Top Security Experts Provide Insights on National Data Privacy Day

It’s National Data Privacy Day today. Gaps in security postures can weigh down businesses, marketing and sales companies and ad agencies. In an era when businesses are emphasizing on Big Data management and analytics, this holiday is a reminder for everyone to look into practices that make regulations all the more important. Every business owner is asking one or more of these questions to their data management and security teams:

What do Apple’s latest string of iOS security protocols mean for Marketing and Advertising teams?

What does a ‘post-cookie’ world mean for the industry?

How would Joe Biden’s election to power in the US help enhance privacy in an IoT world? For some, the headlines on President Joe Biden’s IoT devices in the Whitehouse such as Peloton and FitBit is causing controversy — why data privacy policy matters for IoT device makers and how it can drive market differentiation.

According to a new survey by iProov, three quarters of respondents have had to change their password due to a security or data breach. That’s up over 10% from last year.

Additionally, more than two thirds of respondents have had to change their password two or more times due to a data breach.

This is especially relevant now, as the global pandemic has forced people to live and work in a more digital centric world, where password and digital security are more important than they were in years before.

The survey also reveals that:

• 95% of respondents care about their data privacy
• 2/3 of respondents are annoyed by having to change their password
• 25% of respondents feel like they have no control over their data privacy

Despite tall efforts and honesty in policy enforcement, there is a lot that needs to be taken care of.

Amy Yeung, General Counsel & Chief Privacy Officer at Lotame, believes we’ve lost the plot on data privacy. Amy states that –

“Data Privacy Day turns 40 this year, and with every entry to a new decade, it offers a good time to reflect and rethink. The increased advocacy and education of data privacy worldwide deserves celebration, but, our policies are creating unintended outcomes. The emphasis on consumer consent, while good intentioned and important, neglects to account for the operational aspects of data definitions, collection and combination. This is where we’ve lost the plot as a privacy community. Disclosures don’t change industry behavior nor do they make it easier for consumers. We need more voices in our debate, outside the legal community, and within and across businesses to make real change and do right by consumer privacy.”

Security in the Age of Machine Learning Algos

Marc Laliberte, Sr. Security Analyst at WatchGuard Technologies said that;

“User privacy has been crumbling for years. Each new security breach and data dump further chips away at what little privacy does remain. Adding to the challenge is the fact that connected devices are far more intertwined in our lives than ever before. We rely heavily on digital assistants such as Alexa or Siri, smart home management products, wearables and more. While these technologies do make our lives easier, the privacy and security risks are undeniable.

Corporations use advanced machine learning algorithms to correlate the data that smart devices collect and amass troves of information about us. These algorithms help them quantify and analyze our behavior, and even influence our actions through advertisements and personalized social media feeds. Worse yet, they often sell our data to third parties behind the scenes. Cybercriminals present further risks. Attackers can leverage user data stolen from corporations, or collected from any number of public-facing pages on the internet, to mount effective spear phishing campaigns against us, crack our passwords and more.

How CCPA and GDPR put Pressure on Businesses

The risks are high and growing more so with each passing year. But society has realized that giving companies so much insight into our lives is neither healthy nor safe, and is beginning to turn the tide. GDPR and the CCPA are perfect examples of countries and states putting more pressure on businesses to protect users’ data and privacy. To expedite an even broader commitment to privacy, we believe users will finally revolt en masse and force into existence new privacy regulations for social media services, connected devices and more. In the meantime, everyday users should continue to acknowledge that privacy is a significant issue, restrict the type of information they share online or with smart devices, and keep an eye out for attacks that might leverage their own personal data.”

Remote Workplace and Devices Under Attack

Attackers know these weak password practices are widespread and, with so many employees working from home as a result of the COVID-19 pandemic, cybercriminals have targeted the less secure systems of these remote workers. Acronis analysts observed a dramatic increase in the number of brute force attacks during 2020 and found that password stuffing was the second most used cyberattack last year, just behind phishing.

