Part 2: Top Cybersecurity Experts Raise Awareness for Responsible Data Privacy Practices

This year’s initiative on Data Privacy Practices highlighted the state of the global data privacy landscape, examining it through the lens of the pandemic and other major events that have impacted and disrupted the way people live, work and interact.

Key themes for Data Privacy Day 2021 encourage consumers to “Own Your Privacy,” while urging businesses to “Respect Privacy.” Both themes reinforce NCSA’s focus on raising awareness about data privacy best practices through messaging, content and speaking engagements that will educate consumers about owning and controlling the data they generate, while advising businesses about the importance of respecting consumers’ privacy and keeping their personal information safe.

As part of our extended coverage for National Data Privacy Day, we spoke to leading cybersecurity and data management experts. These experts shared their views on how people can keep themselves and their data safe, and how to build a culture of accountability, transparency, and a commitment to fair and legitimate data collection practices that will ultimately lead to enhanced public trust and better brand reputation.

Tim Wade, Technical Director, CTO Team at Vectra:

“It is not by accident that social considerations of privacy have been at the center of the pursuit of justice, equity, and freedom as it relates to civil liberties and rights.  And as organic and digital existence converge, this continued frontier increasingly becomes anchored to how the data and digital footprints created by individuals are both respected and protected – by individuals themselves, and the awareness they bring to the importance of this matter, and by the organizations and institutions that come to steward what ultimately must still belong to its creator.

Too often, discussions of personal privacy tend to inject tension between the protections of an individual against the protections of society at large.  In reality, the erosion of personal protections for privacy are also erosions against the protections of society at large; undermining the protection, safety, and security of individual privacy degrades the cultural and social fabrics of trust, liberty, and fairness to the detriment of that society.  And as such, the erosion of the privacy of others around us is, in effect, erosion of our own wellbeing.

If there is a call to action on this topic, it is that we must be open eyed about the importance of data privacy – for ourselves, and for others – and that the choices we make will directly affect our lives and our livelihood, and the social fabrics we pass to the next generation.”

Rita Gurevich, Founder and CEO, SPHERE Technology Solutions 

“In the enterprise world, there is an increased focus on protecting data from internal and external threats, especially across highly regulated corporations. Safeguarding sensitive data, including your employee and customer data, is not a “should do” concept anymore but a “must do” directive coming from the top. Whether its regulatory bodies or internal auditors enforcing the proper data privacy and data protection practices, the repercussions financially and from a reputation perspective, are reason enough for companies to focus their attention to implementing a Least Privileged Access model.

Proactive measures, such as ensuring only the appropriate personnel have access to only the data they need to perform their job functions, is a central theme. Cleaning up the mountains of inappropriate entitlements is step 1 and many organizations are recognizing that this foundational requirement is not as easy as it may superficially seem but a mandate that must be achieved.

We predict that organizations will start to go back to the basics and fine tune their practices for basic inventory of all their data repositories with more in-depth analytics on the state of their access controls. Remediation and ongoing certification of entitlements will expand in coverage, automation will be critical, and the onus on the business to partake in these processes will be more of a business-as-usual expectation. This is actually a positive effect and forces not just IT and Security teams to accept this onus and will create a culture of Security First across all business units within an organization.”

Dirk Schrader, Global Vice President at New Net Technologies (NNT):

“Users, consumers have far too often that notion of “I have nothing to hide” or “How much can they do with my data?” The inconvenient answer is “a lot” as there are many ways of using the gender, the age, the location (inferred from the IP address) can influence what kind of services are marketed, how often a user sees an ad just to name some less nefarious examples. This kind of profiling might seem harmless but overall it enables businesses to select which products, which services they offer and a what price levels. That is why the call to action for individuals “Own You Privacy” deserves a lot of Kudos.

For businesses analyzing the data they collect about users and consumers, the calls for Protection and Transparency should ring loud in the ears of those at the top. If data is the verbatim ‘new oil’ for digitalized business models, should a business not be doing its utmost to protect that from being stolen, copied, encrypted for a ransom. And if it is transparent about those data processing processes in place (the how’s and why’s), it not only earns some trust, but it also enables itself to protect the different processes according to their criticality for the business. And they should not stop to dig deeper in that transparency – at least for their internal purposes – and collect information about the systems in use for that processing, the status of these, how vulnerable they are, how often unexpected changes happen to them. That will build the solid base needed to protect the business process, which will help to protect the data of consumers, which will increase the trust of those consumers in the company, and – finally – make it easier for them to share more details with a trusted organization.”

