2018 saw the implementation of GDPR finally become a reality, yet data privacy has still presented a huge issue for many companies and businesses globally. With social media giants seemingly selling our data to third parties, NHS staff supposedly reading patient records without good reason, and the questionable way in which banks may be using our data to make money, the chances of our data falling into the wrong hands appear to be bigger than ever.
Consequently, data privacy is now more crucial than ever, and providing individuals and businesses with the correct education and information is key to ensuring our data is consistently in safe hands. Below, six industry experts give their take on why data security needs to be at the heart of operations, and their opinions on what can be done to ensure better data protection.
The crucial importance of data privacy in 2019
“Data privacy is not just a corporate or individual issue that affects digital lives, it can be a route to compromising citizen safety” explains David Higgins, Director of Customer Development, CyberArk. “This Data Privacy Day, organisations should encourage their entire workforce – not just IT teams - to re-evaluate how they secure and manage data.
“Data has become – arguably – the world’s most valuable asset, and data which could be used to wreak havoc on citizens’ lives is a tempting target for attackers. Compromised credentials that lead to a data breach could mean that incredibly sensitive data becomes available. Administration log ins to critical national infrastructure (CNI) systems, for instance, or medical data that could be used to profile or compromise key individuals in Government to help carry out a successful attack, like accessing the plans of a nuclear power station in order to learn how to shut it down.
“Infiltration or compromise of CNI could – very conceivably - result in the loss of control of public services such as utilities, healthcare and government. This consequently represents a severe risk to public safety. These are attacks on the fabric of our everyday existence. This Data Privacy Day, we need to recognise just how important a commodity it is.”
The invasion of privacy
Dr Darren Williams, Founder and CEO of BlackFog agrees that, “following a year of data scandal, data privacy day comes at a pivotal time for organisations across the spectrum. Privacy will undoubtedly come to a breaking point in 2019, with the existence of GDPR in Europe and similar laws under development in the United States and Australia. Citizens are now becoming aware of the invasion of privacy from social network platforms, major tech companies and even major governments around the world.
“And this invasion of privacy is leaving citizens vulnerable to attack. As every single – seemingly innocent – application or website they visit continues to collect some form of data about their usage and identity, this is allowing hackers to attack from every angle – profiling a person’s behaviour as they browse online on their devices and, in many cases, stealing their personal data.”
Williams notes that, “while each attack is different, we can say that about 20 per cent of all data flowing from a person’s device is being sent to China, Russia and the Ukraine on a daily basis” (based on internal data collected by BlackFog). “This can include personal information and files on the device itself. As consumers fight back against tech giants and demand more control over their personal data, data privacy day has never been more important.”
The digital age challenges
Tristan Liverpool, Director of Systems Engineering, F5 Networks also explains how advancements in our digital age are creating further challenges for data privacy today. “Corporate cloud literacy is becoming an operational prerequisite as technological progress accelerates in EMEA. The explosive proliferation of applications, and their associated data, has created a vast new playing field for cyber-criminals in the cloud. Today, the fear of attack is constant.
“We urge businesses this Data Privacy Day to rethink where their priorities lie in an increasingly complex and shifting IT landscape. An immediate priority should be to secure all business applications. This will allow organisations to gain a tremendous return on investment and manage multi-cloud deployments with greater certainty.”
Liverpool continues, “businesses adjusting their security strategies to focus more on applications and standardise on advanced security solutions have the freedom to deploy apps with efficient control and flexibility, while ensuring their customers’ data is kept safe. They also gain confidence to innovate and sustain business performance. Discerning customers valuing their identity and information will inevitably choose brands based on security and data management credibility.”
Why data privacy is more crucial than ever in the retail sector
According to Richard Bennett, Head of Advisory Services Business Solutions at VMware, the industry that most needs to focus on data privacy this year will be retail: “Consumers increasingly want retailers to provide personalised, seamless experiences based on their previous shopping habits, and as a result, high street retailers have struggled to compete with more established e-commerce players and their greater volume and command of data.
“Nonetheless, the pressure to safeguard customer data is immense, and even without GDPR, consumers now pay far greater attention to data privacy, sovereignty and security than in previous years. VMware research into consumer expectations of the retail industry recently revealed that misuse of data is the reason 55 per cent feel put off buying from a retailer. This shows that any industry looking to harness the power of customer data must therefore ensure security is their primary focus.
“Retailers that fail to demonstrate how they are using data to deliver value, while keeping it secure, will struggle to prosper. Above all, they must remember that while the way consumers shop is changing, data breaches have become one of the key factors in determining brand loyalty. Those investing in retail technology must therefore put security at the heart of their investment to derive value.”