Cloud-based Solutions Affected by Multi-Layered Security Attacks

“The sudden rush to remote work during the pandemic accelerated the adoption of cloud-based solutions,” explains Candid Wüest, VP of Cyber Protection Research at Acronis.

Candid added, “In making that transition, however, many companies didn’t keep their cybersecurity and data protection requirements properly in focus. Now, those companies are realizing that ensuring data privacy is a crucial part of a holistic cyber protection strategy – one that incorporates cybersecurity and data protection – and they need to enact stronger safeguards for remote workers.”

Identity Access and Management is no Longer Separate from Cybersecurity 

According to Nathanael Coffing, CSO, of Cloudentity says, “Identity Access and Management (IAM) and security are no longer separate facets of an organization and must be treated holistically. According to 2019 data from the OWASP Foundation, seven out of the top 10 security vulnerabilities for APIs are related to identity. This shows that for the technology industry at large, the era of managing identity outside of cybersecurity is over. API security is a foundational element in today’s app-driven world and all of them need stronger more granular methods of transactional authorization. The risk is palpable as we’ve seen from the dozens of API breaches this, if an API is poorly written, Object or function level authorization issues provide programmatic data leakage to an attacker.  An example of this going wrong is Cambridge Analytica, where Facebook’s API exposed raw data from more than 87 million Facebook users which was then exploited by the political consulting firm. If organizations don’t take control of their API security, we will see more large-scale data breaches in 2021.

Phil Acton, Country Manager, UK & BeNeFrance, Adform says, “Chrome’s plan to switch off third-party cookies in the name of user privacy is definitely starting to loom on the horizon with the initial two-year window it suggested meaning sometime towards the end of 2021. Without a sustainable identity solution to replace the cookie when Google makes the change, large parts of the advertising ecosystem will cease to function as they do today. This year’s Data Privacy Day is a stark reminder that the industry has less than a year to scale a viable solution.

“There is a lot of noise around identity, but now is the time to stop talking and take action – we must collaborate to achieve a future-proof solution to the identity crisis.  Consumer-facing parties that can directly collect user consent and create first-party or log-in IDs provide the answer – it cannot be solved by intermediaries who only provide a technology or solution layer. With log-in IDs a challenge to scale, first-party IDs are the most effective way to utilise identity solutions, while still maintaining user privacy.

“At the end of 2020, the industry took a significant step forward with the announcement of the general availability of a neutral, community-owned, open-source identifier known as SharedID, which provides the first real substitute for the third-party cookie. Adform’s approach is to be agnostic in terms of working with all IDs, but we are fully supportive of the SharedID as an identifier and were one of the first providers to go live with it. That said, with other viable identity solutions likely to emerge, the industry needs fully flexible technology stacks that enable transactions on all compliant IDs without prejudice to one or the other.”

Apple and Google Set New Security Benchmarks

Nick Flood, Global Commercial Operations Director, Future Plc says,

“Last year the advertising industry saw the GDPR’s second anniversary, witnessed Apple diminish its IDFA, and started to prepare for Google’s impending removal of the third-party cookie from Chrome. Clearly, data protection will, and must, remain a priority in 2021. As the industry grapples to truly progress and to stay ahead of upcoming privacy regulations, publishers and brands must proactively provide clarity and transparency to their readers through a fair value exchange; providing them with relevant, engaging experiences in return for their data.

“Digital publishers must prioritize the diversification of their monetization strategies and seek alternative ways to support both advertiser and reader needs, such as utilizing first-party data, adopting universal IDs or exploring ecommerce and subscription-based content. Meanwhile, brands striving to deliver tailored and effective campaigns should look to transform their business models by utilizing data-driven insights and building strong media partnerships. Only then can publishers and brands help build a sustainable ecosystem with privacy at its core, while giving consumers quality experiences and complete control over their data.”

Filippo Gramigna, Strategic Advisor, Audiencerate says, “Data Privacy Day 2021 feels more important than ever before, coming amidst a tidal wave of changes around the privacy landscape. Cookies are still expected to be on their way out, but already in 2021 we are seeing changes in the conversation, brought on by several global regulatory investigations into competition concerns.

