Expert Commentary and Best Practices: Data Privacy Day 2021

Today is Data Privacy Day 2021. We spoke with several cybersecurity experts on what this day signifies and what best practices enterprises should embrace. 

According to an iProov survey, 95 percent of respondents care about their data privacy, and 25 percent of respondents felt like they have no control over their data privacy. Meanwhile, 75 percent of people have had to change their password due to a security breach and 66 percent of people are frustrated with having to do so. This could prove a significant obstacle to enterprises’ long-term bottom line and reputations if not corrected. Cybersecurity focused on data privacy could help, but where to start?

On this Data Privacy Day 2021, we speak to the experts on the first steps, next steps, and beyond. 

Anurag Kahol 

Anurag Kahol is CTO of Bitglass.

“Data Privacy Day serves as a reminder of one of the most important responsibilities for any organization: keeping sensitive data secure. Consumers are constantly discovering the information that is collected about them, how that data is used, and how daily breaches put that information at risk. Consequently, to maintain consumer trust (and remain compliant with regulations), it is imperative that companies make security a top priority.”

“This past year marked a pivotal change in how companies conduct business, with most being forced to rapidly shift to a remote workstyle of operations due to the global COVID-19 pandemic. Now that we have begun to see distribution of the vaccine, some may think it’s only a matter of time before ‘normal’ in-office work resumes. However, that is not likely to be the case. Instead, we are going to see a permanent blend of remote and in-office work, as well as mobile employees whose workspaces are constantly changing. Organizations must be prepared to continue to operate in this manner while ensuring that data is secure no matter where or how it is accessed.”

“Unfortunately, many organizations lack the ability to achieve the above and are relying on outdated tools that are designed for predominately on-premises operations and lack the granularity needed today. To address these challenges, there are a few steps that must be taken. First, organizations must have an accurate inventory of data. This step is critical for adhering to data privacy regulations including CCPA, because if companies don’t know the information they have or where it is going, then they cannot properly protect it. What’s needed is a set of comprehensive activity logs that track all file, user, app, and web activity to reveal everything that is happening with consumers’ data.”

“Next, companies need to protect access to consumer information as well as the various systems that store it. This can become more challenging for improperly equipped organizations that adopt cloud technologies and other remote work capabilities, as consumer data can then potentially be accessed across numerous applications and on various devices. To address this problem, organizations can require that employees attempting to access consumer data are authenticated via Single Sign-On (SSO) as well as multifactor authentication (MFA). This will aid in ensuring that only legitimate, authorized users can handle consumer information.

Finally, organizations need to have a thorough understanding of data jurisdictions and any security challenges they may present after migrating to the cloud. With respect to certain data privacy regulations like CCPA, data may only be stored or transferred where the state has jurisdiction or an agreement is in place. To ensure compliance, organizations should look for security solutions that allow them to encrypt cloud data (wherever it resides) while maintaining local control of encryption keys. Additionally, solutions that dynamically allow or deny access based on contextual factors like a user’s location, device type, or job function are highly helpful, along with data loss prevention (DLP) capabilities. For ease of management and cost-effective, consistent security, organizations should look for a single security platform that integrates all these capabilities into one offering.”

Saket Modi

Saket Modi is Co-Founder and CEO at Lucideus.

We are stepping into an era that is more digital-dependent than ever before. With PHI selling on the dark web for as little as a few hundred dollars, data is the new currency. 

While to date, the ethical and moral responsibilities that come with its abundance have rested with governments and the corporate world, the end-user (consumer) has to start sharing the onus. From being prudent about what kind of information they are making publicly available, to knowing exactly which website, platform, or service they are using has been breached – there is a lot the average person has to incorporate into their cyber-consciousness.

Consumers need to take control of their digital footprint and privacy. They must know, objectively and in real-time, what they expose through their online identities, devices they own, applications and services they use, along with staying updated with the modern trends leveraged by cyber-criminals to misuse data. To that end they can start safeguarding some of the most recurring pain points:

  • Take action over compromised credentials – While 72 percent of consumers frequently lose sleep over having their information stolen, 64 percent have never checked to see if they were affected by any major data breaches. Understanding the effects of a data breach is paramount to taking the appropriate steps, from changing passwords and security questions to checking any other accounts where you might have used the same credentials.
  • Set up Two-Factor Authentication (2FA) or Multifactor Authentication (MFA) – Enabling MFA or 2FA where possible will add an extra layer of security to your accounts, no matter if you are logging in from a computer or a mobile device. It creates an extra barrier for those trying to break into your accounts.
  • Secure your mobile devices – Malicious actors can get to your devices in several ways, which is why we recommend closing the loop on the main characteristics of your device. Always keep the operating system up to date and be sure to use antivirus technology – it’s not just for your computer. When downloading applications, only do so from the official stores (App Store/Google Play). Never download something directly from the internet where hackers can embed malware in apps offered for free. Finally, enable the encryption option on your phone, which makes it difficult for cybercriminals to recover your data if you lose your phone.
  • Protect your social media identity – With 50 percent of people using public and open social media accounts, the need for increasing cyber-consciousness has never been more important. Consumers need to understand how where they are logging in from and which devices have access to their information impact their ability to keep their accounts safe. Enabling notifications for unrecognized login alerts can also help manage these risks better.

