Data Privacy Day is Jan. 28. While in theory every day should be Data Privacy Day, having an annual day to focus on promoting these concepts can help build awareness and share useful information.
In my experience data is best protected by utilizing encryption both for at-rest and in-transit information, multi-factor authentication, strong group- and role-based access permissions and strictly limiting data to company-owned systems that have been locked down to prevent the malicious or unintentional loss or theft of data, such as by blocking the use of flash drives and using data loss prevention software.
SEE: Hiring Kit: Security Analyst (TechRepublic Premium)
I received input from eight industry leaders regarding the focus companies should rely on to keep data private. Here are their insights.
Rajesh Ganesan, vice president of product management at ManageEngine, recommended on-premises applications to keep sensitive data within geographical boundaries and to facilitate better control of business data. He referenced the increased safety and regulatory benefits as well as cost advantages and recommended data protection to be built right from the design stages of all services and operations.
“Moreover, data protection should be present as a strong, invisible layer; it shouldn’t hamper operations, nor should it require big changes or specialized training. It’s best to educate employees on the do’s and don’ts of data protection in a way that is contextually integrated into their work, as opposed to relying solely on periodic trainings. To do this, leaders should implement alerts in the system that pop up and inform users about any violations to data protection policies the users’ actions are causing. Such alerts help employees learn contextually, and ultimately, this training results in fewer data management errors,” Ganesan said.
Ricardo Amper, CEO and founder of Incode, cited facial recognition technology as a data privacy concern due to reported mishaps that have made businesses and consumers shy away from digital identity.
“There are a lot of misconceptions about how facial recognition technology is currently used. However, despite the reported privacy mishaps and concerns, there is a true inclination among consumers to embrace this technology. Trust is essential and is often missing when consumers aren’t in the forefront of the conversation around privacy.
The individual must be put first, which means getting their consent. The more an individual feels that they can trust the technology, the more open they will be to using it in additional capacities.”
David Higgins, technical director, CyberArk, referenced the problems with software bots which can have sharing issues therefore requiring companies to better protect the data that these bots access from being exposed. He warned that if bots are configured and coded badly, so they can access more data than they need to, the output might be leaking that data to places where it shouldn’t be.
“In the U.S. alone, there are several disparate federal and state laws, some of which only regulate specific types of data—like credit or health data, or specific populations—like children. Following the correct regulations stemming from the many different international laws that aim to ensure data privacy, such as GDPR, means that compliance for companies with global operations becomes an extremely complex undertaking,” said Keith Neilson, technical evangelist at Cloudsphere.
Given such complexity it behooves organizations to appoint a data privacy czar or even team to master the organization’s awareness of laws and regulations and ensure compliance.
Neilson stressed the importance of cyber asset management, pointing out that e-enterprises cannot ensure compliance and data security unless all assets are properly known, tagged and mapped in the cloud. It’s also a key priority to understand connections between business services, he said. “This includes identifying misconfigurations and automatically prioritizing risks to improve overall security posture, allowing for real-time visibility and management of all sensitive data.”
Rob Price, principal expert solution consultant at Snow Software, touched on the significance of the dual concepts of data retention and recovery:
“When it comes to data protection, organizations need to understand what they are legally obligated to do. This is especially true when it comes to data retention, as organizations need to understand how long they must keep data. Once their data retention period ends, organizations should get rid of excess data they no longer need because it quickly becomes a liability as well an unneeded expense.”
Price said it’s a common misconception to think that offsite or cloud-based data is not your problem to secure. He cited two fundamental factors for data protection and security: the recovery point objective (how old data can be when you recover it) and the recovery time objective (how quickly you can recover the data).
Bojan Simic, CEO and CTO of MFA cybersecurity company HYPR, talked about the threat of ransomware attacks to data privacy. He advised disconnecting impacted computers from the network to keep data from being seized and malware from spreading. It’s also crucial for end users to work with their IT departments to fully investigate (with help from law enforcement and a professional incident response firm) and remediate the attack, he warned.
Furthermore, he pointed out the risk to business reputation and finances in terms of notifying customers of a data breach and possibly providing them with services that help protect them beyond that.
SEE: SMB security pack: Policies to protect your business (TechRepublic Premium)
Lewis Carr, senior director of product marketing at Actian, followed suit in discussing ransomware trends for 2021 and beyond.
“2021 was one of the worst years for cybersecurity ransomware attacks to date. The threat will only grow in the upcoming year as attackers become emboldened by their success and the lack of adequate responses against them. However, data privacy will be driven by changing perceptions of how important it is for public and private sector organizations to safeguard personal data and what exactly is considered ‘personal data.’ The need to protect personal data and information will impact where and how data is stored, integrated and analyzed in accordance with an expanding set of data privacy regulations, balanced against the need to better understand consumers, citizens, patients and employees working remotely,” Carr said.
Carr foresees that 2022 will offer more granular personal information and data sharing options as to how we control them—on our devices and in the cloud—specific to each company, school or government agency. He also predicts that companies will start to get some visibility into and control over how our data is shared between organizations without us involved.
“Companies and public sector organizations will begin to pivot away from the binary options (opt-in or opt-out) tied to a lengthy legal letter that no one will read and will instead provide the data management and cybersecurity platforms with granular permission to parts of your personal data, such as where it’s stored, for how long, and under what circumstances it can be used. You can also expect new service companies to sprout up that will offer intermediary support to monitor and manage your data privacy,” he said.
Rina Shainski, chair and co-founder of Dualiy Technologies, pointed out that two key questions to ask on Data Privacy Day are “How can we increase the business community’s understanding that privacy is a necessity for enterprises both large and small?” and “What will incentivize businesses to proactively integrate data privacy protection into their day-to-day operations?”
Pointing to the risks of collaboration on sensitive data, both within and between enterprises,Shainski discussed the growing ability of privacy-enhancing technologies to operate at scale across a wide variety of use cases. “This enables this collaboration to be done in a manner that not only generates value, but also preserves the privacy and confidentiality of that sensitive data, increasing consumers’ confidence that their data is not being misused while maintaining compliance with growing privacy regulations,” she said.
PETs allow sensitive data to be analyzed without exposing the protected data itself, she explained, which supports enterprises in their quest to extract value from the sensitive data that they curate, protect and manage.
Shainski also stressed the consumer side. “Consumers are increasingly aware of their privacy rights and are often reluctant to compromise them, even at the expense of missing out on new services. Businesses today must take this into account when building new digital services if they want to develop trustworthy data-sharing relationships with consumers. In addition, given the expanding scope of data privacy regulations, businesses often need to re-engineer their existing processes in order to guarantee more extensive data privacy protection,” she said.
Shainski added that data privacy regulators are showing strong acceptance towards PETs as appropriate technological means to be used by regulated organizations when implementing data-collaboration processes and added that satisfying regulators’ demands and bolstering public trust will help business leaders to benefit from privacy-enhancement of their processes.