“With the increasing number of privacy committees and guidelines – from the CCPA and NYPA in the US, to the IAB TCF v2 framework in Europe, as well as the DMA, DSA and ePrivacy regulation –  there is a growing need for data players to take a more localised approach to their data assets on a regional or country basis. By doing this they reduce the increasing risk of non-compliance and maximize the use of data to the extent permitted by the law.

“As the industry adapts to regulations and plans beyond the third party cookie, there will be a growing focus on first party data; brands and publishers can expect evolved solutions  that can help and support them through the data onboarding, modelling, activation and analytics stages, all in one centralised platform. Of course, the post-cookie landscape is still developing, but being able to utilise tools like these could provide a surefire way to activate and act upon granular data, in addition to the rise of contextual targeting. The demise of the cookie doesn’t mean the end of user targeting, it signals a new opportunity for data activation with privacy at its core.”

Jürgen Galler, CEO and Co-Founder of 1plusX  says, “The shift from cookie-based targeting reaffirms the industry’s efforts to keep consumers in control over their data, and businesses that prioritize compliance through their offering will be better placed to build trustworthy relationships with their consumers. Strengthening first-party data strategies and processes will be crucial in a cookieless environment. This includes ensuring transparent mechanisms for user consent are in place and leaning on technologies that can secure the integrity of data collection and sharing through best practice such as anonymization, making sure that different data sets are not merged and are fully traceable by their sources.

Ultimately, consumer data is a vital commercial asset for every organization that operates in the digital space, and safeguarding this asset is not only a necessity from a “good business” perspective but also for supporting a more responsible and accountable approach to digital innovation.”

Data Privacy Critical to Digital Lives

Mike Kiser, Senior Identity Strategist, SailPoint says, “In the past year, consumers and enterprises alike elevated data privacy to a critical requirement for their digital lives—rising as an indicator of health and a safeguard against the risk of exploitation. This ‘assessment of health’ currently plays a role on both the individual and societal levels:

• On the individual level, users are shifting rapidly to systems and applications that ensure their privacy. Enterprises such as Apple are beginning to emulate nutrition labels with their online store applications, providing end-users the opportunity to make ‘healthy’ choices. If there was any question about individual’s desire for privacy, the recent shift from WhatsApp to other messaging platforms such as Signal and Telegram (as many as 1.3 million in a single day) demonstrates that how identity data is protected is a key feature for the public at large.
• On the societal level, while nations such as the United States wait on the creation of national privacy regulation, the discussion around data privacy is currently being driven by the worldwide pandemic. Covid19 and the subsequent vaccination initiatives raise new questions about the intersection of societal health and individual privacy. Covid19 contact-tracing applications present challenges for privacy; a trade-off is being made that exchanges some individual data to protect the population at large. A similar choice exists as vaccination becomes more widespread: how do you prove that you’ve been vaccinated without revealing more identity data than necessary? Organizations such as the Vaccine Credential Initiative seek to answer these questions in a standardized way (but these solutions raise questions of fairness and access to technology, which were already issues that surfaced by the pandemic). Data privacy, then, has expanded its impact over the last twelve months, rising to become a ‘vital sign’ for the health of both society and individuals.”

Calum Smeaton, CEO, TVSquared says, “With viewers watching across different platforms and devices, “TV” is now the convergence of linear and OTT – it’s a digital channel. The information available through smart TVs, subscription services and other platforms also makes the TV industry an important player in the move toward greater protection of personal data. Encompassing linear and streaming, TV is in a unique position to lead the narrative around consumer choice and control, as well as the way data, especially personal information, is managed, processed and accessed.”

Phil Acton, Country Manager, UK & BeNeFrance, Adform says, “Chrome’s plan to switch off third-party cookies in the name of user privacy is definitely starting to loom on the horizon with the initial two-year window it suggested meaning sometime towards the end of 2021. Without a sustainable identity solution to replace the cookie when Google makes the change, large parts of the advertising ecosystem will cease to function as they do today. This year’s Data Privacy Day is a stark reminder that the industry has less than a year to scale a viable solution.

