Data Privacy Week 2024: The Definitive Roundup of Expert Quotes
Solutions Review editors sourced this definitive roundup of expert quotes on Data Privacy Week 2024 from Insight Jam, its new community of enterprise tech experts.
It’s Data Privacy Week 2024, and it’s essential to spotlight the evolving landscape of digital rights and personal data protection. This year’s theme underscores the critical balance between leveraging technology for advancement and ensuring the confidentiality and integrity of individual data. As we navigate through waves of technological innovation, from AI-driven analytics to IoT proliferation, the question of how to protect personal information while fostering progress becomes increasingly complex.
This roundup features insights from leading experts who dissect the nuances of data privacy today. They explore the challenges we face in safeguarding digital identities, the emerging threats to our online spaces, and the innovative strategies being developed to secure personal information against unauthorized access.
Their perspectives shed light on the importance of proactive measures, the role of legislation, and the individual’s part in maintaining their data privacy.
Note: Data Privacy Week 2024 quotes are listed in the order we received them.
Data Privacy Week 2024: Expert Insights
Sam Gupta, Founder and CEO at ElevatIQ
“Technologies such as Palantir are already changing the game of data privacy, especially with government organizations where individual-centric privacy matters. Visibility of this magnitude wasn’t possible before due to technology limitations. Watch as other companies follow suit, creating a culture of transparency for consumers becoming a new norm, driving competitive advantage. This is likely to impact industries where transparency matters, such as healthcare, financial services, and insurance. Also, AI-consumption reporting is likely to evolve, where companies might use consumers’ data for their LLMs, creating demand for newer data privacy technologies.”
Joseph Harisson, CEO at IT Companies Network
“Data Privacy Week 2024 emphasizes the important intersection of technology and ethics in our digital world. Key industry experts assert that data privacy has transformed from a mere compliance requirement to a fundamental human right, essential for gaining consumer trust and serving as a competitive differentiator in the business landscape. My experiences and insights, as shared in my book “Top 25 IT KPI Metrics You Should Be Tracking As a Business Owner,” align with these views, highlighting the importance of treating data privacy as a continuous journey. This week serves as a reminder for all of us in the tech industry to persistently balance innovation with the imperative to protect individual privacy, shaping a future where data safeguarding is an integral part of our digital culture.”
Raja Mukerji, Co-Founder & Chief Scientist at ExtraHop
“A key focus this Data Privacy Week should be on generative AI. As this new approach gains attention across enterprises, concerns about data security and privacy have run rampant. Most enterprises are eager to take advantage of generative AI; however, circumstances like employees uploading sensitive corporate data and IP, the opacity of criteria used to train the model, and lack of governance and regulations introduce new challenges.
During this time of development, enterprises should focus on ways to make generative AI work for their specific needs and protocols. Visibility into AI tools is critical, and enterprises should have solutions in place that monitor how they’re being both trained and used while educating employees on best practices for safe and ethical use. Investing in systems and processes that grant you this visibility and training will help position generative AI as an aid for productivity in the workplace, and help mitigate data privacy concerns. Eventually, enterprises will be able to take advantage of the opportunity to build their own unique AI tools to better serve their employees, customers, and processes, in a provably secure and repeatable manner.”
Dave Russell, VP of Enterprise Strategy at Veeam
“Cyber threats like ransomware play a critical role in organizations’ ability to keep their data safe. Knowing how public attacks have gotten and considering consumer demands for better transparency into business security measures, there’s generally more awareness around ransomware in 2024. New research supports the idea that ransomware continues to be a ‘when’ not ‘if’ scenario, with 76 percent of organizations attacked at least once in the past year, and 26 percent attacked at least four times during that time. Data recovery should be a key focus around Data Privacy Week 2024, knowing that it’s still a major concern as only 13 percent of organizations say they can successfully recover during a disaster recovery situation. In 2024, the overall mindfulness of cyber preparedness will take precedence.”
James Dyer, Threat Intelligence Lead at Egress
“With this year’s theme of “Take Control of Your Data,” Data Privacy Week holds a mirror to how much information we share about ourselves online. Cybercriminals use open-source intelligence (OSINT) to create plausible backstories in seconds, usually utilizing social media profiles to gather information about a victim’s career, hobbies, and habits. With valuable personal insights, threat actors will then ask chatbots to write the most persuasive messages, and even use AI software to help create payloads and speed up delivery.
To take control of your data, my first tip would be to hack yourself; no, that doesn’t mean launching ransomware on your own device! Deploying basic OSINT techniques is a simple way to find out exactly how much information is online about yourself. Research your name, common usernames, and even pictures for an overview of how much is already out there at a hacker’s fingertips.
Depending on what you find, you may need to review what you’re posting on social media. A simple solve would be to make as much of your profile private as possible, withholding the attacker’s ammo during their data scrapes. With the rise of deepfakes, videos posted on social media can be used to clone a user’s voice, so depriving threat actors of this valuable resource is crucial.
Two other easy steps to better your data privacy are to limit the amount of email newsletters you sign up to and terminate or deactivate old and unused social media profiles to give attackers fewer opportunities. Narrowing the amount of information readily available on the internet and minimizing the possible attack routes will make it tougher for cybercriminals to take control of your data.”
Petr Nemeth, CEO at Dataddo
As a result of the evolution of AI and changing global standards, data privacy will be more important in 2024 than it’s ever been.
“The increasing use of AI systems is putting four types of risk in the spotlight:
- Risk of personal identification (intentional and unintentional)
- Risk of poor decision-making
- Risk of non-transparency (due to inability to explain decisions)
- Risk of violating privacy regulations and/or best practices
New data privacy moves by international and national entities will also force a modified approach to data management:
- More stringent regulations (GDPR for Europe – fines getting bigger and bigger; in USA, more states enacting privacy laws)
- For digital marketers: Google’s sunsetting of third-party cookies for enhanced consumer privacy will make first- and zero-party data all the more important
Makers of AI systems, as well as organizations that need to stay compliant, will have to pay a lot more attention to how data is collected and processed (e.g., via stricter governance policies), and employ new tooling and technologies to help offset growing privacy risk (e.g., data integration tools capable of masking/hashing sensitive data, or detecting/excluding personal identifiable information). Digital marketers will need to resort to alternative methods of targeting prospects online, like server-side tracking and offline conversion imports.”
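The quote above mentions integration tooling that masks or hashes sensitive fields and detects or excludes personally identifiable information before data is processed. The following is an added example written for this roundup, not Dataddo’s or any vendor’s code, showing what those three treatments look like on one record: a field that is excluded outright, a field that is pseudonymized with a keyed hash so joins still work but the value cannot be recovered, a field that is partially masked, and free text that is scanned for PII patterns and redacted. The field policy, the patterns (US-style phone and SSN formats) and the key are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import re

# Assumed pseudonymization key; in a real pipeline this comes from a secrets manager
# and is rotated. Deterministic keyed hashing lets two records with the same email
# still match, while the token cannot be reversed or brute-forced without the key.
PSEUDONYM_KEY = b"example-key-replace-in-production"

# Hypothetical per-field policy for the record layout used below.
EXCLUDE_FIELDS = {"ssn"}       # never let these through at all
HASH_FIELDS = {"email"}        # replace with a keyed-hash token
MASK_FIELDS = {"phone"}        # keep only the last four digits

# Illustrative PII patterns (US-centric); a production detector would use a wider set.
PII_PATTERNS = (
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
)


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the value, truncated to a short stable token."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pii_" + digest[:16]


def mask_phone(phone: str) -> str:
    """Mask everything except the last four digits."""
    digits = re.sub(r"\D", "", phone)
    return "***-***-" + digits[-4:]


def find_pii(text: str) -> list:
    """Return (kind, match) pairs for every PII pattern found in free text."""
    hits = []
    for kind, pattern in PII_PATTERNS:
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return hits


def redact_text(text: str) -> str:
    """Replace each detected PII value with a typed placeholder such as [EMAIL]."""
    for kind, pattern in PII_PATTERNS:
        text = pattern.sub(f"[{kind}]", text)
    return text


def scrub_record(record: dict) -> dict:
    """Apply the field policy: exclude, hash, mask, or redact free text."""
    out = {}
    for field, value in record.items():
        if field in EXCLUDE_FIELDS:
            continue
        if field in HASH_FIELDS:
            out[field] = pseudonymize(value)
        elif field in MASK_FIELDS:
            out[field] = mask_phone(value)
        elif isinstance(value, str):
            out[field] = redact_text(value)
        else:
            out[field] = value
    return out


# Constructed sample record for the demonstration.
SAMPLE_RECORD = {
    "customer_id": 1042,
    "email": "ada@example.com",
    "phone": "555-123-4567",
    "ssn": "123-45-6789",
    "notes": "Customer asked to be called back on 555-123-4567; backup contact ada@example.com",
}

if __name__ == "__main__":
    for field, value in scrub_record(SAMPLE_RECORD).items():
        print(f"{field}: {value}")
```

The point of the split is that each treatment answers a different downstream need: excluded fields are never stored, hashed fields keep referential integrity for analytics, masked fields stay readable enough for support staff, and the free-text scan catches PII that lands in a column nobody classified.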
James Fisher, Chief Strategy Officer at Qlik
“We are squarely in the middle of an AI boom, with Generative AI promising to take us into a new era of productivity and prosperity. However, despite its vast potential, there remains a lot of trepidation around the technology – particularly around how to use it responsibly. For example, there are risks around violation of data privacy and individual consent when it comes to the data that AI algorithms are trained on.
Trust in GenAI – and the data powering it – is key for the technology to be embraced by enterprises. With the risk of misinformation, the use of deepfakes and more, it will take hard work to build this trust. One way to do this is through improving the data that AI is fed – because AI is only as good as its data.
We are seeing steps in the right direction here through a push for better governance, origin, and lineage of data to power AI. At an enterprise level, businesses must look to test the validity of their data and get robust data governance in place. Then, it will be possible to use AI to generate more trustworthy and actionable insights down the line.”
Sophie Stalla-Bourdillon, Senior Privacy Counsel & Legal Engineer at Immuta
“Privacy is now a top concern for individuals, while organizations still struggle to implement effective data protection safeguards when engaging in data analytics and AI practices. We’ve seen US states such as California passing their own privacy laws and drafting detailed regulations on cybersecurity audits, risk assessments, and automated decision making; privacy by design in practice is a must-do to be able to effectively respond to the demands of augmented privacy regulatory frameworks. At the global level, it’s becoming obvious that attempting to redirect data movements from one location to another to try to avoid data protection obligations is not a viable strategy for a variety of reasons. By reviving core, but often denigrated, data protection principles, such as purpose limitation and data minimization, with the recent take-off of purpose-based access control, new paradigms such as zero trust architecture and data mesh will help data teams to enhance transparency and accountability when building data architectures and organizational processes and to produce quality insights.”
Omri Weinberg, Co-Founder and CRO at DoControl
“An often-overlooked aspect of data security, especially in SaaS environments, is the insider threat posed by employees. Collaboration through these platforms, while boosting productivity, can inadvertently lead to the exposure of sensitive information. It’s crucial for organizations to educate their teams on the risks of data sharing and implement robust controls to mitigate accidental breaches. Ensuring data privacy is a collective effort, where every employee’s awareness and vigilance are key.”
Gopi Ramamoorthy, Head of Security & Governance, Risk and Compliance Engineering at Symmetry Systems
“For individuals, data privacy should start with zero trust. It is highly recommended not to share personally identifiable data (PII) with any organization or any website unless required. If you are providing PI to a required site, always use caution to ensure the website that you are on is correct, legitimate and secure. There are many fake sites that collect personal data. Additionally, posting on social media and reacting to social media posts should be done with no sharing of personal information, including sensitive information like home address, travel, family plans and related information.
For organizations, GDPR Articles 4, 5 and 6 can be referred to for guidance to make decisions on what personal data to collect and why. These three articles define the means and purpose of collecting data and the processing principles. Other privacy regulations have similar articles that provide guidance on the basis of PII data collection. Once data collection and purpose are decided, adequate data security needs to be carefully planned. Securing PII starts with Privacy By Design (PbD). The core principle of Privacy By Design is based on least privilege and a need-to-know basis. Organizations should have clearly defined and strict access controls around PII data based on regulations, policies and procedures. Also, organizations should implement adequate logging and monitoring controls. For many tasks such as data discovery, data classification, data access controls, etc., the latest technologies can be used for effective security, automation and scaling.”
Eric Schwake, Director of Cybersecurity Strategy at Salt Security
“Data Privacy Week allows organizations of all sizes to reflect on their critical data and assess ways to ensure its safety and security. Customers and internal stakeholders trust organizations with their data, but the digital transformation has exposed it to more significant threats. As APIs are now touching this data more than ever, it’s essential to understand how they utilize it and promptly identify any potential risks. When considering data privacy, it’s crucial to consider the people, processes, and policies involved.
- Understand your APIs: Have processes in place to understand APIs used in your environment, including what data they access. Knowing this will allow you to apply policy governance rules to APIs across your organization.
- Embrace Access Control: Implement strong authentication and authorization protocols to ensure only authorized applications and users can access data. Use multi-factor authentication, API keys, and granular access controls.
- Encryption is Everything: Encrypt data at rest and in transit, rendering it useless to any unauthorized eyes that might intercept it.
- Vulnerability Vigilance: Regularly scan your APIs for vulnerabilities and patch them promptly. Proactive monitoring is vital to staying ahead of evolving threats.
- Transparency Matters: Open communication is vital. Clearly document your API usage policies and data privacy practices. Let users know what data you collect, why, and how they can control its use.
These steps allow organizations to build a robust data privacy ecosystem where APIs become guardians, not vulnerabilities. Commit to securing these digital gateways and ensuring data travels safely in the online world this Data Privacy Week.”
Patrick Harr, CEO at SlashNext
“One of the biggest gaps in security postures today is how personal and corporate data is protected in the age of the hybrid and remote workforce. These blind spots are becoming more readily apparent as organizations and individuals adopt new channels for personal messaging, communications, and collaboration. Targeted phishing attacks in collaboration tools are becoming more common because the likelihood of success is higher than email phishing attacks. Users are not expecting phishing attacks in Teams or SharePoint, and these attacks are often too sophisticated for a user to determine the communication is malicious. It’s also far less common for organizations to have security protections in place around these types of tools compared to email security solutions. And when a phishing attack succeeds, the cybercriminals capture private data, personal information, company data, or they may even install malware directly onto the device to facilitate ongoing attacks.
In 2023 especially, the introduction of Generative AI technologies like ChatGPT has been a game changer for cybercriminals, particularly in relation to cyberattacks launched through common messaging apps including email and SMS text messaging. These new AI tools have helped attackers to deliver fast moving cyber threats, and have ultimately rendered email security that relies on threat feeds, URL rewriting and block lists ineffective, putting organizations’ private data at high risk. In fact, SlashNext’s latest State of Phishing report revealed a 1,265 percent increase in phishing emails since the launch of ChatGPT in November 2022.
The best defense for an organization to protect against phishing and ensure the safety of both its corporate data as well as employees’ personal data is to always be one step ahead of the attackers. It’s crucial for cyber security protection to leverage AI to successfully battle cyber threats that use AI technology. You have to fight AI with AI.”
Philip George, Executive Technical Strategist at Merlin Cyber
“Year after year, Data Privacy Week invokes calls for better data protection practices, regulations and standards, and encourages individuals to be more conscious of how they share and protect their own personal data online. These are all important parts of the data privacy conversation, but this year a much stronger emphasis needs to be placed on post-quantum cryptography (PQC) and what organizations must be doing now in order to ensure data remains protected in the post-quantum future. Today’s data encryption standards will be ineffective against advanced decryption techniques fueled by cryptographically relevant quantum computers. Although commercial quantum computers exist today, they have yet to achieve the projected computational scale necessary for cryptographic relevancy. However, this reality may change quickly, considering the continued investment by nation states and private sector alike. Coupled with the growing application of ML/AI in the areas of research and development, the potential for more breakthrough developments in quantum computing remains high. This means the chances for any of the aforementioned entities reaching quantum cryptographic relevancy are improving day by day.
NIST is expected to publish its first set of PQC standards this year, which will serve as an important step toward providing organizations with quantum-resistant cryptography solutions. Security leaders and data owners should follow NIST’s guidance and begin their internal preparations today. Primarily, this should entail establishing an integrated quantum planning and implementation team and mapping out cryptographic dependencies by conducting a full system cryptographic inventory. After conducting this inventory, security teams can then implement a risk-driven modernization plan that starts with business-critical and (by law) protected data systems.
These activities must happen in 2024, because threat actors are in fact already targeting encrypted data, by taking a “steal and store now to decrypt later” approach. Quantum computing-based attacks will become a reality in the near future, and we cannot wait until cryptographic relevancy is achieved to begin what may become the largest cryptographic migration in modern history/the history of computing.”
Nick Edwards, VP of Product Management at Menlo Security
“The explosion of Generative AI use following the launch of ChatGPT in November 2022 has opened a world of new risks and data privacy concerns. Companies must be aware of how these tools can potentially compromise or expose sensitive data. By nature, they pose a significant security risk, especially when employees inadvertently input corporate data into the platforms. When data is entered within these models, that data is used to further train the model to be more accurate. In May 2023, a group of Samsung engineers input proprietary source code into ChatGPT to see if the code for a new capability could be made more efficient. Because of the model’s self-training ability, the Samsung source code could now be used to formulate a response to requests from other users outside of Samsung. In response, Samsung banned ChatGPT. Our own team of researchers at Menlo Security found more than 10,000 incidents of file uploads into generative AI platforms including ChatGPT, Microsoft Bing, and Google Bard, and 3,400 instances of blocked “copy and paste” attempts by employees due to company policies around the circulation of sensitive information.
To prevent data leakage like the incident described above, employees should be trained in how to use these platforms securely. Organizations need to prioritize data security tools that prevent information from being shared with Generative AI platforms in the first place. While data loss protection (DLP) tools are useful, organizations need a layered approach that could include, for example, limiting what can be pasted into input fields, restricting character counts or blocking known code.
Another data privacy concern was uncovered last week, when OpenAI launched the GPT store, which allows OpenAI subscribers to create their own custom versions of ChatGPT. As exciting as this is for developers and the general public, this introduces new third-party risk since these distinct “GPTs” don’t have the same levels of security and data privacy that ChatGPT does. As generative AI capabilities expand into third-party territory, users are facing muddy waters on where their data is going. Securing access to generative AI tools is just one of the topics covered in Menlo’s State of Browser Security Report, launched this week, which talks to the wider landscape of evasive threats targeting users in the browser.”
Krishna Vishnubhotla, VP of Product Strategy at Zimperium
“The biggest risk to our private data lies in the mobile devices we use every day and the applications that are on them. In fact, the Zimperium 2023 Global Mobile Threat Report showed that 80 percent of phishing sites now either specifically target mobile devices or are built to function on both mobile devices and desktops, and that the average user is 6-10 times more likely to fall for an SMS phishing attack than an email-based one. As we know in today’s workplace, particularly following COVID, many of us are working from home (or working from anywhere). We have clearly seen employees working on personal mobile devices that are accessing all the same data that they were previously accessing via corporate devices. It’s the organization’s duty to protect the data that’s being accessed at all times, while at the same time ensuring privacy for the user on the personal device. Organizations must ensure that the device accessing its data is safe; the network it’s connecting from is safe and trusted; and the applications on the device are not hostile.”
Manu Singh, VP, Risk Engineering at Cowbell
“In today’s threat landscape, we are seeing the continued evolution and sophistication of cyberattack techniques and tactics, including bad actors circumventing multi-factor authentication (MFA) and accessing offline backup systems. What the industry previously considered ironclad defenses simply aren’t anymore. This Data Privacy Day, organizations should prioritize staying ahead of threats through:
- Conducting a risk assessment to identify the vulnerabilities within the organization, and acting on the findings. A risk assessment shows organizations what their architecture looks like, their vulnerabilities, and more. Addressing issues identified in a risk assessment puts an organization in a better position to deal with cyber incidents. If you work with a cyber insurance provider, ask them for your organization’s risk assessment report and how they can help you improve your cyber hygiene.
- Upholding good cyber hygiene. While cybersecurity measures should be tailored to an organization based on its risk assessment, it’s important to follow basic best practices: adopt MFA, deploy an Endpoint Detection and Response (EDR) solution, keep up with patching, maintain good password hygiene by adopting a password manager, and have offline and tested backups/copies of all data.”
Darren Guccione, CEO and Co-Founder at Keeper Security
Attacks are changing, protecting yourself isn’t
“This Data Privacy Day, industry experts may warn about the new and novel ways attackers violate your privacy and breach your data. From the threats that come with generative AI to the rise of attacks targeting genealogy companies like 23andMe that hold highly sensitive personal information, it’s certainly clear the tools in a cybercriminal’s arsenal are growing more sophisticated. But the fundamental rules of protecting oneself in the digital landscape remain as relevant as ever. Basic cybersecurity measures, such as creating strong and unique passwords, enabling multi-factor authentication and keeping software up to date, are frequently overlooked. A recent study by Keeper found a quarter of IT leaders confessed that they even use their pet’s name as a password!
Take the following steps to proactively protect yourself in the evolving digital world:
- Use strong, unique passwords for every account
- Enable multi-factor authentication
- Regularly update software
- Employ strict privacy settings on apps and browsers
- Avoid oversharing on social media
- Back up your important data
Before finding yourself overwhelmed by all the ways cybercriminals can attack you, sit down and consider these basic cybersecurity measures and whether you are following them. Number one is critical, but difficult to achieve using just your memory, so consider using a password manager to safely and securely store and manage passwords. By taking these proactive steps, you can significantly strengthen your data privacy and reduce the risk of falling victim to both current and evolving cyber threats.”
John A. Smith, Founder and CSO at Conversant
“Cyberattacks are the top global business risk of 2024. Data Privacy Week provides organizations an opportunity to raise awareness about data privacy issues and associated security risks, educate individuals about protecting their personal information, and promote more secure organizational data practices.
In today’s digital age, most enterprises obtain personal and confidential data from their employees, customers, and stakeholders, making them vulnerable to a cybersecurity attack or data breach. All organizations have a responsibility to protect their data; many (such as law firms and healthcare institutions) have a fiduciary duty to protect sensitive information regarding clients. These businesses are built on trust, and in many cases lives and financial well-being depend on it; both can be easily and irreparably harmed if data is compromised. Organizations should consider the following to increase data privacy and security within their company:
- Adhere to regulations and compliance requirements: Enterprises should constantly review and be aware of data privacy regulations, such as GDPR, CCPA, or other regional laws.
- Understand that compliance isn’t enough: While security frameworks and mandatory compliance standards must be met, they in no way guarantee security: These frameworks and compliance standards should be viewed as a minimum floor. Threat actors are not limited to the guardrails within these frameworks, and threat actor behavior simply changes faster than the frameworks and standards can keep pace with. It’s essential to have a layered security program across people, process, product, and policy that protects the entire security estate with redundant controls.
- Measure your secure controls against current threat actor behaviors: By implementing robust security protocols and conducting regular security assessments against current threat tactics, organizations will know where their vulnerabilities lie and how to protect them. Threat actors are exploiting things that make the users’ experience easier, such as Help Desks that provide easy access and few verification steps, self-service password tools, weak forms of MFA, etc. To keep up, companies must trade some levels of user convenience for more stringent controls.
- Know your limitations: Most organizations have gaps in security controls and orchestration because they lack access to breach intelligence—how threat actors are causing damage technically. It’s those very gaps that threat actors seek and prey upon. It’s important to seek expert assistance to gain breach context and act without delay. While addressing these gaps may require additional capital investments, it will be far less than the cost of a breach, its mitigation, and the long-term fallout.
- Change your paradigms: Systems are generally open by default and closed by exception. You should consider hardening systems by default and only opening access by exception (“closed by default and open by exception”). This paradigm change is particularly true in the context of data stores, such as practice management, electronic medical records, e-discovery, HRMS, and document management systems. How data is protected, access controls are managed, and identity is orchestrated are critically important to the security of these systems. Cloud and SaaS are not inherently safe, because these systems are largely, by default, exposed to the public internet, and these applications are commonly not vetted with stringent security rigor.
- Most breaches follow the same high-level pattern: While security control selection and orchestration are important, ensuring a path to recovery from a mass destruction event (without paying a ransom) should be the prime directive. Organizations should assume a mass destruction event will occur, so that if it occurs, they can have confidence in their path to recovery.
Data privacy is not just a technical concern, but a crucial tenet of ethical business practices, regulatory compliance, and maintaining the trust of individuals who interact with your business. It has become an integral part of building a secure and resilient digital economy.”
Ratan Tipirneni, President & CEO at Tigera
“This Data Privacy Awareness Week, enterprises and small businesses alike should prioritize holistic cybersecurity. While Kubernetes adoption has taken off, most Kubernetes teams haven’t implemented adequate posture management controls. They continue to implement the minimal level of security mandated by compliance requirements. This bubble is about to burst. This will manifest as stolen data (data exfiltration) or ransomware. However, this can be easily prevented through effective posture management to ensure that the right egress controls and micro-segmentation are in place.”
Rick Hanson, President at Delinea
“The end of privacy as we know it might be closer than you think. The world is increasingly relying on more AI and machine learning technologies. This reliance could result in privacy becoming less and less of an option for individuals, as AI’s capabilities in surveillance and data processing become more sophisticated.
2023 marked a significant leap in the authenticity of deepfakes, blurring the lines between reality and digital fabrication, and that is not slowing down any time soon. Our digital identities, extending to digital versions of our DNA, can be replicated to create digital versions of ourselves, which can lead to questioning who actually owns the rights to our online personas.
Unfortunately, advancements in AI technologies are evolving more swiftly than current regulations can keep pace with. In 2024, we can expect stricter data protection requirements across more countries and regions. But until these regulations evolve and can keep pace, it is important to reduce our risk and protect our privacy however possible.
One of the best ways to do this is to continuously check each application, including what data is being collected and processed, and how it is being secured. Use a password manager or password vault to securely store credentials, and leverage multi-factor authentication (MFA) to ensure credentials don’t get exploited by forcing whoever the user is to prove their identity beyond just a username and password. In the event that a data privacy breach does occur, it is also important to have a cyber insurance policy in place to ensure you’ll have the means to continue to operate and recover.”
Michael Brown, Vice President of Technology at Auvik
“The evident tension between employee monitoring and personal privacy makes it imperative for companies to find and maintain an appropriate balance that upholds critical visibility while respecting boundaries and adhering to data privacy laws.
With the continued expansion of remote and hybrid work, there is a heightened necessity for employers to keep a close eye on the way that employees are utilizing devices and applications in their daily routines. In addition to providing valuable information about the types of and ways in which technology is being used, employee monitoring ensures that installed applications are up-to-date, protects against known security vulnerabilities, and identifies potential productivity improvements. However, maintaining data privacy during this process is critical; when boundaries are overstepped and certain kinds of information are collected, this can feel invasive to employees and result in reduced morale as well as the potential violation of data privacy laws.
On one end of the spectrum, monitoring an employee’s every action provides deep visibility and potentially useful insights, but may violate an employee’s privacy. On the other hand, while a lack of monitoring protects the privacy of employee data, this choice could pose significant security and productivity risks for an organization. In most cases, neither extreme is the appropriate solution, and companies must identify an effective compromise that takes both visibility and privacy into account, allowing organizations to monitor their environments while ensuring that the privacy of certain personal employee data is respected.”
Gal Ringel, CEO and Co-Founder at Mine
- “With a new wave of AI set to revolutionize how we live and work, data privacy has never been more important than it is today. Ensuring companies use data to train and develop AI systems safely and transparently is reliant on all of us emphasizing how much we collectively value individual data rights and could very well be the defining question of whether society builds a healthy, trusting relationship with AI innovation.”
- “Over the past few years, the enthusiasm so many companies have had for data privacy software has grown immeasurably. There is still work to be done in spreading that enthusiasm to every company that handles personally identifiable information (PII), but it’s heartening to see data rights receiving the love and attention they deserve as the role data plays in business continues to soar.”
Shivajee Samdarshi, Chief Product Officer at Venafi
“Artificial intelligence is democratizing coding to a whole new level. Everyone can be a developer now, but this opens up a massive opportunity for malicious actors to take advantage of unauthorized code and use it as an attack vector within unaware organizations. This is fundamentally altering how we protect privacy and ensure the systems our lives depend upon are secure. The attack surface is expanding day by day, but organizations are often not adapting in real time.
This Data Privacy Week, it’s critical for organizations to bear in mind the detrimental impacts of unauthorized code. To combat this risk and reduce the attack surface, know what code your organization is using and deploying. Secure the code signing process and use trusted code signing certificates. The best offense is a good defense, especially when it comes to your code.”
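One concrete form of “secure the code signing process” is a detached signature that deploy tooling checks before it runs anything. The script below is an added example for this roundup, not code from the original article or from Venafi; it assumes only a POSIX shell and the openssl CLI, and the key and file names are hypothetical. It generates a signing key pair, signs a deployment script, runs it only after verification succeeds, then shows that a single appended line makes the same script fail verification.

```sh
#!/bin/sh
# Added example (not from the original article or any vendor quoted in it):
# sign a deployment script with a private key, verify it with the public key,
# and show that any post-signing change to the file fails verification.
# Assumes only a POSIX shell and the openssl CLI. File and key names are
# hypothetical; in production the private key stays in an HSM or CI secret
# store and the public key (or a CA-issued code signing certificate) is pinned
# by the deploy tooling, not shipped next to the artifact.
set -eu

WORK="${TMPDIR:-/tmp}/codesign-demo.$$"
mkdir -p "$WORK"

# One-time: create the signing key pair (RSA-2048; ECDSA or Ed25519 work the same way).
gen_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/signing.key" 2>/dev/null
  openssl pkey -in "$WORK/signing.key" -pubout -out "$WORK/signing.pub" 2>/dev/null
}

# Release step: write a detached SHA-256/RSA signature next to the artifact.
sign_artifact() {
  openssl dgst -sha256 -sign "$WORK/signing.key" -out "$1.sig" "$1"
}

# Deploy step: accept only artifacts whose signature verifies against the
# trusted public key. Returns 0 on success, 1 on any failure.
verify_artifact() {
  if openssl dgst -sha256 -verify "$WORK/signing.pub" \
       -signature "$1.sig" "$1" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# The gate you would put in front of any "download and execute" step:
# unverified code never runs.
run_if_verified() {
  if verify_artifact "$1"; then
    sh "$1"
  else
    echo "refusing to run $1: signature check failed" >&2
    return 1
  fi
}

demo() {
  gen_keys
  # Constructed artifact standing in for a real deployment script.
  printf 'echo "deploying build 1234"\n' > "$WORK/deploy.sh"
  sign_artifact "$WORK/deploy.sh"
  run_if_verified "$WORK/deploy.sh"            # signature matches: script runs
  # Tampering after signing: one appended line is enough to break the signature.
  printf 'echo "injected command"\n' >> "$WORK/deploy.sh"
  run_if_verified "$WORK/deploy.sh" || echo "tampered artifact rejected"
}

demo
```

The signature covers the exact bytes of the file, so it answers the quote’s first question (is this the code we approved?) but not the second (who approved it?); binding the public key to an identity is what a code signing certificate and a trust chain add on top, and the verifier must obtain that key or CA from somewhere the attacker cannot also overwrite.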
Theresa Lanowitz, Head of Evangelism at AT&T Cybersecurity
“Edge computing is the next generation of computing and is all about data. A characteristic of edge computing says that the applications, workloads, and hosting are closer to where data is being generated and consumed. And, edge computing is about a near-real-time and digital-first experience based upon the collection of, processing of, and use of that data.
This data needs to be free of corruption to assist with decisions being made or suggested to the user, which means the data needs to be protected, trusted, and usable. In response, strong data lifecycle governance and management will be a continued requirement for edge computing use cases.
Such data security is something a security operations center (SOC) will begin to manage as part of its management of edge computing, while working to understand diverse and intentional endpoints, complete mapping of the attack surface, and ways to manage the fast-paced addition or subtraction of endpoints.”
Patrick Harding, Chief Product Architect at Ping Identity
“Privacy is really about choice, trust, and giving customers autonomy over how their data is managed. A disheartening 10 percent of consumers have full trust in organizations that manage their identity data – and it shouldn’t be that way. It’s up to organizations to ensure customers understand how data is collected and are given a clear opt-in or opt-out option to feel secure and respected. This transparency and accountability go a long way in instilling brand loyalty, long-term trust, and a positive customer experience.
Ultimately, customers just want to know their data is being protected and not exploited. The majority (61 percent) of global consumers report that having privacy laws enacted to protect consumer data and knowing that the website vendor is complying with those regulations makes them feel more secure when sharing their information online.
Data Privacy Week serves as a great opportunity to underline the value of decentralized identity management, which improves data security and privacy, and empowers individuals with control of their data while reducing resource and compliance burdens for enterprises.”
Bjorn Andersson, Senior Director, Global Digital Innovation Marketing and Strategy at Hitachi Vantara
“Right now, technology is moving faster than regulations in many ways and across many regions globally. Governments are actually racing to keep up. For example, the European Union in December 2023 just reached a landmark agreement on its AI Act, but it’s not yet in effect. While the U.S. has laid out a risk framework in its October 2023 executive order on AI, there is no comprehensive law passed by Congress nor stringent regulation of the private sector on AI aside from critical infrastructure governance. As new compliance and regulation standards in the data management industry get codified, companies must ensure employees stay informed, adopt relevant policies, and deploy best-in-class security measures.
Global organizations navigating the nuances of diverse regulations across countries should seek guidance from legal experts. Teams can harness the power of generative AI and other kinds of AI tools to elevate organizational knowledge and awareness on data security and privacy and to implement the guardrails themselves.”
Larry Zorio, CISO at Mark43
“With 91 percent of first responders facing cybersecurity issues in the past year, it’s imperative that public safety agencies have cost-effective and data-driven protections in place. The intersection of data and technology has long been central to public safety, but the ascent of AI and other emerging technologies has revolutionized the sector. To counteract bad actors and evolving security threats, public safety agencies need robust internal security processes and strong external partnerships to effectively serve their communities, especially in crises.
Information security is pivotal for the confidentiality, integrity and availability of public safety data, systems and networks. Providing partners and government agencies with comprehensive security controls and reliable platforms — like their CAD and RMS — couldn’t be more important. In 2023, the global average cost of a data breach was $4.45 million, highlighting the urgency for agencies to adopt a strategic, risk-based approach to data protection in 2024 and beyond.”
Daniel Chechik, CISO at WalkMe
“The emergence of technologies like AI marks a new era of data protection in enterprise tech, defined by a need for constantly-evolving, modernized technology that adapts to security regulations. Alongside this, organizations have an increased responsibility to safeguard sensitive information. As AI-driven solutions are deployed, cybersecurity considerations and data safeguarding are top priorities to ensure that AI serves as an enabling factor for businesses without posing an outsized risk.
Business and government entities must adapt to this new “digital age,” all while ensuring employee trust and productivity. The global agreement to make AI ‘secure by design,’ for example, highlights the responsibility of large, small, public, private, government, and organizations of all types to prioritize and invest in the safe use of these new capabilities by putting proper measures in place to safeguard their organizations against thefts and data leaks. Without sacrificing the innovation, creativity, and productivity boosts promised by generative AI applications, organizations must pursue the right technology and employee education to create clear guidelines and guardrails that prioritize effective, data-driven protection.”
Erik Gaston, CIO at Tanium
“In an age when individuals produce almost 2MB of data every second, it is critical for companies to have proven, proactive and preventative security strategies in place to protect employee and customer data. It is also important to understand what data is coming in and out of the network and where it is being stored at all times.
Data breaches (both accidental and intentional), data mining, surveillance, and the potential misuse of personal data by corporations or governments all have the potential to expose personal information to unauthorized parties. To mitigate the risk, a few recommendations to achieve a proactive, preventative strategy – over one that solely relies on reactive data protection – include:
- Actively managing passwords, authentication, social media and installed software / settings on personal devices
- Choosing strong and unique passwords for all online accounts and updating them often
- Having multi-factor authentication as an extra layer of security
- Avoiding sharing ANY personal information online, especially on social media sites
- Keeping software up to date
- Understanding privacy settings on various devices and platforms and exercising your rights to control the collection and use of your data”
Geoffrey Mattson, CEO at Xage Security
“Data Privacy Week serves as a reminder of the symbiotic relationship between data security and the safeguarding of critical infrastructure. The threat landscape continues to evolve, leaving critical infrastructure increasingly reliant on interconnected systems, all of which can be breached. When it comes to critical infrastructure, the implications of a data breach stretch far past the digital realm, instead impacting real-world, everyday operations such as water systems, emergency services, government facilities, transportation systems, and more. Consider the thousands of electricity, oil and natural gas facilities that provide energy to people every day, suddenly shut down. These aren’t abstract scenarios—they directly impact the average citizen’s quality of life. Protecting critical infrastructure is a responsibility with the potential to preserve and save lives daily.”
Will LaSala, Field CTO at OneSpan
“In today’s online world, more data is being shared by users than ever before and has expanded to include intricate connections between individuals, organizations, and the vast web of the internet. Many users are not aware of how this data will be used. Technological advancements, such as AI, have led to freely available data that not only trains software but also becomes vulnerable to attackers exploiting application and security service vulnerabilities. Generative AI further complicates data security by generating content that closely mimics the original, often relying on common solutions based on private data. While AI can also serve as a tool to catch fraudulent data and secure it before it gets attacked, there needs to be more comprehensive measures to protect data from being readily available for AI to use. There is a shift towards individual management of data privacy, which has introduced a new era of distributed identity. Digital wallets, for example, allow users to control data access and duration in user-friendly ways. Organizations benefit from this by gaining insights into data ownership changes and building trust to offer enhanced services based on reliable data. This Data Privacy Week, responsible data handling is crucial. Navigating this expansive sea of data poses a constant challenge that has prompted regulations to encourage banks and other organizations to take data privacy seriously. Everyone has a responsibility to practice safe data handling.”
Cam Roberson, Vice President at Beachhead Solutions
“Complying with government agencies’ data privacy and cybersecurity requirements is getting more complicated this year. For many businesses, regulatory enforcement is quickly becoming the single biggest cybersecurity-related risk they face. Data privacy and security requirements and enforcement are expanding on just about every front—and the risks of non-compliance are real and accelerating. For example, the FTC Safeguards Rule now requires *any* business that transfers money to and from customers (and isn’t already under the purview of another regulator) to secure customer data effectively. This affects millions of previously unregulated businesses that are now subject to six-figure fines per violation, additional fines that can personally target business leaders, and risk to their business’s licensing. Organizations in or adjacent to the healthcare field subject to HIPAA need to be aware that HIPAA fines around data privacy have become more actionable. Regulators have shifted strategies, from massive seven-figure fines that were rarely enforced, to $35,000-$50,000 fines per violation that businesses are fully expected to pay. While the ubiquity of cyber insurance to protect businesses from these fines’ impact continues to be another key development to pay attention to, cyber insurance policies require the same security protections as major compliance mandates. There will continue to be less leniency for organizations that don’t have the encryption, data access controls, and other non-negotiable data privacy capabilities required of most cybersecurity compliance regulations.”
Viktoria Ruubel, Managing Director of Digital Identity at Veriff
“As consumers and employees, we have all seen or experienced biometric technology in action. Fingerprints or “selfies” have replaced passwords, granting access to our smartphones and other devices. In business settings, face scans can enable entry into controlled access areas or even the office. However, while these tools have made identity verification easier and reduced some of the friction of identification and authentication, there’s growing concern around biometric data and privacy – biometric data is unique to each individual and permanent, making it one of the most personal forms of identification available.
As concerns mount and amid an escalation of regulatory action, users need greater transparency around collecting and using biometric data. Careful considerations are required to properly reflect the use of biometric data in public-facing policy and the approach to gathering and employing data around user consent and data security.
Data Privacy Week is a time to facilitate open dialogue around these risks and how to address them to strike a better balance between protecting users’ privacy and demystifying their experience with technologies like biometrics. Organizations must be ready to balance user experience with effective security controls to ensure the highest levels of data privacy in all transactions.”
Steve Stone, Head at Rubrik Zero Labs
The most compromised data
“Breaches often compromise the holy trinity of sensitive data: personally identifiable information, financial records, and login credentials. As long as these lucrative data types remain decentralized across various clouds, endpoints and systems not properly monitored, they will continue to entice, and reward increasingly sophisticated attackers.”
Why it’s vulnerable
“Over 60 percent of sensitive data stored across disparate on-prem, cloud, and SaaS environments lacks unified security protocols. Cybercriminals can easily access the keys to deeply infiltrate the systems and exfiltrate the most valuable data undetected over longer periods.”
How to better protect it
“Reliance on prevention is simply ineffective. Organizations need cyber resilience – a combination of cyber posture and cyber recovery – to keep their business running without interruption, even in the midst of the inevitable cyberattack.”
Tim Wade, Deputy CTO at Vectra AI
“Customers and consumers alike are sharing more data than ever with organizations. This comes at a time when enterprises are shifting more applications, workloads, and data to hybrid and multi-cloud environments, and threat detection and response has become increasingly siloed and complex. Together, this underscores the crucial responsibility organizations have in safeguarding sensitive information and serves as a poignant reminder of the challenges involved in maintaining data privacy.
We’ve seen steady improvement on the part of the end user towards keeping their personal information secure and private. They deploy multi-factor authentication solutions, only use secure networks or VPNs, and are much more selective about which information they share with organizations, but exposure incidents still happen. As we strive to make the world a safer and fairer place, companies have a responsibility to their customers, partners, and end users to implement the right practices that will ensure their privacy and data are protected. In the upcoming year, businesses will face heightened expectations to demonstrate their commitment to implementing comprehensive measures aimed at safeguarding data.”
Reed Taussig, CEO at AuthenticID
“Inconsistent data privacy regulations are being legislated all over the world, and indeed, across all 50 states. While some of these regulations are ubiquitous, many of the requirements vary from country to country and state to state. Look at GDPR and the right to be forgotten, as an example. Fraudsters can legally require a site to delete all of their PII data thus making it much more difficult to identify who those individuals are. Globally fraudsters are winning. Fraud goes up year after year despite the billions of dollars invested in security. Data privacy is a double-edged sword; it protects good customers and people, but it also creates significant hurdles for security experts trying to keep a company’s assets safe.”
Stephen Franchetti, CIO at Samsara
Amidst emerging threats, increased regulation, and data privacy laws, organizations will lean on technology for management and protection.
“With a global focus on data privacy, organizations must leverage technology to identify and mitigate risks quickly and effectively. In 2024, leaders will invest in AI-driven security to monitor network behavior, detect anomalies, and protect against potential threats – all in real time. This proactive approach will allow organizations to enhance their ability to safeguard data and operations.
This technology, however, is only effective when coupled with a robust data strategy that leverages a zero-trust model. In the new year, more leaders will adopt this approach, which requires verification at every step of the data access and transfer process, significantly reducing the potential for breaches.”
Dan Benjamin, CEO and Co-Founder at Dig Security
“As organizations moved to the cloud, their infrastructure has become increasingly fragmented. With multi-cloud and containerization becoming de-facto standards, this trend has intensified. Data storage and processing is dispersed, constantly changing, and handled by multiple vendors and dozens of tools.
To secure data, businesses found themselves investing in a broad range of tooling – including DLP for legacy systems; CSP-native solutions; compliance tools; and more. In many cases two separate tools with similar functionality are required due to incompatibility with a specific CSP or data store.
This trend is now reversing. Economic pressures and a growing consensus that licensing and management overhead have become untenable are leading organizations toward renewed consolidation. Businesses are now looking for a single pane of glass to provide unified policy and risk management across multi-cloud, hybrid, and on-premises environments. Security solutions are evolving accordingly – moving from point solutions that protect a specific data store toward more comprehensive platforms that protect the data itself, wherever it’s stored and in transit.”
Jim Liddle, Chief Innovation Officer at Nasuni
“This year’s Data Privacy Week is all about ensuring that organizations maximize their data intelligence with privacy best practices. A shocking number of companies store massive volumes of data simply because they don’t know what’s in it or whether they need it.
These questions must be asked to retain maximum privacy and quality: Is the data accurate and up-to-date? Is it properly classified and ‘searchable’? Is it compliant? Does it contain personally identifiable information (PII), protected health information (PHI), or other sensitive information? Is it available on-demand or archived?
Data Privacy Week serves as a reminder to organizations to answer these questions to ensure they meet data quality, privacy, security, access, and storage requirements. This must be assessed and completed before pursuing AI initiatives that may compound risk exposure without these foundational governance guardrails in place.”
Jackie McGuire, Senior Security Strategist at Cribl
Data as an Asset
“In many senses, data is the new oil. It’s a finite resource that needs to be mined and managed strategically, and its value is highly dependent on your ability to refine and manipulate it for specific applications. For this reason, we see 2024 as being a critical year in the transition of data from being 1s and 0s on a screen to an actual asset to be managed, tracked, and optimized within an enterprise.
If we look past data as the space it takes up and consider each data point (IP, port number, customer name, city name, temperature reading) as an asset in and of itself, it becomes clearer that the way we are mining and storing data is incredibly wasteful. The same data points are often collected repeatedly, stored more redundantly than necessary, and contain no single source of truth. With the increasing use of AI and machine learning, as well as more stringent regulatory requirements that both require you to hold some data longer, as well as delete some data sooner, it will become crucial that data is managed as an asset.
To accomplish this, the accurate identification and categorization of data will be essential. We see an entire industry dedicated to data identification developing over the next few years, and companies becoming increasingly more focused on what the sole source is for any piece of information. This will ensure changes to data propagate, unexpected output from data science models can be traced to the training source, and ensure that any data that a company no longer has the right or desire to hold is actually deleted.”
The SEC Shines a Spotlight on Systemic Risk
“2024 may very well become the year of dirty laundry, as a new SEC requirement that registered companies disclose material cybersecurity events within four business days lays bare just how interconnected and systemic risk in cybersecurity can be. In the few months since its passing, we have already seen several high-profile disclosures from Clorox, Johnson Controls, MGM, and Okta rile the securities markets and send teams scrambling. While breaches are nothing new, the level of disclosure the SEC is now requiring ensures that enterprises feel a level of financial pain as punishment for their security misdeeds. It also makes far more public the common threads among various breaches, be they threat actors or vendors.
The good news here is that the SEC and cyber risk providers will likely succeed where guidelines and best practices have failed; financial punishment and shareholder angst cause changes in businesses’ security investment and behavior – fast. The reason we have seatbelt laws is because of the auto insurance industry, and security incident disclosures will likely have the same impact. As much as it shouldn’t be the case, hitting companies in the wallet is typically the best way to influence behavior, and in 2024, we think the SEC will do just that.”
Alex Tray, Cybersecurity Consultant at Nakivo
“As data privacy concerns continue to grow, there will likely be an increased demand for secure data backup solutions. Organizations will seek robust backup strategies to safeguard sensitive information and ensure quick recovery in the event of data breaches or ransomware attacks. Data backup solutions are expected to integrate more privacy-centric features, such as encryption mechanisms, access controls, and audit trails to enhance the overall security and privacy of backed-up data.”
Adam Ferrari, SVP, Engineering at Starburst
“Navigating the intricate landscape of data privacy regulations lacks a one-size-fits-all solution. Each company’s risk exposure is shaped uniquely by consumer interactions, information structure, geographic presence, and other variables. Despite this complexity, companies need to collect data for operational efficiency and innovation. In the realm of data analytics and compliance, the concept of data sovereignty is significant. We advise prioritizing data localization strategies aligned with regional regulations. Storing data on local servers and complying with specific laws, such as GDPR in the EU, enhances consumer data protection. This not only reduces non-compliance risks but also builds consumer trust in data-driven innovations by safeguarding their personal information according to stringent data protection rules.”
Cassius Rhue, Vice President of Customer Experience at SIOS Technology
“For organizations maintaining high availability of crucial applications and databases, with a 99.99 percent accessibility target, enhanced security measures are essential for operational success. Key to the success of these robust security measures is ensuring their integration with high availability (HA) and disaster recovery (DR) solutions and their storage. Addressing malicious threats, without also addressing unforeseen factors like natural disasters, system failures and human errors can be disruptive to critical business operations. A well-designed security architecture that integrates with HA and DR plans ensures the swift restoration of critical systems, without compromising security or data and application availability.”
Tim Golden, Founder & CEO at Compliance Risk
“With dozens of data privacy rulings and pieces of legislation already on the books and more in the pipeline, it is going to get harder for SMBs to comply with the dizzying array of state and federal requirements. The U.S. is long overdue for a single, comprehensive data privacy rule. We could learn a lot from the EU’s GDPR.”
Liat Hayun, CEO at Eureka Security
“As we enter 2024, it is important to note that safeguarding organizational data can no longer mean restricting its use. As AI and LLM models add to the size, scope and types of data usage, organizations should focus on leveraging these emerging technologies to use their data for increased productivity, and accept some of the risk that goes along with this adoption – but must also consider ways to reduce it. With more data being stored and used, reducing data exposure will become the main focus for reducing this risk. Organizations should assess who and what has access to their data, when and how this access is used, identify anomalous behavior, suspicious access and the impact it may have on their data security.”
Andrea Malagodi, CIO at Sonar
“Data privacy today is turning into an old challenge with “new clothes” thanks to the AI-provided solutions now available to employees (the upload of data to websites). The reality is, mostly due to lack of education, that “Convenience beats Security” — malicious actors would typically rely on this to provide conversion websites (JSON to CSV as an example) and use these sites to collect data for possible attacks. The new AI sites also ask you to upload or grant access to content, which may even be worse, but not in that they service malicious intents. Any data that is shared is unlikely to have any privacy guarantees attached to it, and data shared is likely to be part of new training, as the AI services have an ever-increasing hunger for data.
Companies should develop a clear policy around Generative AI, educate employees, and ensure that the data classified at the highest tier stays safe from any sharing to AI services to help secure the data. Companies should also contract with providers that can create privacy protections around shared data. Gen AI is here to stay, so facing it fully and developing your strategy is key to the successful protection of your assets.”
Danny de Vreeze, VP IAM at Thales
“GDPR continues to set the standard for how data is stored and processed on a regional level, but 2024 will bring an increasing demand for this control in the U.S. and Canada. Enterprise organizations will meet these needs at the company level by implementing strong data encryption methods, including bring-your-own-key and hold-your-own-key features. At the individual level, users will benefit from more options to consent to the use of their data, zero-knowledge proof, and more. As we see more movement, from the U.S. side in particular, on data privacy and protection, data sovereignty will take a front seat in legislative conversations.”
Bryan Harris, CTO at SAS
“We are in an era of having everything we need at our fingertips thanks to great advances in technology. However, this convenience also comes with risks to privacy, especially in a world where humanity collectively creates 2.5 quintillion bytes of data daily. At SAS, we are committed to balancing privacy, security and safety and, most importantly, protecting our customers’ sensitive data.
To maintain this balance, human talent is essential. While generative AI experiences have lowered the barriers to human interaction with data and systems, generative AI is not a “get out of jail free card” for poor data management and data governance. If organizations have neglected the quality of data in the enterprise or have not defined a proper data management strategy – which includes data privacy – the promised value of generative AI will not be realized.
As innovation rapidly accelerates, there are two constants that will always serve as the foundation: good data management and strong data privacy.”
Mike Loukides, Vice President of Emerging Technology Content at O’Reilly
“How do you protect your data from AI? After all, people type all sorts of things into their ChatGPT prompts. What happens after they hit “send”?
It’s very hard to say. While criminals haven’t yet taken a significant interest in stealing data through AI, the important word is “yet.” Cybercriminals have certainly noticed that AI is becoming more and more entrenched in our corporate landscapes. AI models have huge vulnerabilities, and those vulnerabilities are very difficult (perhaps impossible) to fix. If you upload your business plan or your company financials to ChatGPT to work on a report, is there a chance that they will “escape” to a hostile attacker? Unfortunately, yes. That chance isn’t large, but it’s not zero.
So here are a few quick guidelines to be safe:
Read the fine print of your AI provider’s policies. OpenAI claims that they will not use enterprise customers’ data to train their models. That doesn’t protect you from hostile attacks that might leak your data, but it’s a big step forward. Other providers will eventually be forced to offer similar protections.
Don’t say anything to an AI that you wouldn’t want leaked. In the early days of the Internet, we said “don’t say anything online that you wouldn’t say in public.” That rule still applies on the Web, and it definitely applies to AI.
Understand that there are alternatives to the big AI-as-a-service providers (OpenAI, Microsoft, Google, and a few others). It’s possible to run several open source models entirely on your laptop; no cloud, no Internet required once you’ve downloaded the software. The performance of these models isn’t quite the equal of the latest GPT, but it’s impressive. Llamafile is the easiest way to run a model locally. Give it a try.
I’m not suggesting that anyone refrain from using AI. So far, the chances of your private data escaping are small. But it is a risk. Understand the risk, and act accordingly.”
Sean Costigan, PhD, Director of Cyber Policy at Red Sift
“The lifeblood of our deeply connected global system is data. Global business is deeply challenged by the complexities of cross-border information flows, cybercrime, data privacy, new frameworks, and changing cybersecurity regulations.
Meantime, governments are becoming more proactive in issuing guidance and legislating cyber policies. The global cybersecurity landscape is witnessing considerable transformation through regulatory changes that push organizations to prioritize data protection, privacy, and risk management. At present, this is having varied results. In the US, there are now 13 states that have comprehensive data privacy laws, and additional laws will come into focus in 2024. The various efforts could give rise to greater complexity for all involved. While the US does not yet have a national, federal, comprehensive data privacy law, pressure is mounting for one. Globally, cyber regulations may be misaligned between countries, creating challenges for multinational corporations, people, and organizations, even within regulatory blocs like the European Union. Commendably, regulatory changes appear to be driving better prioritization of measures that will improve resilience. For example, new legislation around data protection and privacy is pushing cyber risk into reporting for the corporate boardroom, making cyber resilience an enterprise issue. The goal for all should be to improve confidence in cyberspace and markets by building trust and transparency.”
Mark Sangster, VP, Chief of Strategy at Adlumin
“Data privacy has never been more critical than it is now. Not only do our digital identities carry more currency than any other form, but they are also easily manipulated, stolen, or disfigured by cyber criminals. Additionally, the rise in artificial intelligence has created existential risk regarding criminal hijacking, poisoned data lakes, and private data being fed into large learning models.
Business and public organizations must prioritize privacy and security as the top risk to their operations. Fundamental security practices should become the outer shield, with a specific focus on data and resulting obligations. In terms of artificial intelligence, companies need to protect data lakes and build policies and procedures to ensure private data does not mistakenly leak into data sets for large learning models that can easily expose confidential and potentially damaging information.”
Paola Zeni, Chief Privacy Officer at RingCentral
“With rapid innovation across artificial intelligence, organizations must remain relentlessly focused on protecting customers and their data. We should not wait for regulations to guide us; we must take charge of the associated security and privacy risks AI brings.
It is imperative to embed privacy principles across all aspects of the company’s products and services. At RingCentral, our privacy by design framework guides everything we do, ensuring transparency on how our customers’ data is collected and used.
When providers are transparent and share information about their AI, how it works, and what it’s used for, customers will be able to provide more specific disclosures to their users, thus making their lives (and jobs) easier, and improving users’ trust.
Companies should adopt strong governance by bringing together AI stakeholders, adopting policies around AI use and AI development, introducing AI risk assessments into vendor due diligence processes, and adding information about AI to their terms and to customer collateral.”
Chris Hickman, CSO at Keyfactor
“Data privacy and security go hand in hand, and both require a foundation of digital trust. Trust is built in part by having the confidence that all things have an identity and that the proper steps are taken to vet, manage and continuously monitor those identities from both people and devices.
The foundation for device identity continues to be public key infrastructure (PKI). From the corporate network to smart devices in the home, PKI both establishes the identity of those devices, authenticates them, keeps rogue software from being installed on them and makes sure the transmission of data, including personal data, is encrypted.
Increasingly and all too often, weak identity, poor management of keys, and lack of policy adherence lead to breaches that compromise data privacy. Fortunately, both emerging and established data privacy protections take the management of identity to prevent breaches into account and impose greater penalties on companies that violate or mismanage these important assets.”
Justin Daniels, Faculty member at IANS Research
“Despite an increasing number of privacy laws around the world, many people still have little understanding of how much information is collected about them every hour of every day. In the United States, Congress has yet to pass meaningful privacy legislation at the federal level, resulting in a patchwork of privacy laws that vary from state to state. This lack of clear federal data privacy guidelines makes it painfully difficult for individuals to make informed decisions about how and when to share their personal data and what level of data protection to expect from the companies collecting it.
Adding to the confusion, people are increasingly likely to encounter misinformation and opinions presented as fact. Spreading misinformation is easy and nearly instantaneous in today’s digital environment, reinforcing personal bias despite the availability of trustworthy evidence. Rapid advancements in AI have aggravated the problem by making it easy to create deep fake voices and videos quickly and cheaply. Determining what is real and who to trust with your personal information has never been more difficult — or more important.
As we mark another Data Privacy Day, one goal should be for individuals to become more cautious about sharing their data for a discounted price or minor perk. As they become more data-privacy conscious, brands that protect and manage customer data responsibly will build trust with customers online, offline, and around the world.”
Larry Whiteside, Jr., CISO at RegScale
“Privacy is an evolving aspect of our digital landscape, and its significance has been shaped by a pivotal driver: consumers actively expressing the importance of their data, particularly in the aftermath of numerous breaches compromising consumer information. Additionally, companies have been avidly engaging in data collection to gain valuable insights into the consumers they serve. Consequently, organizations are now under greater pressure than ever to handle data responsibly, which is particularly daunting for those managing large volumes of data. However, by adhering to a few fundamental principles, organizations can effectively navigate the demands of privacy regulations.
- Principle #1 – Understand Your Data: To comprehend the privacy implications for your organization, it is imperative to be aware of the data at your disposal. This requires a thorough investigation to identify the type of data, its location, users, and access. Although seemingly simple, this task can be complex, emphasizing the critical importance of Principle #2.
- Principle #2 – Establish Ownership: Ownership is key for the execution of any program or process. To ensure accountability, assemble a team of stakeholders with board-level visibility to establish policies and standards governing the organization’s use, collection, and maintenance of data.
- Principle #3 – Implement Sensible Controls: At a high level, three control categories—physical, technical, and administrative—need consideration. These controls serve as the linchpin for determining how to handle Privacy Data effectively and align with Privacy Regulatory mandates.
- Principle #4 – Minimize Unnecessary Data: Organizations often collect data for specific purposes without establishing processes for its proper disposal once it becomes obsolete. Failure to address this exposes companies to unwarranted risks. Following Principle #1 allows organizations to identify data that should be disposed of to mitigate potential risks.
- Principle #5 – Continuous Improvement: Many organizations halt their efforts after completing these fundamental exercises, which can be detrimental. A “rinse and repeat” approach can ensure that privacy measures remain effective, adapting to evolving circumstances. Ceasing at this point risks rendering previous efforts obsolete, as the context of data evolves over time.”
Jeff Reich, Executive Director at Identity Defined Security Alliance
“More and more of us wake up every day realizing that the amount of control that we have over our digital identities is less than we believed yesterday. Not only do each of us need to take more effective control over our identities, but we also find that the custodians of our data, whom we trust, need to do more as well. While legislators and leaders take steps to address this issue, most are far enough removed from the actual goings-on that they don’t know how to create the appropriate laws. The time it takes to enact legislation means we are months, if not years, behind where we need to be.
The European Union’s General Data Protection Regulation (GDPR) was an excellent first step towards achieving this goal. Some US states have adopted their customized version of that. Federal laws are a patchwork, focused on specific verticals such as banking or healthcare. Add this to the picture across the rest of the globe, and you can see the magnitude of the problem.
We have an underlying problem of poor security across many platforms and applications, leading to untrustworthy privacy provisions. This issue is compounded by the patchwork of privacy laws that drives many organizations to focus on compliance with whatever they feel applies to them. They may believe that compliance leads to security when, in fact, good security leads to compliance.
Adding AI into the equation means that we don’t know what needs to be done, by whom, and if that is even the identity that I think I am working with. Multi-Factor Authentication (MFA) is adding trust and friction at the same time. As a global society, we need to evolve to more seamless solutions that can add trust to identity management and confidence in what we do.”
Niels van Ingen, Chief Customer Officer at Keepit
“No one likes surprises, particularly IT executives who believe their SaaS cloud providers have taken all the necessary steps to back up customers’ critical enterprise data. This is never truer than when a disaster strikes, whether from an internal mistake or an attack from the outside, leaving business operations at a complete standstill.
The unfortunate truth is that most SaaS providers don’t offer the necessary level of data backup and recovery that enterprises require to get back up and running.
And guess what? If you read the cloud agreement, you’ll discover SaaS vendors aren’t responsible for data backup. The onus is on you.
It’s easy for individuals and businesses using popular cloud-based services to believe their data is “backed up in the cloud” and easily retrievable in the event of an attack or accidental deletion. However, they quickly learn – often too late – that backup services from SaaS vendors are usually very limited, disorganized, or prohibitively expensive to access. Organizations also get surprised when learning that many SaaS providers offer a limited data retention period, where after such time, the data is permanently deleted.
That’s why the only true backup – and the last line of defense in SaaS data protection – is having granular, reliable, and fast backup and recovery capabilities, with the data stored separate from the SaaS vendor’s environment.”
Rob Futrick, EVP, Platform Engineering at Anaconda
How Enterprises Can Navigate Data Privacy and Security Challenges in AI Systems
“The rise of AI has introduced new, unique challenges for enterprise data privacy and security that must be addressed for the industry to safely harness this innovative technology. New concepts like data poisoning or “sleeper agents” inside the data used to train AI represent sophisticated threats that maliciously infiltrate AI models to alter their expected outcome. The implications for this kind of breach – only possible through AI – can be tremendously costly, but just as we’ve learned from handling data science pipelines, the solution involves robust security measures tied to the people and products that interact with data. Getting the most value from new AI systems requires a delicate balance between data utility and privacy, requiring enterprises to establish robust governance frameworks, deploy advanced cybersecurity measures, and harbor a culture that prioritizes data privacy. In doing so, they can navigate the complexities of AI environments while upholding the highest standards of security and privacy.”
Mark Houpt, CISO at DataBank
“As AI becomes more prevalent in the workplace, employees must be aware of the inherent privacy risks associated with using this technology. AI ingests and aggregates data to improve its functionality over time. However, proper data governance practices are not always in place to protect sensitive user information. When interacting with AI, employees may unwittingly provide sensitive, non-public information without realizing it is being collected. This may occur because employees are not aware of what is behind the software, data collection, retention, and analytical practices that are inherent and required in order for AI to function properly. Workers need to be educated on data collection policies and opt-out procedures before using this technology. It is up to cybersecurity teams and IT leaders to ensure proper awareness of the privacy concerns and legal implications of generative AI use in the workplace before allowing people access to them.”
Eric Cohen, CEO and Founder at Merchant Advocate
“No matter the industry, a key concern for any customer-facing business is providing a streamlined, easy payment experience that meets the needs of their customers. While businesses continue to offer newer and easier methods for consumers to use at the point of sale, they can’t afford to overlook their data security practices as a result. Data Privacy Week serves as a great reminder for businesses to review their compliance practices, starting with PCI compliance. Taking preventative measures to remain compliant will help businesses avoid several unnecessary costs, from small non-compliance fines to larger fraud-related charges in the event of a data breach. It’s also important to adhere to industry-specific guidelines, such as HIPAA compliance in the medical field, as they further bolster data protection and keep businesses a step ahead of potential bad actors.”
Brian Spanswick, CISO & CIO at Cohesity
“World Data Privacy Day is an excellent opportunity for public and private organizations to assess the effectiveness of their data security and management practices, and this has never been more critical than it is now. The accelerated adoption of large language models (LLM), like ChatGPT, has added a significant threat to an already critical data security posture. The value of the data itself and the criticality of that data for an organization’s operations to function has never been more exposed to disruption and exfiltration. This increases the need for organizations to understand where their data are, ensure that data is encrypted in transit & at rest, and have the ability to recover that data while minimizing disruption to operations.
Unfortunately, we live in a world where cyber threats and successful attacks are a challenge that all organizations face because of the disruptive impact they have on business continuity and the lucrative financial gains they can provide to threat actors when they can exfiltrate an organization’s data. By using this annual event as a catalyst to reassess, evaluate, and revise your data security & management best practices, you’ll help set your organization up for success in the year ahead. Adopting modern technology platforms that help you protect, secure, and recover data is both fundamental and critical. In 2024 there are many solutions that are integrating AI to help turbocharge organizations’ IT & Security capabilities, increasing the effectiveness of these fundamental data protection controls.”
Nick King, CEO and Founder at Data Kinetic
“This year’s Data Privacy Week serves as a reminder to organizations that the responsible development and deployment of AI requires proper governance, privacy standards, and self-regulation. AI engineers, business leaders, and influencers play a crucial role in shaping the future of AI, and the AI Impact Assessment Scale (AIIAS) is a key tool in this process.
The AIIAS provides a standardized method for assessing and classifying AI applications, promoting responsible AI practices, and fostering trust. Adopting and promoting the AIIAS enables the AI industry to adapt quickly to emerging challenges.
As stakeholders, it’s essential to prioritize transparency, accountability, privacy, security, fairness, and human-centric design. By focusing on these principles, we can mitigate potential risks and unintended consequences.
Now is the time for AI stakeholders to unite and lead the charge for a responsible AI ecosystem. By embracing data privacy and governance, leveraging self-regulation, and implementing tools like the AIIAS, we can create a better future with AI that benefits everyone.”
Brian Weiss, Field CTO and SVP at Hyperscience
“Data is the building block for AI solutions, and the proprietary data used for training large language models (LLMs) is what makes organizations successful, but also vulnerable to malicious actors and beholden to new standards of stewardship of customer PII. As organizations sober up from the AI gold rush, they’ll find themselves in a field of landmines full of privacy and security challenges. In order to safely leverage enterprise AI solutions, CISOs must be prepared with a governance plan that covers areas of concern such as data opt-out options, training data hygiene, and more. Unless these processes are locked down, organizations will be sacrificing security for innovation, which will ultimately hinder success due to the lack of risk and compliance measures.”
Jason Eddinger, Senior Security Consultant – Data Privacy at GuidePoint Security
“This year, there are quite a few emerging data privacy trends businesses should expect to see in 2024.
If companies look at some of the maps of the US in particular, the Northeast is lighting up like a Christmas tree for privacy bills that are being introduced. One trend is the continuation of states adopting comprehensive privacy laws.
AI will be a significant trend for 2024 as businesses will see unintended consequences from AI, resulting in breaches and enforcement fines due to the rapid adoption of AI without any actual legislation or standardized frameworks.
On the US state privacy law front, there will be an increased area of enforcement from the Federal Trade Commission (FTC), which has been clear that they intend to be very aggressive about enforcement and follow through on that.
2024 is a presidential election year in the US, which will raise awareness and heighten attention to data privacy this year. People are still somewhat unraveled from the last election cycle about mail and online voting privacy concerns, which may trickle down to business practices.
For multinational companies, businesses should also anticipate seeing data sovereignty trending in 2024. While there’s always been that discussion about data localization, it’s still broken down into data sovereignty, meaning who controls that data, its residents, and where it lives. Multinationals must spend more time understanding where their data lives and the requirements under these international obligations to meet the data sovereignty requirements to comply with India and other international laws.”
Ani Chaudhuri, Co-Founder and CEO at Dasera
“As we observe Data Privacy Day 2024, it’s imperative to recognize that data privacy is not just a regulatory requirement but a fundamental aspect of building trust and integrity in the digital age. Privacy is the cornerstone of a secure and ethical data ecosystem. This day serves as a crucial reminder for businesses to not only comply with data protection regulations but also to embrace a culture of privacy that values and protects the personal information of individuals. By integrating privacy into every aspect of our operations, from product development to customer engagement, we safeguard data and foster a more transparent and responsible digital world. Let’s use this Data Privacy Day to reaffirm our commitment to upholding the highest data privacy standards and inspire others to do the same.”
Gil Dabah, Co-Founder and CEO at Piiano Security
“A year before the GDPR came into effect, a sense of anticipation hung in the air. A major change was on the horizon – data’s rightful owners were shifting from businesses to individuals. Everyone diligently laid the groundwork for GDPR compliance, tackling visible aspects like cookie consent, privacy policies, and basic data access rights. These shiny, easily achievable measures merely formed the tip of the iceberg. However, below the surface, the fundamental structure of our systems, broken in design of security and privacy, remained untouched. Sadly, 2024 promises a bleak landscape of heightened data breaches (tripled between 2013 and 2022, Apple says) by cybercriminals, more widespread data misuse by large corporations, and increased exposure risks arising from novel AI applications. Brace yourselves.”
Nimai Sood, Director, Software Engineering at NetApp
“To stay ahead of the evolving security landscape, data privacy professionals need to be aware of emerging trends and constantly hone their skills to address them.
For example, the shift towards cloud computing is creating new security and privacy challenges, as organizations migrate data and applications from on-prem or between cloud environments. This, of course, requires security measures for data in motion, but also demands that both security and IT teams uplevel their understanding of data encryption to better protect that data, even at rest.
Ultimately, the most effective educational foundation is one that combines theoretical knowledge with practical experience.”
Christian Wieland, AVP of Healthcare Strategy & Innovation at LexisNexis Risk Solutions
“In healthcare, it is crucial to engage consumers throughout the data exchange process to optimize the use & value of their data. This requires the promise of vigorous data security and the delivery of robust consent management tools that give consumers the authority to decide how their data should be used. With the right transparency and incentives, consumers have a greater likelihood of sharing their fully identified data, which enables caregivers to make more informed decisions and clinical researchers to explore richer datasets. This of course requires the data to be current and linked to the correct person prior to sharing, which emphasizes the importance of powerful data management and identity verification solutions.”
Andro Galinović, CISO at Infobip
“With the US elections approaching, I anticipate a potential increase in the misuse of personal data for political propaganda.
Those who possess stolen data sets may seek to exploit this situation. It is crucial that we renew our commitment to data security best practices and awareness to prevent our personal information from being compromised and misused without our consent.
Data Privacy Day serves as an important reminder of how crucial it is to protect personal data.”
Mike Kiser, Director, Strategy & Standards at SailPoint
“Data privacy is still a challenge for many enterprises, despite the availability of tools to assist them. Organizations often find themselves in a similar position to a parent who opens the refrigerator late in a busy week: they have questions about when items were obtained, and how unsafe they might be at this point:
“What food lies in the dark recesses of that back shelf? How old is this cheese? When did we cook (and store) that plastic container of beef stroganoff?”
These questions about food storage can be translated easily to data storage, and are no less answerable for most organizations: “What data lies in our repositories? When did we collect it? Should we eliminate it, or is it still useful to the business?” These questions can only be answered through an agreed upon set of guidelines, along with clear, timely communication with all relevant parties around what data is being collected and where it is being stored.
Technology and innovation will continue to advance, but without establishing and adhering to clear policy and notifications for data storage and retention, the piles of data lying around in the forgotten corners of our enterprises will continue to pose a larger threat than that 15-month-old serving of Aunt Gertrude’s Tuna Surprise.”
Joe Jones, Director of Research & Insights at International Association of Privacy Professionals
“The work of privacy professionals has never been more important to the flourishing and integrity of our increasingly data-driven economy and digital society. And yet, the work has also never been more challenging. According to the IAPP-EY Privacy Governance Report 2023, 86 percent of privacy professionals reported that they regularly work with three or more teams within their organization while performing at least 10 different privacy functions. The dynamism and variety of globally proliferating privacy laws requires expert navigation and actionable translation. And still, there’s more. The industrializing of digital regulations that map, overlap, and expose important gaps for the work of privacy pros has added a new and complex dimension. Laws and policies targeting AI systems, content moderation, competition, intellectual property, digital advertising, and broader liability are just some of the new realms in which privacy professionals are working. That, combined with the eye-watering and existential consequences of litigation and enforcement, firmly cements the strategic prioritisation of privacy, and the people that do the work of privacy.”
Tim Erlin, Head of Product at Wallarm
“Data Privacy Week is often filled with tips for individuals about how to better protect their data, but organizations can have the biggest impact on data privacy because they are the ones collecting, processing and storing data. Here are three data privacy tips for organizations:
Eliminate Data You Don’t Need
Collecting data is easy, but do you really need all the customer data you collect? Creating an inventory of the Personally Identifiable Information (PII) you collect, process and store is a basic practice for data privacy, but why not take the extra step of auditing that inventory for data you can eliminate? After all, if you don’t collect the data in the first place, it can’t be compromised.
Conduct a Penetration Test
A good penetration test is scoped to specific systems and targets. Information security practitioners often scope a pen test to a specific application or business function, but you can plan and conduct a pen test targeted at PII. Sometimes the best way to drive positive change is to illustrate the potential negative consequences of the status quo. Demonstrating how your PII can be compromised can be a catalyst for change.
Audit Your Vendors and Partners
The growth in the API economy has driven more and more integrations with vendors and partners. Those integrations run on data, some of which is PII. When your data is compromised through a third party, it’s your name in the headline, so you should audit those third parties to ensure they’re protecting your customers’ data.”
Lakshmikant Gundavarapu, Chief Innovation Officer at Tredence
“In an era dominated by big data, businesses are increasingly harnessing the power of AI models such as ChatGPT to revolutionize efficiency and elevate customer service standards. However, this surge in AI adoption comes hand in hand with substantial data privacy concerns, particularly prevalent in data-intensive sectors like banking and consumer goods. The pivotal challenge lies in effectively leveraging these advanced AI tools without compromising the confidentiality of sensitive information or violating stringent privacy regulations.
Enterprises must embrace robust data privacy strategies to navigate this complex landscape successfully. This involves meticulous data classification to identify and safeguard sensitive information, minimizing the data input into AI models and implementing advanced techniques like data masking and encryption. Equally essential are stringent access controls and secure data-sharing practices to thwart unauthorized access attempts.
A standout solution in this intricate ecosystem is synthetic data. By crafting data that mirrors authentic patterns yet contains no sensitive information, businesses can confidently train and test AI models without risking privacy breaches. This innovative approach presents a dual advantage: It not only fortifies privacy safeguards but also preserves the utility of data for diverse AI applications.
In essence, businesses must strike a delicate balance—capitalizing on the vast potential of AI while safeguarding data privacy. The incorporation of synthetic data emerges as a prudent step in this direction. In our digitally-driven world, responsible AI usage is not just a strategic choice but a technical necessity. It forms the bedrock for upholding customer trust and maintaining industry reputation in an increasingly interconnected and privacy-conscious landscape.”
Rob Price, Director, Field Security Office at Snow Software
“Cybersecurity is an increasingly difficult field, especially as AI is already carving out new paths for cybercrime. While proactive vigilance against threat actors is an undeniable priority, the security industry is plagued with a significant skills shortage. These issues, along with many other contributing factors, are increasing the challenge of data protection.
Due to these factors, there is a much larger role for individual responsibility to protect individuals and organizations. Humans are the weakest link when it comes to cybersecurity; social media engineering in particular has created a false sense of security in sharing personal information online, which can have serious negative impacts on maintaining the security of personal data. It is imperative for individuals to think before they act when it comes to sharing any information.
Social engineering is also a very real threat, which has become more sophisticated with the assistance of AI. The effects of AI are already impacting the cybersecurity world, and maintaining privacy online is key for protecting your personal data.”
Phil Blackwell, Director, CTO at Whyze Health
“Elevating healthcare security in the digital age: where health data is increasingly interconnected, safeguarding patient privacy is paramount. At WHYZE Health, we recognize the critical importance of data privacy and have established robust measures to ensure the confidentiality and integrity of healthcare information. One cornerstone of our security architecture is implementing a Zero Trust model, an innovative approach that transforms how we view and enforce security within our healthcare ecosystem.
Understanding zero trust: a paradigm shift in security. Traditionally, security models assumed that once within a network, entities could be trusted. However, the evolving threat landscape demands a more proactive approach. WHYZE Health has embraced the Zero Trust model, which fundamentally challenges the concept of inherent trust and operates on the principle of “never trust, always verify.” Regardless of location, every user, device, or application is subject to continuous verification before being granted access to sensitive healthcare data.
Tokenization is an unassailable fortress for patient data; one of the keystones in our commitment to data privacy is the implementation of tokenization. In healthcare, where the stakes are high, safeguarding patient information is non-negotiable. WHYZE Health leverages tokenization to render sensitive patient data indecipherable, replacing it with unique tokens. Even in the unlikely event of data interception, the tokenized information is essentially useless to unauthorized entities, providing an additional layer of security.
Patient empowerment through blockchain. We recognize that patients are the ultimate owners of their health data. To underscore our dedication to patient-centric privacy, we utilize WHYZE blockchain technology. This decentralized ledger empowers patients with control over their health information, allowing them to decide when, where, and to whom their data is shared. This innovative approach respects patient autonomy and ensures that healthcare data is exchanged securely and transparently.
Setting a new standard for healthcare security in the dynamic healthcare landscape, WHYZE Health sets new data privacy and security standards. Our commitment to the Zero Trust model, coupled with advanced technologies like tokenization and Blockchain, reflects our dedication to fortifying the confidentiality and integrity of healthcare data. As we continue to innovate, our unwavering focus on data privacy ensures that patients, healthcare professionals, and organizations can trust WHYZE Health as a secure and reliable custodian of sensitive health data and information. Our journey toward a safer, more private healthcare future is powered by cutting-edge security measures and a commitment to the well-being of individuals and the broader healthcare ecosystem.”
Sreedharan K S, Director of Compliance at ManageEngine
“Safeguarding data is always an important priority for business, as well as for individuals. With every new technology, the risk profile changes, and with it, fresh challenges arise. The widespread use of AI/ML technology has pushed the boundaries of the amount of personal data that can be collected and analyzed. This has led to the possibility of algorithms learning the behavior of a person and making decisions that impact the individual’s rights. Large-scale data collection increases the risk of surveillance. Therefore, regulators in various geographies have developed guidelines on the responsible use of AI/ML technologies. It is in the best interest of businesses to follow these guidelines.
Another risk is that of decisions made by AI/ML technologies based on models trained on specific types of data in the form of images, videos, text, and numbers that pertain to the model. Such data, though carefully curated for training purposes, will still likely carry inaccurate information. There should always be a process requiring that a human element review the automated decisions made by technology so corrective actions can be taken. There have been instances where employees using AI technologies to simplify tasks for their jobs have inadvertently leaked sensitive company information. Organizations should educate employees about these risks and build controls to address them. Those organizations that intend to use customer data for training AI models to improve their quality of service should communicate a clear and transparent policy. Furthermore, there should be controls on the use of this collected data so that the purpose for processing it does not transgress the published mandate. The processing of this data should be beneficial in terms of improving productivity, but should absolutely not infringe on an individual’s rights.”
Ammar Bandukwala, Director, CTO and Co-Founder at Coder
“In their day to day, developers are not measured by how their workflows and processes reduce corporate risk. By and large, they’re measured on software delivery, and minimizing corporate risk is usually at odds with this main goal. The front line of this battle between protecting data privacy and maintaining developer productivity is the development environment.
The status quo is for developers to stream data into their local environments for analysis and testing, causing IT and security teams to heavily lock down these environments. However, the organization remains exposed to great risk as customer data, business applications, and unvetted software dependencies co-exist on decentralized devices.
CDEs flip this problem on its head by centralizing all development activity into the organization’s cloud infrastructure. By moving the development environment into the cloud, security teams can shift their focus into creating a secure barrier around the environment instead of within, unleashing developer productivity, while improving the overall security posture of the organization. It’s a rare win-win for both security teams and developers.”
Carl D’Halluin, CTO at Datadobi
“On January 28, we celebrate Data Privacy Day. Initiated in the United States and Canada in 2008 by the National Cyber Security Alliance, its aim is to raise awareness and promote privacy and data protection best practices.
I would say the number one data privacy best practice is pretty simple: make sure you can get the right data to the right place at the right time. Wherever the data is in its lifecycle, it should be protected and only accessible as needed. Of course, this tends to be easier said than done. But, there is perhaps nothing more critical and imperative than implementing the right strategies and technologies to do so. After all, while data is an organization’s most valuable asset (in addition to its people), it also represents its greatest potential risk.
Balancing these two aspects is key. In other words, effective data management enables you to optimize your business intelligence, make faster and smarter decisions, and gain a competitive edge, as well as better meet business requirements such as internal governance and legal mandates, external regulations, and financial obligations and goals.”
Don Boxley, CEO and Co-Founder at DH2i
“Data privacy isn’t just important for businesses – it is a matter of corporate survival. A company can make just one small mistake, neglect one small security check-box, and the consequences can be catastrophic. One small mistake could lead to a data breach that causes legal and regulatory fines, as well as irreparable damage to the company’s reputation — a nightmare from which recovery is near-impossible.
A software-defined perimeter (SDP) solution could be the answer! Many SDP solutions are engineered to provide secure network connectivity across on-prem, cloud, and hybrid environments. SDP enables its users to transform their traditional network-based perimeter security with a more sophisticated one that creates micro-perimeters around data. SDP enables secure connections between data centers and across private and public cloud platforms without needing a VPN or direct connect, thereby significantly reducing security vulnerabilities even further. In addition, for those focused on data protection and privacy, SDP enables the ability to create secure tunnels for specific applications, as opposed to entire network access. Ideally, such a solution would be streamlined and straightforward to manage, equipped with an intuitive interface that eases the configuration, and ongoing management of secure connections. This combination — increased security, ease-of-use, and adaptability – makes SDP the ideal choice for protecting data and ensuring data privacy.”
Steve Santamaria, CEO at Folio Photonics
“On Data Privacy Day, we are reminded of the business-critical importance of safeguarding sensitive information – both professional and personal – at a time when data breaches and cyber threats have become all too common. For data protection professionals, this should not be viewed as a gentle nudge but rather a polite – yet strong shove toward reviewing and fortifying the technology and policies that serve as the underpinnings of your data protection strategy.
How can anyone not admire those responsible for their organization’s data protection? As we in the business know – it’s no walk in the park! The good news is of course, that smarter and more powerful technology solutions continuously enter the marketplace, ready to take their place in the data protection professional’s arsenal. Active archives built on an optical storage foundation can offer an ideal data protection solution for several compelling reasons. Firstly, they provide a high level of security as data stored on optical discs is read-only, rendering it resistant to cyber threats like ransomware. Optical storage is also highly durable — able to withstand physical damage from factors like magnetic fields, moisture, and temperature fluctuations, ensuring the safety of critical data. What’s more, optical storage media boasts a long lifespan, making it ideal for data archival and compliance requirements while also being cost-effective in the long term. And last but certainly not least, it can be easily air-gapped – adding a virtually impenetrable defense against a cyber-attack.
Retrieving data from optical storage is quick and reliable due to fast read speeds, making archived data readily accessible. And if that isn’t enough — it is environmentally friendly, consuming less energy and having a lower carbon footprint compared to alternative storage options.”
Aron Brand, CTO at CTERA
“The extensive data-processing capabilities of AI, crucial for its sophisticated functions, often involve handling sensitive personal data, heightening risks of breaches and privacy issues. The inherent complexity and lack of transparency in AI models can inadvertently lead to biases and ethical dilemmas, making it harder to comply with regulations. In response, there is a clear trend towards private AI solutions in enterprises, spurred by the need for data control and regulatory compliance. Private AI frameworks allow businesses to tailor AI models to their specific needs while retaining control of sensitive data. This strategy not only aligns more closely with privacy laws but also ensures strict internal management of data processing and storage, improving data security and adherence to regulatory standards.
A key development in private AI infrastructures is the integration of Retrieval Augmented Generation (RAG) pipelines. RAG merges the generative power of AI with data retrieval from databases or unstructured data repositories, making it ideal for applications that demand accuracy and factual correctness. Implementing RAG pipelines within an enterprise’s own infrastructure is vital for maintaining privacy and compliance, particularly in sectors like healthcare and finance. It guarantees that AI outputs derive from secure and relevant data sources, upholding necessary transparency and control for regulatory compliance and public trust.”
Matt Ninesling, Senior Director of Tape Portfolio at Spectra Logic
“With the acceleration of ransomware attacks perpetrated by bad actors intelligently using AI to wreak havoc, enterprises see that data can be misplaced, tampered with or even lost in the cloud. This year, more than ever, data privacy emerges as a paramount security concern. However, when an organization opts to write its data to onsite, air-gapped tape storage the risk of data loss diminishes significantly. Using this method, data is protected from ransomware, software failure, even natural disasters and its privacy is maintained, potentially forever. Tape stands out as the preferred storage medium for achieving the utmost cyber resilience, and to keep information long term. Tape is Fort Knox for your data, preserving its privacy and security.”
Lance Hayden, Vice President, Chief Information Security Strategist at Vericast
“In reflection of Data Privacy Week, it’s important to state upfront that data drives success and it is the fuel for our engines. Because of this, it must be managed carefully to maximize its value and efficiency and to minimize the risks involved. I think about three core objectives that are necessary to achieve these goals: data stewardship, data governance, and data privacy and security.
Data stewardship involves recognizing the value that data brings not only to ourselves, but the value of data to other stakeholders. These may include clients, partners, and of course individuals. Privacy today is typically understood as the rights individuals have to understand and control their own data, with new privacy laws about enforcing those rights. Being a good data steward means taking a stakeholder approach to collecting, processing, and controlling data. At the individual level, this means treating people’s data as we would want to see our own data treated. At the level of clients and partners it is about treating the data they entrust with the same concern we would treat our own corporate data assets. Good stewardship is about looking beyond our own immediate concerns and taking the concerns of others into account.
Data governance is all about what we do with data once we have it, whether we are acting as the stewards of someone else’s data, or when we have created it ourselves. Governance is about more than just managing data as a resource to achieve certain ends or goals. It’s about ensuring that those goals make strategic sense and are beneficial to us, both as data owners and as stewards of data owned by others. Data governance requires us to understand what data we have, where it lives and moves through the organization, and how we process it. Without effective data governance, it’s impossible to be an effective data steward.
Finally, privacy and security are about controlling and protecting data in accordance with our obligations as stewards and our strategic governance objectives. Privacy and security are intertwined, with privacy often defining what must be controlled and why, and security implementing and enforcing those protections. This year’s Data Privacy Week theme is “Take Control of Your Data,” which nicely encapsulates the challenge. Whether that control is exercised on the part of an individual working to protect their identity, or a company safeguarding a sensitive enterprise asset, taking control is a call to action. And the challenge will only grow as individuals and organizations alike produce and rely on ever-increasing amounts of data and information to thrive.
I think data privacy will continue to be one of the biggest challenges our society faces. How much privacy is required and what are the consequences of failing to be good data stewards? The proliferation of data breaches will, as more people and organizations experience the resulting damage, drive greater demand for effective stewardship, governance, and privacy. Companies and organizations that understand this stand to differentiate themselves in the eyes of their customers, partners, and regulators.”
Dr. Johannes Ullrich, Dean of Research at SANS Technology Institute
“Current prevalent threats to data security include password spraying attacks, “living off the cloud” methods to exfiltrate passwords, and new vulnerabilities in perimeter security devices.
A notorious recent example of password spraying jeopardized personal data from Microsoft executives and their cybersecurity team. Unlike other brute force attacks, hackers avoid login attempt lockout policies by obtaining a list of usernames and pairing one password against a large volume of accounts. Hackers are staying informed on password patterns; your organization should be too.
Data exfiltration is yet another critical issue. Attackers often use legitimate services, like mailtrap.io, for exfiltrating data from compromised organizations. Such ‘living off the cloud’ attacks are particularly challenging to detect as they exploit valid resources that are often allowlisted and not actively monitored.
Ivanti’s Connect Secure VPN solution is widely used for controlling access to personal data. Recent severe vulnerabilities within this solution, taking advantage of CVE-2023-46805, have transformed it from a protective tool into a potential gateway for attackers, undermining organizational data controls. Looking ahead, security researchers should be inspecting the code with the expectation that additional vulnerabilities are likely to follow.”
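A defender-side illustration of the distinction drawn in the quote above, added here as an example and not part of Dr. Ullrich's remarks or any SANS material: a lockout-style rule (many failures against one account) does not fire on a spray, where each account sees a single failure, while counting distinct accounts failed per source over a time window does. The log format, IP addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): one line per attempt.
# Source 203.0.113.10 tries one password against five accounts (a spray);
# source 198.51.100.7 hammers a single account (classic brute force).
SAMPLE_LOG = """\
2024-01-28T09:00:01Z FAIL user=alice src=203.0.113.10
2024-01-28T09:00:03Z FAIL user=bob src=203.0.113.10
2024-01-28T09:00:05Z FAIL user=carol src=203.0.113.10
2024-01-28T09:00:07Z FAIL user=dave src=203.0.113.10
2024-01-28T09:00:09Z FAIL user=erin src=203.0.113.10
2024-01-28T09:00:11Z OK user=frank src=203.0.113.10
2024-01-28T09:01:00Z FAIL user=alice src=198.51.100.7
2024-01-28T09:01:02Z FAIL user=alice src=198.51.100.7
2024-01-28T09:01:04Z FAIL user=alice src=198.51.100.7
2024-01-28T09:01:06Z FAIL user=alice src=198.51.100.7
2024-01-28T09:01:08Z FAIL user=alice src=198.51.100.7
2024-01-28T09:30:00Z FAIL user=grace src=192.0.2.44
2024-01-28T09:30:30Z OK user=grace src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Parse the constructed format into (timestamp, result, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def _window_hits(keyed, window, threshold, measure):
    """Sliding window per key; report the first window where measure() >= threshold."""
    hits = {}
    for key, items in keyed.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            value = measure(items[start:end + 1])
            if value >= threshold:
                hits[key] = value
                break
    return hits


def detect_bruteforce(events, window=timedelta(minutes=10), min_attempts=5):
    """Lockout-style rule: many failures on ONE account from one source.
    Returns {(src, user): attempts} for pairs reaching min_attempts within window."""
    by_pair = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_pair[(src, user)].append((ts, user))
    return _window_hits(by_pair, window, min_attempts, len)


def detect_spray(events, window=timedelta(minutes=10), min_users=5, group_by_source=True):
    """Spray rule: failures against many DISTINCT accounts within window.
    group_by_source=False pools all sources under "*" so a spray that rotates
    source addresses (beyond the single-source case in the quote) still surfaces.
    Returns {src: distinct_failed_accounts}."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src if group_by_source else "*"].append((ts, user))
    return _window_hits(by_src, window, min_users, lambda w: len({u for _, u in w}))
```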
Jason Kemmerer, Solutions Architect at Forcepoint
“As we celebrate Data Privacy Day in 2024, it’s important to shine a light on the potential cybersecurity risks that come with the integration of Generative AI in enterprise operations. With this cutting-edge technology becoming an essential part of business processes, we cannot ignore the threats to data privacy. The world of cybersecurity is evolving at a breakneck pace, and Generative AI is a prime culprit behind sophisticated data breaches, malware, and phishing attacks.
To combat these risks, security teams must adopt a comprehensive mitigation strategy that involves raising employee awareness, implementing robust Zero Trust frameworks, and leveraging advanced technologies like DLP and RAP. Combining these aspects with Secure Access Service Edge (SASE) can give organizations a better handle on their data across managed and unmanaged devices. In this new era, enterprises must be agile and continuously refine their security strategies to tackle the unique challenges posed by Generative AI.”
“As we observe Data Privacy Day in 2024, it’s crucial to acknowledge that with the rise of remote work, our email channels have become the weakest link in our data security measures. The usage of emails has surged by 83% since the pandemic, which, according to the Egress Data Loss Prevention Report 2021, has increased the risk of data breaches, potentially damaging the reputation and financial stability of companies. Not only are emails a prime target for malware delivery, but they are also a direct route for significant fraud and business email compromises.
To counter these threats, it’s essential to deploy advanced Data Loss Prevention (DLP) technologies. These systems provide critical oversight and control, safeguarding intellectual property from both targeted and accidental exposures. On this Data Privacy Day, let’s pledge to strengthen our defenses by adopting the latest DLP technology, ensuring our email channels are secure and our data remains protected.”
“On Data Privacy Day 2024, it is important to acknowledge that hybrid work security is now an essential aspect of successful businesses worldwide. As the concept of a traditional office extends into homes, a new approach to cybersecurity is necessary to safeguard data wherever it is. To achieve this, it is imperative to address the key challenges of securing both cloud-based and internal web applications, combatting threats in a Bring Your Own Device (BYOD) workforce, and unifying data security policies across multiple platforms.
The emergence of technologies such as Zero Trust and Secure Access Service Edge (SASE) marks a transformative era in cybersecurity. These advanced security measures offer scalable and dynamic solutions to safeguard our ever-evolving work environments. As we embrace this era of digital transformation, integrating such advanced security measures is crucial for protecting our workspaces.”
Jim McGann, VP of Strategic Partnerships at Index Engines
“Today, securing data and ensuring data privacy requires more than creating copies; it demands active validation of the integrity of that data.
Due to the sheer volume of enterprise data, continuous manual validation doesn’t work. This is where AI can be a game changer. AI can play a pivotal role in scrutinizing data integrity across the enterprise, with training from new ransomware variants, and insight from analysis of data content – important components in securing and protecting data in today’s threat landscape.
An AI-driven approach will be increasingly important for consistent data validation, ensuring data integrity, rapid recovery, and minimizing data loss in the face of evolving cyber threats. Just as adversaries now exploit AI to create increasingly sophisticated threats, organizations must now utilize AI proactively to safeguard their data.”
Shawn Rosemarin, VP, R&D, Customer Engineering at Pure Storage
Increased Scrutiny on Connected and Embedded Devices:
“All 3rd party connected and embedded devices will come under strict security standards before accessing internal networks.”
Focus on Estate Security and Increased Use of Proactive Security Tools:
“Organizations will continue to invest in proactive, predictive security tools and technologies to better detect vulnerabilities and security gaps. IT Currency (patching and updates of data center assets) will continue to be a major focus area for large enterprises. Ethical hacking and penetration test services will continue to mature to keep pace with evolving threats.”
Data Resiliency strategies will evolve:
“Enterprises will evolve their data protection strategies, continuing to look beyond traditional backup/recovery and holistically ensuring that their key data is available 7x24x365 regardless of the circumstance. This strategy will include encryption, replication, snaps/clones, backup and rapid restoration of backup data sets in the event of an unrecoverable breach.”