Businesses have entered an era of eternal data-harvesting, making data an extremely valuable commodity. And for that reason, as with any other high-value asset, it is vulnerable.
Unfortunately, unlike the hardware it is often stored on, data is by nature more like a liquid. It leaks through pores in systems and presents an easy target to be scooped away by prying hands. Various new regulations and fines are therefore being levied and implemented by governments to ensure data remains in the correct hands, posing a further threat to a company’s reputation in the event of successful attacks and forcing organisations to take responsibility for the data they hold on their customers.
To raise awareness of the ever-growing threat of data breaches this Data Privacy Day, we’ve spoken to a number of industry experts to garner their insights on how to exhibit best practice in data security and privacy during the forthcoming decade.
Clarity, consistency and customer-centric security
In light of GDPR laws, Tim Hickman, Partner at White & Case, says that reporting data breaches to the authorities and the affected individuals is not straightforward. “On the one hand, the GDPR requires companies to report data breaches to the ICO within a very tight 72-hour timeframe, as well as requiring companies to notify the affected individuals without undue delay. On the other hand, a company often cannot determine for certain, within that timeframe, whether it has suffered a data breach or not.
“It is always possible to report a data breach to the ICO with the option of providing additional information once an investigation has taken place. However, pre-emptively reporting a data breach can have serious adverse consequences because such a report effectively requires the company to admit that it has suffered a breach.”
Consumers will also demand clarity in the years ahead according to Andrew Tsonchev, Director of Technology at Darktrace. “Whilst regulation will no doubt grab headlines in 2020, we anticipate this will be the year consumers realise the value of their personal data and take back control by holding businesses to a higher standard of data privacy that extends far beyond just simple regulatory compliance.
“Large-scale data breaches, from Capital One last year to Marriott in 2018, have opened consumers’ eyes to the importance of holding businesses accountable. The question now being asked of organisations is not ‘which data regulations are you compliant with?’ but ‘what exactly are you doing to keep my data safe?’”
Nicola Pero, CTO of Engage Hub, comments that Data Privacy Day reminds us why customers are increasingly wary of how brands are using their data. “Research shows that 65 per cent would stop using a brand that was dishonest about how it was using their data. This percentage seems poised to grow further and further in the years to come, driven by a core group of influencers for whom data privacy is a hot issue with political connotations, similar to climate change or gender inequality”.
Pero adds that “new legislation has made keeping large amounts of data expensive (because of all the expensive controls that are required), limited the ability of selling data to third parties, and introduced the requirement to delete data as soon as it's no longer needed. It's better for businesses to focus on becoming excellent at dealing intelligently with time-sensitive interactions using the data that the customer provides of their own will on that occasion, but discarding most of it afterwards. Brands will try to be less ‘big brother’ and more ‘best friend’.”
Securing critical processes
Chris Huggett, Senior Vice President, Europe and India at Sungard Availability Services, argues that the results of an IT outage are often overseen under the terms of GDPR. “As a server or organisation’s infrastructure is down, data is then at risk of exposure and therefore a company is at risk of failing compliance. IT and business teams will need to locate and close any vulnerabilities in IT systems or business processes and switch over to disaster recovery arrangements if they believe there has been a data corruption.”
The importance of securing business-critical accounts mustn’t be overlooked, according to David Higgins, EMEA Technical Director at CyberArk. “More often than not, attackers are pursuing credentials that they can use to infiltrate businesses and target sensitive and valuable data. Attackers seek ways to cause irreparable damage across a whole range of industries, from seizing companies’ administration logins to hacking into medical data so as to hold individuals to ransom over the disclosure of sensitive personal information. As a tragic, but potentially realistic scenario, this could even result in a doctor being unable to perform a life-saving operation due to a lack of availability of the patient’s records, for example.”
Higgins concedes that hackers will “inevitably be successful from time to time” and argues that “addressing this threat and limiting how far they can infiltrate a network after a successful breach is imperative in order to safeguard national security. The infiltration or compromise of CNI, for instance, could plausibly result in the loss of control of public services such as utilities, healthcare and government, posing a severe risk to public safety. This Data Privacy Day, we need to take a step back to not only understand the value in the data we hold, but also the importance of only allowing individuals and systems that need it to access it.”
Steps to overall security
In the age of social media and sharing of personal information, many forget that privacy is our right, and protected by laws such as Article 8 of the European Convention on Human Rights, according to David Warburton, Senior Threat Research Evangelist at F5 Networks.
“Most of us will download a new app without knowing how our data is being used and shared with others.” Warburton questions “even if we know, do we really understand the impact? How do we keep up with all the rapidly shifting and increasingly sophisticated privacy threats?
“If you do anything this Data Privacy Day, make it a positive step to enhance your business’ privacy stance by reinforcing the importance of cybersecurity and the dangers of social engineering. This should include robust employee awareness programmes that evolve in line with new social platforms and ensure a culture of responsible sharing.”
But it isn’t just individual employees that need attention, he says. “Attackers can also target specific organisations via employee details on company and partner websites. Information such as ownership records, SEC filings for public companies, lawsuits, and social media, all provide insights that can be used maliciously. Every business should periodically review any information shared on associated websites and social media pages to determine if the content is essential.”
Euan Davis, European Lead for Cognizant’s Center for the Future of Work, thinks that we will see new roles emerge within security departments, requiring different capabilities to the jobs that we see on offer today, including Cyber City Analysts, Cyber Attack Agents, Juvenile Cybercrime Rehabilitation Counsellors and Cyber Calamity Forecasters, all of whom will be required to defend data privacy.
“These represent just some of the jobs that will emerge as a part of the changing employment landscape, combining human strengths, such as imagination and ingenuity, with new technologies such as AI and robotics”, Euan added.
Chris Hodson, CISO at Tanium, places his faith in employee engagement and training to help safeguard data privacy, stating that businesses must consider whether they are helping employees understand how attractive personal information and data is to cybercriminals. “Organisations need to effectively engage senior leadership and board members to ensure they are actively encouraging incident response planning and tabletop exercises that will grow employee knowledge and improve data protection across the organisations”, he says.
Act now, thank yourself later
It is clear that many organisations lack an appreciation of the value and extent of their data assets. In our new data-rich world, businesses play host to huge troves of sensitive information that can easily fall into the wrong hands.
To maximise the strength of their digital fortifications and prevent the theft of data, this Data Privacy Day businesses must heed the above advice, as well as prioritising timely upgrades and employee training, and implementing patches as soon as they become available. With hoards of priceless data on the line, every moment counts when it comes to defending privacy.