“There is a lot of noise around identity, but now is the time to stop talking and take action – we must collaborate to achieve a future-proof solution to the identity crisis.  Consumer-facing parties that can directly collect user consent and create first-party or log-in IDs provide the answer – it cannot be solved by intermediaries who only provide a technology or solution layer. With log-in IDs a challenge to scale, first-party IDs are the most effective way to utilize identity solutions, while still maintaining user privacy.

“At the end of 2020, the industry took a significant step forward with the announcement of the general availability of a neutral, community-owned, open-source identifier known as SharedID, which provides the first real substitute for the third-party cookie. Adform’s approach is to be agnostic in terms of working with all IDs, but we are fully supportive of the SharedID as an identifier and were one of the first providers to go live with it. That said, with other viable identity solutions likely to emerge, the industry needs fully flexible technology stacks that enable transactions on all compliant IDs without prejudice to one or the other.”

Ross Nicol, VP EMEA, Zefr says,

“Conversations around data protection and privacy have gained considerable momentum over the last year, with tougher browser restrictions and consumer concern over the use of their personal data hitting the headlines. Advertisers are therefore re-evaluating how they target consumers online in the long term, ahead of a cookie-less future.

“Contextual ad-targeting tools are fast adapting to the more nuanced needs of brands, who are increasingly unsatisfied with the limited engagement traditionally achieved through the use of block lists – despite the brand safety benefits. Today, there exists a greater understanding about finding a balance between brand safety and data privacy, and maximizing reach and ROI. A focus on finding placements that are suitable for ads rather than overzealous constraints on inventory has proven to be a highly effective means of low-risk targeting.

“What’s more, the application of brand suitable targeting technology doesn’t always have to leverage personal data and third-party cookies in order to be effective. Instead, we are seeing other robust measures emerge, such as additional reviewing processes utilizing human cognition and machine learning; allowing for relevant advertising based around content, rather than relying solely on user preferences.”

Trevor Bidle, CISO, US Signal says, “A major boost in remote workforces over the past year was accompanied by a substantial rise in cybercriminal activity. In 2019, a survey revealed that 83% of organizations were hit with a cyberattack. In 2020, that greatly increased, with more cyberattacks reported in the just the first half of 2020 than the entirety of 2019. This Data Privacy Day is a great opportunity for companies to take heed of these cyber risks and implement a robust data management solution — or update their current one.

Modern data management solutions in 2021 should include disaster-recovery-as-a-service (DRaaS) and automatic data backup archive-as-a-service (AaaS). AaaS benefits from the ability to render data immutable to protect it from cyberattacks — and securely store data without increasing bandwidth costs.

These solutions should also incorporate vulnerability management tools. Traditionally, these tools were programmed to be reactive. However, best-of-breed solutions should utilize threat intelligence to become proactive and identify and prioritize vulnerabilities dependent on their criticality. This allows companies to recognize their systems’ weak points and rectify them before the cybercriminals spot them.

In 2021, data center providers should provide data management solutions that offer an array of features, including the traditional and the innovative, to ensure that a company’s data is protected regardless of the attack method the cybercriminal chooses. As the danger of cyberattacks continues to grow in the new year, it is important to revisit your data management and security approaches to keep one (or more steps ahead) of digital adversaries — and ensure data privacy for your employees and customers.”

Laurent Fanichet, VP of Corporate Communications, Sinequa says, “We understand that for some organizations, data privacy requirements like GDPR and CCPA can feel like a burden, however necessary. Still, we caution businesses to avoid the trap that compliance requirements are antithetical to using enterprise data to gather valuable business insights. As privacy and protection regulations continue to evolve, Data Privacy Day is a reminder to companies that creating a comprehensive view of all enterprise data is necessary to maintaining compliance. You cannot protect what you cannot see. Especially in a remote work environment, it is imperative to recognize the differences between strong governance practices that protect data, and the insight mechanisms needed to leverage the data into broader insights that have direct benefit to business growth. This is exactly where technologies like intelligent search and natural language processing are even more critical in helping workers to consistently find, evaluate, associate, and retrieve information across business units, while protecting and sustaining the highest levels of data privacy.”

