we have to start considering data sovereignty, anonymity and ownership. One of our biggest challenges is human error and there is still a significant lack of understanding from the public on the true dangers of data misuse. Whilst we don’t know how our information will be used in the future, there is a lot we can do as individuals to protect our identities and perhaps by integrating data privacy into the national curriculum we can start to safeguard data from day one.”
Adenike Cosgrove, cybersecurity strategist, international, Proofpoint:
“Just because a business complies with a regulation, that does not necessarily mean it is doing everything it can to protect its customers’ personal data. For example, under the GDPR, the integrity and confidentiality principle states that organisations must implement ‘adequate security controls’ to safeguard personal data. Critically however, the regulation does not define what ‘adequate’ really means.
“An organisation could argue that their implementation of basic anti-virus protection and once-yearly data protection training for staff is ‘adequate’ – this may technically be regulatorily compliant, but is it really enough to keep consumers’ personal data safe from malicious attacks and data breaches? Today’s cyber-threat landscape has changed dramatically, with malicious actors favouring sophisticated, targeted attacks which rely on social engineering to capitalise on human vulnerabilities. ‘Adequate’ security simply isn’t enough. Defending against such threats requires an equally sophisticated strategy for the ongoing security of people, processes and technology.
“Regulatory compliance is often viewed as a check-box exercise and can be open to interpretation, so becoming compliant with regulations such as the GDPR should not be a primary driver of security. Compliance is an important step in the process as it can help an organisation discover critical gaps in its current security, but it should only be viewed as a starting point on the journey to true data protection and information security. Beyond the compliance check box, organisations need to implement industry best practices, understand their individual risk profile, and implement people-centric security strategies.”
Stan Christiaens, CTO and co-founder of Collibra:
“Considering the past scandals – Aggregate IQ and Leave.EU – and the massive political events to take place in 2020 – Brexit finally happening (?) and the US 2020 elections – this is a perfect time for businesses to stop and reflect on how they can improve their compliance and data privacy strategy. Consumers increasingly care about privacy, and they do vote with their wallets.
“Looking at how businesses can improve, the answer is simple: don’t be lazy, pay attention and ask questions. Claiming not to know and remaining ignorant on the main issues behind privacy and compliance is no longer an excuse – we’ve been on this road for years now and the signposts and pitstops on the way have been plentiful. Taking the road of least resistance and doing ‘just enough’ to comply is simply the wrong attitude towards doing businesses in the 2020s. We are way past the point that yet another checkbox on your website is sufficient. Data is the lifeblood of any organisation and if it is not protected and monitored correctly, it can cripple an organisation. Instead of thinking of GDPR – or CCPA for our colleagues across the pond – as an extra annoying daily exercise you have to do to comply with a new fad diet, it should be thought of as a fundamental health concern to keep your vitals in check. And remember, boards will measure those vitals.
“With political and economic uncertainty ahead, what remains is that businesses need to protect themselves and make sure they have the answers to crucial questions on how they handle their data. Questions like: is personal data being used, who owns it, where can it be found, what does it mean, why and where is it being stored, and whether it is trustworthy, need to be answered. Without these answers, businesses will either be made liable to regulatory fines or lose out on revenue because they were not prepared for the potential changes in how businesses in the UK, EU or US operate. So, while you may smirk on this ‘holiday’, make sure you keep this in mind: don’t be lazy, pay attention, ask questions.”
Fabian Libeau, VP EMEA, RiskIQ:
Paul Farrington, EMEA CTO, Veracode:
“There is a greater need to ensure security is a core part of the software development process going forward. As a new data-driven decade commences, businesses should empower developers by training them on best practices in secure coding and providing the tools to enable them to find and fix vulnerabilities in their software.
“We know that unresolved vulnerabilities that pile up over time, also known as security debt, can leave organisations exposed to data breaches. Hackers will continue to look for weak points at the application layer, which is still the predominant threat vector. By shifting security left, developers are able to fix vulnerabilities faster and more effectively, improving an organisation’s overall security and ultimately better protecting sensitive data. Across Europe, more businesses are learning that they are able to adopt application security without stifling innovation.”
Nigel Hawthorn, data privacy expert, McAfee:
“Over a year after the EU’s General Data Protection Regulation (GDPR) came into force, the regulatory bodies are changing their focus from guidance to full enforcement. The GDPR framework serves as a driver for organisations to revisit their current processes and take full responsibility for how they process and store personal data. As the UK leaves the EU, this legal responsibility doesn’t go away. The UK government passed the Data Protection Act 2018 to provide an equivalent law to GDPR. As we’re stepping into a new decade, we are seeing the rise of more regulations which put internet users first and a rise in the data stored in the cloud.”