Brendan O’Connor, CEO and Co-Founder at AppOmni:

The way organizations store data has shifted rapidly to the cloud. At the same time, SaaS vendors that house sensitive data have grown in scope and complexity. They have evolved into complex platforms that provide access not only to internal users, but also to external users, 3rd party apps, contractors, and managed service providers. In short, there are now many more access points to data housed in the cloud. Unfortunately, these relatively new access points are often unknown, or simply overlooked, by enterprise security teams. This has created a massive opportunity for attackers to exploit these applications, which is why we’ve seen so many successful hacks in recent weeks and months. To ensure data privacy for everyone, security teams need to take ownership of data governance in cloud applications.

Specifically, organizations need to:

• Have visibility to which 3^rd party applications have access to their data, and actively manage that access on a continuous basis
• Ensure that external users have the appropriate level of access to data. AppOmni has found that external users are over-provisioned and have access to sensitive data in over 95% of enterprises
• Continuously review the permissions for internal users and ensure that they are not able to inadvertently expose sensitive data

Mohit Tiwari, Co-Founder and CEO at Symmetry Systems:

“You need not give up data privacy so that organizations can thrive off of personalized advertising or by hosting customer data in a Software-as-a-Service (SaaS) application. Road safety is a great example where protocols and training sets appropriate expectations among drivers, bikers, pedestrians, etc. Similarly, there is considerable research and new commercial tools for organizations to measure how customer data is used internally and safeguard it — and the recent exodus towards Signal shows that respecting customer privacy can actually be good for business.

Imposing reasonable fines is indeed a good way to make measuring and improving data risk a board-level priority. And this can only be good for both customers and enterprises that host their data.”

Joseph Carson, chief security scientist and Advisory CISO at Thycotic:

“Data privacy will, and already is, evolving into a Data Rights Management issue.

Citizens’ privacy will continue to be under the spotlight in 2021. The end of privacy as we know it is closer than you may think. Privacy definitions are very different between nation states and cultures, however, one thing that is common is that privacy is becoming less and less of an option for most citizens. In public and online, almost everyone is being watched and monitored 24/7 with thousands of cameras using your expressions, fashion, walk, directions, interactions, and speech to determine what you need, what you might be thinking, who you are going to meet, who is nearby, and even algorithms that determine what your next action might be.

Regulations will continue to put pressure on companies to provide adequate cyber security measures and follow the principle of least privilege to protect the data they have been entitled to collect or process.

I believe the big question, when it comes to data privacy, is “How is citizens’ data being used, collected and processed?” Ultimately data privacy will evolve into Data Rights Management which means rather than giving up personal data for so called free use of internet services, citizens should and can g******* for allowing their personal data to be used for marketing purposes. It will become more about how the personal data will be used, and what monetization is resulting from the data.  In the future everyone will become an influencer this difference is how much is it worth.”

Heather Paunet, Senior Vice President at Untangle:

“Data Privacy Day is a date well worth noting for businesses of all sizes.  It is easy to let a whole year go by after performing an assessment of data access privileges and user access privileges. Having a ring on the calendar is a reminder that puts the importance of this assessment back top of mind once a year.

Software providers can use this day to review new features they are planning to deliver within the next six to twelve months and make sure that GDPR and similar requirements are included as part of the implementation.

Businesses can also review their own IT policies.  IT departments should review who has access to different types of data and remove access from anyone that doesn’t have to have that access. In a year, employees’ roles within a company can change and their responsibilities and what they need access to may also change.

Data privacy is not only about stopping data from being stolen, but it’s also about trust of the information that we access and use in good faith.  If someone’s personal information can be stolen and used such that that person’s identity could be misrepresented, that can cause widespread knock on effects of misinformation.  For example, the Twitter accounts of Barack Obama, and Jeff Bezos were hacked in 2020.  Someone with their Twitter accounts would have the ability to reach and influence millions of people who have trust in the things they tweet.”