New Legislation Such as California’s AB685 Order

Sam Humphries, security strategist, Exabeam says, “With organizations considering ‘immunity passports’ to get employees safely back to work, companies are going to have to maintain a delicate balance between protecting the health and privacy of their teams. New legislation such as California’s AB685 order – which mandates employers must tell workers in writing that they may have been exposed to the virus – requires businesses to establish an exposure notification system or face a fine. Naturally, some employees might be concerned about data privacy in the workplace and personal health data being exposed. On this year’s Data Privacy Day, I would encourage employees to tackle this problem head on as we all look forward to getting employees back into the office. In order to alleviate an employee’s worry about health information being revealed, be sure to be transparent about data monitoring and craft policies for employees that are accessible either through paper or digital training. Reassure the team that exposure notification will not violate HIPAA and all names will remain anonymous. Content on the process should avoid confusing jargon and feature an appropriate contact person who can answer all questions.

Companies also need to make sure that exposure notification systems are compliant with not only AB685, but  data privacy regulations such as CCPA, GDPR and HIPAA. Utilizing existing technologies in their arsenal such as security analytics, organizations can establish exposure notification without the need for additional investment or worry about breaking compliance laws.

This particular approach will help organizations identify individuals’ movement around the physical office based on Wi-Fi connections, scans, etc. – and determine who may have been exposed.

Without naming the individual who has the virus, companies can make sure employees know when to quarantine and w*************. The path forward back to the office from COVID-19 must include data privacy.

Data Privacy Day should serve as a reminder that even when things go back to some semblance of ‘normal,’ it is good to be open and honest with employees on current privacy policies.

Regular audits should also be conducted during this time, like when new laws such as the AB685 extension emerge. This will reassure skeptical employees that both their health and digital data are protected, while the organization is also being safeguarded.”

Jay Ryerse, VP of Cybersecurity Initiatives, ConnectWise says, “The age of data privacy and security is now. We are continuing to educate colleagues and our customers that data privacy should be built into everything we do. Service providers need to fully immerse themselves into the threat landscape and the best practices associated with securing data. Without cybersecurity, there is no such thing as privacy. This deep dive includes the governance aspect of data protection as well as the technical and physical controls necessary for the confidentiality, integrity, and availability of data. Consumers and businesses need to start asking the tough questions of their vendors. They need to understand the supply chain for the services they outsource and what those companies are doing to provide the best in class cybersecurity protections. If those vendors don’t believe they are at risk, then it may be time to find a new provider.”

As Email Marketers, We Need to Shift Our Understanding of Consent From Permanent to Dynamic

Josh Odom, CTO, Mailgun says, “In honor of Data Privacy Day 2021, it’s time we broke down the most prominent privacy regulations and how they play into the data-saturated world of email marketing.  The EU’s General Data Protection Regulation (GDPR) covers several lawful bases for data processing, and consent is one of them.

As email marketers, we need to shift our understanding of consent from permanent to dynamic. This means that consent under GDPR is specific to the activity. We must ask ourselves: do I have permission to send marketing messages to them? Are they expecting my emails?

Even a scammer would need my explicit consent to continue sending me spam. While this might frustrate email marketers, customers must also have the option to withdraw consent (objecting to use of information for d***************) if they decide they don’t want to hear from you anymore. But why would you want to talk to someone who isn’t interested in what you have to say anyway? The requirements for the U.S.’s California Consumer Privacy Act (CCPA) echo the importance of consent.

Email marketers must be explicit about any information collected or sold from the exchanges with the California-based contact — and work with their sales teams to ensure that contact receives the same quality service at the same price as all prospects, regardless of their privacy decisions. Whether you’re looking to optimize your GDPR and CCPA compliance or just getting started in email marketing and want to ensure you’re on the right path, prioritizing steps into actionable pieces is the way to go. Confirming consent with existing contacts and protecting data with proper security measures can seem overwhelming, but when in doubt don’t hesitate to reach out for advice or to a lawyer that specializes in data protection.

