Organizations and consumers alike need to consider the ways in which they can keep data safe and secure. As we navigate through a post-Brexit UK, a global pandemic, and the remote working environment, securing data against ever-opportunistic adversaries is vital. Below, cyber security experts weigh in on how consumers and businesses can protect and secure their data this year.
Data Privacy Day comment from Joseph Carson, chief security scientist at Thycotic:
“Data privacy will, and already is, evolving into a Data Rights Management issue.
Citizens’ privacy will continue to be under the spotlight in 2021. The end of privacy as we know it is closer than you may think. Privacy definitions are very different between nation states and cultures, however, one thing that is common is that privacy is becoming less and less of an option for most citizens. In public and online, almost everyone is being watched and monitored 24/7 with thousands of cameras using your expressions, fashion, walk, directions, interactions, and speech to determine what you need, what you might be thinking, who you are going to meet, who is nearby, and even algorithms that determine what your next action might be.
Regulations will continue to put pressure on companies to provide adequate cyber security measures and follow the principle of least privilege to protect the data they have been entitled to collect or process.
I believe the big question, when it comes to data privacy, is “How is citizens’ data being used, collected and processed?” Ultimately data privacy will evolve into Data Rights Management, which means rather than giving up personal data for so-called free use of internet services, citizens should and can get paid for allowing their personal data to be used for marketing purposes. It will become more about how the personal data will be used, and what monetization is resulting from the data. In the future everyone will become an influencer; the difference is how much it is worth.”
Commentary from Ed Williams, EMEA Director of SpiderLabs at Trustwave:
2020 was an incredibly impactful year for a number of reasons, one of which was data protection/data privacy. When I look at the work we’ve been conducting at Trustwave’s SpiderLabs, I see a specific emphasis on remote working solutions. While many organizations are being proactive with their assurance work, we’re seeing that this isn’t the case for all organizations.
When it comes to regulations, as we begin 2021, I believe that GDPR will still have an impact in the short term, regardless of Brexit. Coupled with the digital transformation we’re seeing with organizations moving to the cloud, there are plenty of areas for organizations to come un-stuck. Businesses must be sure to remember that the cloud has a ‘shared model of responsibility’, in that both parties must ensure the security and privacy of data.
Moving forward this year, if the strategy for privacy fell under my remit within my organization, with my penetration test hat on, I’d focus on looking to ensure that appropriate security and privacy training is given to all staff. Given that many organizations are now working from home, potentially using equipment that isn’t specifically work-related, and with threats and vulnerabilities abounding, being able to identify these threats is imperative. Secondly, I’d focus on the data itself. Data is always valuable to the bad guys, and ensuring that data is managed correctly should also be a focus. Policies and procedures for data should be updated given the recent home working trend, with appropriate training and technical controls.
To round off, at a high level there are several broad security practices that can help with data privacy and protection; however, the two I’d prioritize are:
- Enable multi-factor authentication on services, especially those that you value, email being a good example of this, and I’d also consider using a password manager.
- Always update software and operating systems to the latest versions available to protect against the ever-growing threat of ransomware.
Commentary from Adam Brady, Director, Systems Engineering, EMEA, at Illumio:
“With this Thursday being named as a day to recognize data privacy or data protection, it’s a great reminder that data protection should be a top priority for organizations every single day. And a big part of that should be stopping the spread of breaches to prevent access to PII.
Ransomware is in the news almost daily, and that’s only going to continue for the foreseeable future. Organizations need to take the more pragmatic approach of assuming breach and consequently maintain an ongoing focus on protecting the data they store. Privacy and consumer data is such a high-value currency that if an attacker knows what they have, they’ll exploit it for every last penny.
For organizations looking to secure PII, micro-segmentation as part of a Zero Trust approach is a critical control. Traditional segmentation of the network is no longer enough to prevent the kind of lateral-movement-based threats we see. Forward-thinking enterprises need to be thinking about visibility and micro-segmentation, where they can easily isolate high-value applications and environments, prevent lateral movement, enforce granular security policies, and apply the Zero Trust posture of “never trust, always verify”.
Although we hope measures are already in place, today is a good reminder for organizations to pause, take stock and ensure they are protecting data to the best of their ability.”
Paul Dant, Vice President - Product Management at Digital.ai, comments on how security can be built into the application pipeline so that data stays secure when customers use an organization’s app:
“Companies that require access to our data need to take responsibility and ensure they are putting all the relevant measures in place to secure this data as much as they possibly can. Apps often hold the most amount of data and they are tools everyone around the world uses every single day so we need to start at the beginning of this process and consider how we can ensure data privacy when handling applications.
Any company that requires its customers to use an app needs to implement Agile development methodologies with a DevSecOps model, leading to system security with operational visibility that can identify and thwart hackers from attacking and disrupting the privacy of the company’s data. Allowing the entire software development team to have a fully integrated view into the product development lifecycle, and allowing them to have the understanding and knowledge of the importance of securing and testing a device, will go a long way in helping organizations do their utmost to provide excellent data privacy. This will ensure the company is on track to achieving its business outcomes because consumer trust is intact and its customers are retained. With the proper security measures in place, a data breach is less likely and therefore their data remains secure and private, and the integrity of the company itself remains intact.”
Mike Wood, CMO at Versa Networks, comments on the importance of securing a remote workforce this year:
“We anticipate some drastic changes to the world of work as companies re-evaluate their use of traditional workspaces. With this in mind, organizations that have managed to scrape by on ill-suited and outdated remote working set-ups need to take the opportunity to adapt their operations with a more long-term strategy. To enable a hybrid workforce, security is key, and integrating solutions such as SASE, which includes services such as Secure SD-WAN, SWG, ZTNA, and segmentation, will allow the best security practices an organization can put in place. Investing in and implementing solutions that can ensure the privacy of your remote workers’ data is key this year and going forward, because who knows how long we’re going to be in a situation where companies are supporting a hybrid workforce.”
Chris Strand, Chief Compliance Officer at IntSights, comments on how individuals and companies can keep their data safe now that the UK has left the EU:
“On Data Privacy day there are many perspectives on the protection of data that come to mind. I believe that an important example to focus in on is the rate of change that the world has experienced recently, and how that change has affected the value of data. Recent world events have accelerated the focus, concern, and value of data at all levels.
For example, the recent departure of the UK from the EU means that individuals and businesses alike need to understand that the EU GDPR no longer applies to the UK. That said, the Data Protection Act 2018 (DPA 2018) continues to apply for the UK, and it incorporates provisions of the EU GDPR with some adjustments and amendments that apply to the UK only. For companies dealing with the EU-UK change, there are still many standard best practices to follow in order to protect consumer and personal data for the UK. There is no need to change these standards under the UK DPA 2018, as the rules that have been put in place for the GDPR will help ensure that companies are complying with data protection. UK companies should still strive to practice minimal data collection, and only collect the data they need in order to conduct business-as-usual activities. With the change, now would be a good time for UK companies to revisit their operational policies as they pertain to data use within their business. A good understanding of the BAUs will enable UK companies to limit the data required to conduct business, just as it always has under the umbrella of the GDPR. UK companies may also want to consider a review of their customer consent policies and ensure that they are up to date for any data collection activities that they have in place or intend on modifying.”
Joseph Carson, chief security scientist, Thycotic
Ed Williams, EMEA Director at SpiderLabs, Trustwave
Adam Brady, Director, Systems Engineering, EMEA, Illumio
Paul Dant, Vice President - Product Management, Digital.ai
Mike Wood, CMO, Versa Networks
Chris Strand, Chief Compliance Officer, IntSights