The first Data Privacy Day since GDPR
“As we approach the first data privacy day since GDPR has been in force, there is no doubt that analysing the effectiveness of the regulation will dominate.” Chris Hodson, EMEA CISO, Tanium, goes on to explain that, in his role as a CISO, he believes “there are many common misconceptions of GDPR.
“Firstly, we must remember that approximately 80 per cent of GDPR isn’t directly within the CISO’s purview. The whole business, most notably the DPO, must be responsible for driving data privacy across the enterprise. The security function can certainly help with the “how” of data protection and must be responsible for putting the processes in place to ensure that data is safeguarded. However, we are often very little use in ascertaining the “why” of data collection. For a security team or CISO, it’s about ensuring that controllers (and processors) carry out data processing in a transparent fashion. It’s about making sure that information is not left lying around in servers ad infinitum.
“That’s why the best defence is a model for qualification and assurance. That means having real-time visibility of the data stored across your network and where threats and vulnerabilities exist. But it also means taking a role in educating our boards, executives, and fellow employees on their role in protecting data: choosing systems and practices that support GDPR principles and maintaining practices that safeguard customer data in the long-term.”
Chris Huggett, Senior Vice President, Europe & India, Sungard Availability Services agrees that “GDPR sent organisations across Europe into a tailspin over their data storage and privacy procedures, and months on, only 59 per cent of companies believe they are GDPR-compliant. The amount of data we produce every day is truly mind boggling. There are 2.5 quintillion bytes of data created each day at our current pace, and that will only accelerate with the growth of the Internet of Things (IoT). Over the last two years alone, 90 per cent of the data in the world was generated.
“A growing issue, as shown by O2 and TSB in the past 12 months, that is often overseen in terms of GDPR, is the result of an IT outage. There is no point in having resilient hosting and secure clouds if employees can’t connect during an outage. As a server or organisation’s infrastructure is down, data is then at risk to exposure and therefore a company is at risk of failing compliance. Securing your business and personal information takes diligence, consistency and maintenance. When an outage occurs, businesses must know exactly how to react immediately. IT and business teams will need to locate and close any vulnerabilities in IT systems or business processes and switch over to Disaster Recovery arrangements if they believe there has been a data corruption. Business units need to invoke their Business Continuity Plans and organisations need to stand up their executive Crisis Management Team.
“An organisation’s speed and effectiveness of response will be greatly improved if it has at its fingertips the results of a Data Protection Impact Assessment (DPIA) that details all the personal data that an organisation collects, processes and stores, categorised by level of sensitivity. If companies are scrambling around, unsure of who should be taking charge and what exactly should be done, then the damage caused by the outage will only be intensified.”
Adam Mayer, Senior Technical Product Manager, Qlik says, “respecting data privacy rights is something that all employers must be confident with, especially in the GDPR era, where being open and transparent about the use of personal data has become increasingly paramount.
“Just last week Google faced a huge £44m fine by the CNIL for breaching privacy rules, and privacy group NOYB claimed Spotify, Netflix, Amazon and Apple are also breaking GDPR rules.
“When it comes to supporting staff with data protection regulations, companies must ensure that strong data governance policies are in place and that all employees know them and understand why they are important. Being data literate - the ability to read, work with, analyse and argue with data - is the key to unlocking this understanding and building customer trust in the long-term.
“Organisations need to embrace their ownership of personal data from the top down and empower all their staff to have a good level of understanding of data and how it is stored, managed and used. After all, when everyone is data literate, everyone can play their part in keeping the organisation on the straight and narrow, avoiding hefty fines and penalties.”
Being prepared with the right prevention solutions
Dan Turner, CEO, Deep Secure believes “it’s always best to assume that cybercriminals are better at attacking than you are at detecting them. Indeed, most ‘detect and protect’ technologies, like data loss prevention systems, are not sophisticated enough to identify new exfiltration methods. Steganography, for example, whereby a cybercriminal can encode both the initial infection and then the information it wants to steal into the pixel data of images, is largely undetectable. Whether the images are sent out in emails by a malicious insider, a tactic used by Chinese spies stealing turbine information from General Electric, or remotely infected and controlled by a hacker, detecting and protecting against data exfiltration has never been tougher. Indeed, our researchers found that a cybercriminal could completely bypass conventional defences and extract as many as 300,000 credit card details in just 50 images. In 2019, we must concede that detect and protect technologies are no longer enough to assure the privacy of data. Instead, developing new prevention solutions, like content threat removal that can completely remove any “hidden information” from coming into or out of an organisation, is the critical next step for the cybersecurity industry.”
2019 is now well under way, and January, thanks in part to Data Privacy Day, has been an opportunity to reflect on the learnings of 2018 when it comes to protecting data. The focus should now be on reviewing existing data privacy and security procedures and ensuring they are embedded into every operation and part of the business. Although GDPR has raised the bar, all organisations need to ensure they regularly review and update their data security strategy if they want to remain compliant.