At the end of the day, what matters is keeping your contacts informed at all times of what’s being done with their information. Having a trail of documentation that you can show to prove this will prepare you in case you’re audited for compliance purposes. There is no one-stop shop for achieving compliance, but we hope these tips will help our email marketing friends this Data Privacy Day — and far beyond.”

Ransomware and Phishing Attacks Have Grown Exponentially

JG Heithcock, GM, Retrospect, a StorCentric company says, “According to IBM, the average cost of a data breach in 2020 was $3.86 million. After a year rife with economic uncertainty, massive shifts of data to the Cloud and an increase in remote workers, ransomware and phishing attacks have grown exponentially. Cybercriminals have leveraged information about COVID-19 testing, research and vaccine rollout to lure victims with phishing attacks, increasing the attack surface faced by organizations who might be operating with lean teams and limited resources.  As business leaders look to secure their data, an arsenal of standard practices will protect sensitive and important information from ransomware and other cyberattacks. By maintaining proper password hygiene and vigilance around suspicious email addresses, requests and links, employees can reduce the risk of phishing and other data privacy violations. When organizations incorporate the added layer of maintaining an effective backup strategy with a 3-2-1 backup rule, organizations are better equipped to store sensitive information, which can be recovered quickly, easily and safely to avoid disruption.”

Surya Varanasi, CTO, Nexsan, a StorCentric Company says, “In 2020, organizations were forced to rapidly shift to remote work models in response to COVID-19. As we contemplate safe returns to the office, many organizations will explore either full or hybrid remote work options for this year and into the future. With an increased reliance on the cloud and a distributed enterprise, new challenges are brought on by an expanding threatscape spurred by cybercriminals looking to exploit the pandemic for their gain.  In order to fight the mounting threats and protect their data, organizations must combine known best practices with modern technology. Once those are in place, incorporating unbreakable backup solutions will serve as a last line of defense, allowing organizations the ability to recover, maintain uninterrupted operations and avoid paying ransoms should they be attacked. This way, sensitive information is kept safe and business continuity remains intact.”

Protection of Sensitive Data Has Become More of a Shared Responsibility Across the Company

James Carder, CSO of LogRhythm says, “In the wake of COVID-19 remote work cybersecurity concerns and the high-profile SolarWinds hack, we’ve seen security elevate in importance and the protection of sensitive data has become more of a shared responsibility across the company. Organizations are realizing that IT and security teams aren’t the only ones with something to lose in the event of a breach; the whole business is at stake. The board doesn’t want to risk a security breach or be found negligent based on a lack of investment in security.

With more and more companies experiencing breaches and people’s personal information being shared with so many businesses, Data Privacy Day serves as an important reminder for organization leaders to acknowledge their shared responsibility for cybersecurity and effective data protection across the entire business. For companies that aren’t currently operating in this way, it is a time for them to take a step back and make a plan to prioritize it in 2021.

For consumers, it is a time to develop a better understanding of how companies are using their data. Just a few weeks ago, WhatsApp updated its privacy policy to state that the company r***************** to share data such as phone numbers, IP addresses, and payments made through the app with Facebook and other Facebook-owned platforms like Instagram. Consider this: if it’s free or low priced, then you (and your information) are the payment.

As we’ve seen with the recent additions and revisions to the California Consumer Privacy Act or CCPA), a U.S. privacy statute that governs residents of California, states are beginning to place more stringent requirements on themselves and businesses operating within their borders to protect their residents’ data. While there is currently no federal data privacy law in the U.S. that compares to the European Union’s General Data Protection Regulation (GDPR), we can expect to see more states step up to lead change in privacy policy in 2021 and beyond that ultimately could influence federal privacy laws.”