Tom Pendergast, Chief Learning Officer, MediaPRO 

“The essence of Data Privacy Day to me is the realization that data privacy is everyone’s responsibility. From the boardroom to the loading dock, everyone has a role to play. From a training and awareness perspective (where I come from), one of the best ways to do this is to provide education that employees can use both at work and at home.

For the majority of employees, many of the attributes of the sensitive data they handle as part of their job should be recognizable when it comes to keeping their own information secure. When an organization goes about educating their employees on their own data privacy requirements, I’ve seen success using a “golden rule” approach. That is, telling employees to treat the data they handle as part of their job the same way they’d want their own data treated. This more personal approach makes privacy more “real” and less theoretical.  Most employees do need to know the letter of the law. What’s often best is taking a principles-based approach to data privacy that they can use both at work and at home.

Whether you plan to recognize Data Privacy Day on just Thursday, January 28, or extend it into the entire week, this occasion is the perfect opportunity to reinforce the importance of handling sensitive data with respect, no matter where it’s found.”

Isabelle Dumont, Vice President of Market Engagement at Cowbell Cyber

“The digital footprint of people and businesses has expanded exponentially over the past year because of the pandemic and remote work. We spend more time online, connecting through video conferences, shopping on e-commerce sites, or sharing stories in online communities. Data Privacy Day in 2021 is a great reminder and an opportunity for all to assess and fine-tune how they engage online so that both personal and professional information remain safe.”

NCSA has compiled a set of tips and best practices for consumers and businesses alike to keep in mind ahead of, during and beyond this year’s Data Privacy Day:

ADVICE FOR CONSUMERS: OWN YOUR PRIVACY:

• Personal info is like money: Value it. Protect it. Personal information, such as your purchase history, IP address, or location, has tremendous value to businesses – just like money. Make informed decisions about whether or not to share your data with certain businesses by considering the amount of personal information they are asking for, and weighing it against the benefits you may receive in return.
• Keep tabs on your apps. Many apps ask for access to personal information, such as your geographic location, contacts list and photo album, before you can use their services. Be thoughtful about who gets that information, and wary of apps that require access to large amounts of personal information. Delete unused apps on your internet-connect devices and keep others secure by performing updates.
• Manage your privacy settings. Check the privacy and security settings on your websites and apps and set them to your comfort level for information sharing. Each device, application or browser you use will have different features to limit how and with whom you share information. Get started with NCSA’s Manage Your Privacy Settings page: https://staysafeonline.org/stay-safe-online/managing-your-privacy/manage-privacy-settings/

ADVICE FOR BUSINESSES: RESPECT PRIVACY

• If you collect it, protect it. Data breaches can not only lead to great financial loss, but a loss in reputation and customer trust. Follow reasonable security measures to keep individuals’ personal information safe from inappropriate and unauthorized access. Make sure the personal data you collect is processed in a fair manner and only collected for relevant and legitimate purposes.
• Conduct an assessment of your data collection practices. Understand which privacy laws and regulations apply to your business. Educate your employees of their and your organization’s obligations to protecting personal information.
• Consider adopting a privacy framework. Build privacy into your business by researching and adopting a privacy framework to help you manage risk and create a culture of privacy in your organization. Get started by checking out the following frameworks:
  • NIST Privacy Framework
  • AICPA Privacy Management Framework
  • ISO/IEC 27701 – International Standard for Privacy Information Management
• Transparency builds trust. Be open and honest about how you collect, use and share consumers’ personal information. Think about how the consumer may expect their data to be used and design settings to protect their information by default. Communicate clearly and concisely to the public what privacy means to your organization and the steps you take to achieve and maintain privacy.
• Maintain oversight of partners and vendors. If someone provides services on your behalf, you are also responsible for how they collect and use your consumers’ personal information.

Becoming a Champion

The Data Privacy Day Champion program is a way to show support. Champions represent those dedicated to empowering individuals and encouraging businesses to respect privacy, safeguard data and enable trust. Being a Champion is easy and does not require any financial support. Champions include:

• Companies and organizations of all sizes
• Schools and school districts
• Colleges and universities
• Nonprofits
• Government organizations
• Individuals

[To share your insights with us, please write to sghosh@martechseries.com]