Robert Meyers

Robert Meyers is the Channel Solutions Architect at One Identity.

“2020 was a very tumultuous year, and in privacy, some good things happened, and some bad things happened. On the good side, we had the NIST Privacy Framework 1.0, and on the bad side, breach after breach, let alone things that aren’t directly privacy related. The problem with privacy programs is there is too much that comes under the category of privacy, and a lot of people don’t understand what that means. 2021 is a year starting with hope: privacy professionals finally have some simple tools.”

“When building privacy programs it’s imperative to utilize the new tools, like the NIST Framework to build a privacy program, and build strong cybersecurity programs around privileged accounts, control data access, and implement least privilege management tools. While doing this, remember this is part of the privacy program too. With good things on the horizon and the tools available to make understanding privacy easier, 2021 starts as a year of hope. With the NIST Framework privacy programs, privacy professionals and people who are interested in privacy now have a checklist. This is something we’ve never had at this level before, which makes the future look clear for the first time since privacy programs began.”

Adrian Moir

Adrian Moir is Technology Strategist and Principal Engineer at Quest Software.

“With a change in working practices comes an opportunity to look closer at the impact of data privacy and privilege. With a distributed workforce, there are issues surrounding differing threat vectors and data usage that may compromise data privacy. While an organization can have a robust data protection and privacy policy, a substantial change in work practices can, overnight, impact that policy such that it’s no longer effective. Consider, now that you may have hundreds or thousands of workers at home sharing their network with devices that do not meet corporate standards: Where do they store corporate data so it’s kept from prying eyes? How do they transfer that data, share data with other homeworkers? What’s the exposure of ‘just use a cloud storage solution to share data’? Sharing data and data use become simpler to do, but that can lead to not only data breaches but breaches in privacy policies too. Who can access what data, who can use what data, and how can be changed with just a few clicks. Human involvement has a lot to do with a level of data or privacy breach.” 

“As your home workers become more adept at using new services and techniques to share data, they increasingly become a target for bad actors. Now your threat vectors are distributed like your workforce, except your workforce are unlikely to have enterprise-grade protection of their home infrastructure. It’s important to educate your workers and reinforce your data protection and privacy policies, and provide the solution deemed suitable to sustaining the new working culture, so workers don’t need to or will not fall outside of your desired policy. Make this an easy thing for your workers so that the uptake is swift but controllable.”

Steve Grewal

Steve Grewal is CTO, Federal, at Cohesity.

“To better address the challenges of data privacy regulations and customer concerns, organizations need to adopt a data-first mindset. This means prioritizing and investing in the management and protection of data in a manner that effectively balances the intrinsic business value of data with the needs and rights of customers and consumers.” 

“Consumers and customers expect to be informed of how their data is being used and protected. This is a significant challenge for all organizations, and it will require greater collaboration between the individuals tasked with providing data security, privacy, and compliance to meet these expectations and enhanced regulations.” 

“Greater levels of collaboration, scrutiny, and the adoption of modern data management technologies and strategies will be needed to better protect the data organizations have been entrusted with.” 

Marc Laliberte

Marc Laliberte is Sr. Security Analyst at WatchGuard Technologies.

“User privacy has been crumbling for years. Each new security breach and data dump further chips away at what little privacy does remain. Adding to the challenge is the fact that connected devices are far more intertwined in our lives than ever before. We rely heavily on digital assistants such as Alexa or Siri, smart home management products, wearables, and more. While these technologies do make our lives easier, the privacy and security risks are undeniable.

Corporations use advanced machine learning algorithms to correlate the data that smart devices collect and amass troves of information about us. These algorithms help them quantify and analyze our behavior and even influence our actions through advertisements and personalized social media feeds. Worse yet, they often sell our data to third parties behind the scenes. Cybercriminals present further risks. Attackers can leverage user data stolen from corporations, or collected from any number of public-facing pages on the internet, to mount effective spear-phishing campaigns against us, crack our passwords, and more.

The risks are high and growing more so with each passing year. But society has realized that giving companies so much insight into our lives is neither healthy nor safe, and is beginning to turn the tide. GDPR and the CCPA are perfect examples of countries and states putting more pressure on businesses to protect users’ data and privacy. To expedite an even broader commitment to privacy, we believe users will finally revolt en masse and force into existence new privacy regulations for social media services, connected devices, and more. In the meantime, everyday users should continue to acknowledge that privacy is a significant issue, restrict the type of information they share online or with smart devices, and keep an eye out for attacks that might leverage their own personal data.”

Thank you to these experts on Data Privacy Day 2021!

Ben Canner