“With the increasing reliance on the cloud, businesses need to rest assured that they have complete visibility and control over data regardless of where it is. According to our latest research, 40 percent of large UK businesses expect to be cloud-only by 2021. What we’re going to see in 2020 is even more data and applications shifting to the cloud – and where they migrate, cyber-criminals will follow.
“Today, we should recognise that the age of the cloud is here. Whether businesses are cloud-only or shifting towards a cloud-first approach, the key is to make sure it isn’t an easy target for cyber-criminals.”
Zachary Jarvinen, head of product marketing, AI and analytics, OpenText:
“It’s clear that 2020 will be the year that the rest of the data privacy iceberg begins to emerge. While regulations like Europe’s GDPR and the California Consumer Privacy Act (CCPA) have already been established, new regulatory developments surrounding data privacy are continually coming to light.
“Until now, most organisations have focused their efforts on structured information, but they must also be able to understand what PII is located in textual documents. Archived data, in particular, is an especially pressing concern for most enterprises. AI-powered solutions will be instrumental in locating sensitive data and managing it through automated workflows. Today, organisations will also need to establish internal data governance practices to determine who is accountable for data security and enterprise-wide policy, which may include creating teams that blend technical and regulatory expertise.
“It’s also a great time to get started with a career in the industry. Over the past four years there has been a 75 percent increase in jobs with “privacy” in the title. Privacy is hot. And, finally data protection is at the table for new initiatives and technology decisions.”
Elodie Dowling, EMEA general counsel, BMC Software:
“Data Privacy Day comes as a very timely reminder for customers and their service providers to continue to work towards updating their existing privacy standards to a compliant level, while ensuring robust security is in place to protect customer data. Most recently, European regulators have imposed £97 million in data breach fines, and businesses that operate within the cloud must remain vigilant to avoid similar penalties.
“It’s important once a business starts using a variety of cloud-based services and infrastructure to regularly carry out audits to ensure that systems and services being used remain compliant with data privacy laws. Under GDPR, personal data may not be stored longer than needed for the predefined purpose. Therefore, it’s important businesses implement retention periods, whilst having the ability to delete data effectively when retention periods have expired - both for data locally stored and in the cloud.
“Companies are able to achieve better data protection in today’s IT ecosystem through four critical measures.
1. Visibility – IT needs the tools to know where sensitive customer data resides, how it is being processed, and by whom.
2. DevOps – teams must be aligned to maintain security and compliance.
3. Integrity – IT must validate structured and unstructured data automatically, and ensure that stored data is intact.
4. Recovery – organisations must ensure data is recoverable in a timely manner in the event of any physical or technical incidents.”
Simon Wood, CEO, Ubisecure:
“A large cause for concern (around breaches) is when it comes to businesses building identity management functionality in-house. No matter how big a development team some companies may have, a lack of experience and resources in cyber-security areas like identity management means that building such features internally comes with increased risk. Faced by tight deadlines and pressure to get applications to market as fast as possible, teams are challenged to build functionality that properly adheres to privacy by design and proven security methodology. Often, we see the impact of not doing so through the breaches that take advantage of weak authentication policies and a failure to keep data privacy central to the whole design process.
“One way for tech leaders to solve this problem is to deploy Identity-as-a-Service (IDaaS) solutions - cloud-based authentication and identity software or APIs already proven and in use in the market. Such solutions allow teams to integrate identity features into applications as securely and as seamlessly as possible, without reinventing the wheel each time. Ultimately, this on-demand expertise reduces the risk of data breaches caused by employee-led error and places data privacy at the forefront of the development process.”
Gijs Roeffen, director IT & security, EclecticIQ:
“Here are a couple of simple tips to help keep your personal information secure:
“Swap PIN codes for biometrics
“When it comes to passwords and PIN codes, people are creatures of habit. People not only use the same password across multiple online accounts, they will also happily use the same PIN code for their debit card and their phone, or a generic PIN number. In fact, cyber-security specialist Tarah Wheeler recently shared the most common PINs used by smartphone users to secure their devices, and shockingly, the most common PIN number was 1234.
“Passcodes and PIN numbers can easily be captured from a glance over someone’s shoulder, or can be photographed or filmed from another mobile device. Biometrics, however, such as facial recognition or fingerprints, are unique to the user and can’t be obtained in either of these ways, making them a much safer option than passwords and PINs.
“Safeguard your SMS messages
“While it is possible to intercept SMS messages over the air, it requires multiple factors to be aligned to be successful. Attacks on SMS are often very targeted, since intercepting SMS codes requires specialist knowledge and hardware.
“Using two-factor authentication, however, is an effective means of defence against account takeover, so be sure to check your SMS is protected. Alternatively, look into using an encrypted messaging service. Apple’s iMessage service uses encryption, as does WhatsApp, which works across both Android and iPhone devices.”
Ashley Bill, enterprise data consultant, Micro Focus:
“Fortunately, life after the General Data Protection Regulation (GDPR) has seen organisations begin to change how they think about data privacy. While avoiding regulatory fines and reputational damage is often top of mind, savvy business leaders may also see the business benefits that effective compliance can bring: the ability to generate high quality, streamlined data that can be monetised through applying predictive analytics.
“By investing in optimised data management driven by compliance, organisations can effectively increase the value of their data. It not only saves them pouring significant amounts of time into making sense of exploding datasets, but also creates an environment where teams can effectively deploy predictive analytics to make informed decisions. Using insights gleaned from quality data, companies can better predict the preferences and behaviour of their target audiences to inform and maximise the potential of marketing, advertising and product development. Ultimately, accurately predicting what customers want and remaining a step ahead of competitors is the ‘holy grail’ of business success.
“If predictive analytics is essential for boosting business outcomes, data privacy compliance is a fundamental component. And looking ahead, it will be a major driving force behind the development of modern, ethical, data-driven organisations.”
Chris Greenwood, senior director and general manager UK&I, NetApp:
“Data privacy has moved beyond protection and is now a question of trust.
“We, as consumers, trust organisations to handle our data in a secure, standardised and accountable way. But with 60 percent of UK businesses planning to migrate apps and data to the cloud within the next year, the risks are high. Combined with the rise of 5G, edge computing and AI bringing about entirely new and disruptive ways to use data, this means organisations must ensure suitable safeguards are in place, tested and updated as we begin to unravel these various possibilities.
“75 percent of IT leaders anticipate that security will have the largest impact on their data strategy over the next 12 months. In order for privacy to succeed, it is the duty of companies and organisations to not only understand how and why data is being used, but also have the capabilities to remedy any ethical concerns which may naturally arise as new lines are drawn on what ‘is’ versus what ‘was’ acceptable as technology becomes ever more powerful.
“This can only be achieved by being able to see, access and conscientiously use data from any and every environment whilst affording the end user the means to control how and what data is there in the first place. Only then can user privacy truly succeed.”
Malcolm Murphy, systems engineering director, EMEA, Infoblox:
“Despite the hype, no one is actually doing ‘Zero Trust’ yet. Putting the infrastructure in place to enable organisations to verify anything and everything trying to connect to its systems before granting access is a really hard thing to do, as we can’t easily layer it onto existing technology at scale.
“As it stands, we’re nowhere near being able to implement the Zero Trust concept at a cost-effective level, and this is unlikely to change in 2020 - and our data privacy may suffer because of it.”
“This approach will remain difficult, expensive and inconvenient. I think it will take a catastrophic event or new regulation to make organisations invest in Zero Trust, it won’t happen on its own.”
Chad McDonald, VP customer experience, Arxan:
“We need to consider what businesses and consumers alike can do to better their privacy and avoid their data being leaked. Consumers should be more aware than ever, and businesses need to understand that once they gain the trust from their customers to store their data correctly, measures should be put in place to ensure this data is protected.
“The first thing consumers need to do is treat their personal information as currency, because the bad guys certainly do. This is not understood by many people, but personal information has monetary value, so they need to protect it as they would their wallet. Not all organisations are trustworthy, so it’s important not to trust that every business will keep data safe or assume that information is encrypted. Clear text storage of data, whether personal or not, is alive and well. It’s cheap and easy and will be a pervasive problem, so it’s always good to validate how information is stored.
“Consumers need to know their rights. They own their information so it’s therefore their responsibility to know who they share it with and how they use it. It should never be assumed that personal data won’t be sold. Many vendors with whom we share data have downstream data sharing and sale agreements with other data aggregators. The further someone gets from their initial share, the harder it is for them to maintain control of their personal information. Read privacy statements and be wary of those who will share personal data. If there’s the option of refusing to share data, choose it. With that said, it is important not to leave a trail of breadcrumbs. Consumers should request deletion of old accounts, of personal information and anything that may be leveraged to piece together someone’s digital identity. Innocuous pieces of information can in many cases be aggregated to provide some scary details.”
Richard Meeus, security, technology and strategy director, Akamai Technologies:
“Data Privacy Day should act as a stark reminder to businesses that the battle to protect their own and customers’ data is never won. Criminal hackers have shown frequently over the last year the value of personal data and we have seen big fines associated with the mishandling of these identity stores. Companies are in a position to foster more trust from their customers by showing good care over their data, allowing them to change what is stored instantaneously, and delete if necessary. Protecting these databases is now key to a company’s stability and its ability to do business. Lack of availability or integrity of identity data, or a breach of confidential information, can bite hard in the online world from both a regulatory and reputational point of view.”