Replicating a Secure Environment for Remote Working Devices

Richard Montbeyre, Chief Privacy Officer (DPO), BMC Software says, “In the past year, COVID-19 has had a major impact on privacy and security. With vast majorities of the workforce now logging on to enterprise systems remotely, businesses must maintain confidentiality and ensure that the company is protected from unauthorized access. Replicating a secure environment for remote working devices has therefore become crucial to protecting an autonomous digital enterprise’s assets – such as creating containers within devices that meet company security standards, allowing employees to safely access enterprise systems with personal devices.

Technical means, including VPNs and multi-factor authentication, can also help to protect devices at home, while services and tools such as reporting tools, help lines, and escalation mechanisms, can support employees when it comes to data security. With these adaptive cybersecurity measures in place, any vulnerabilities, breaches or hacks can be detected almost as quickly as if everyone was working in the office.

Ultimately, having strong, adaptive security practices in place can ensure the company’s data privacy is optimized and all sensitive enterprise data is securely stored.

Unfortunately, employees often feel less bound by company security and data protection policies when not in the office – however, it’s vital that they stay vigilant.

Having the right awareness training in place can help improve data security and help employees recognize attacks that target individuals, such as phishing attempts. With a combination of technical measures and situational training, employers can keep awareness levels high and transform the capabilities of remote employees to ensure they still comply with data privacy regulations while working from home.”

People Are Encouraged by GDPR to Challenge the Services They Get, Even Where Provided for Free

Despite the global pandemic, data protection remained a vivid matter for autonomous digital enterprises in 2020, with persistent activism from independent watchdogs and regulators. Data breaches make the news every week, and the order of magnitude of regulatory fines is now in the dozens of millions. People are encouraged by GDPR to challenge the services they get, even where provided for free.

Major political changes such as the Brexit added to the complexity of international data flows, as well as the invalidation of the EU-US Privacy Shield Framework and emerging regulations around the world. As a consequence, privacy risks became a key decision criterion for organizations entrusting personal data to critical services providers, and not just a competitive differentiator.

On top of a mature due diligence process and regular verifications, organizations rely more and more on recognized standards that not only demonstrate their providers’ ability to sustain privacy compliance, but also help in expediting procurement processes. Customers should remain vigilant about the scope of certifications and make sure those effectively apply to the services they’ve subscribed to, as well as anticipating the eventual expiration or loss of such certification.

Widely-recognized standards and certifications include:

• Data Processor Binding Corporate Rules (BCR-P) officially approved by EU regulators;
• ISO Standards for Security and Privacy, such as ISO 27701 for Privacy Management, 27017 for Cloud Security and 27018 for Cloud Privacy;
• System and Organization Controls (SOC) reports for Cloud-based data hosting.

Neil Correa, Cyber Strategist, Micro Focus says, “The willing erosion of personal privacy – Privacy controls will continue to erode, especially among young adults/teenagers. Given that social interactions will be primarily online for the foreseeable future – social media accounts, online d***** portals, location tagging, online banking etc. will provide a wealth of information to build a digital profile of users for businesses and bad guys alike. Users will willingly give up their personal information for a seamless online experience as well as connect their accounts to ease authentication and account/password management.

David McNeely, Chief Strategy Officer, Centrify says, “Beginning the year by observing Data Privacy Day serves as an excellent reminder for organizations to explore the mounting threats to their data and systems, and review the security of their credentials. This year, it’s imperative to note that the exponential growth of non-human identities means human users are not the only identities that can or will have access to sensitive data, often leaving credentials with broad privileges open to compromise.

As the threatscape continues to expand, organizations must realize the importance of securing all identities including humans, machines, services, APIs, etc., which often provide privileged access to sensitive data. Complexities around protecting and securing identities have been compounded by the industry’s mass shift to remote work and disbursement of security teams. Additionally, as modern organizations continue to expand automation’s role in DevOps and cloud environments, organizations must protect their credentials by following best practices to reduce the use of shared passwords, implement multi-factor authentication, strive for zero standing privileges, and adopt a centralized privileged access management (PAM) solution.

Authentication methods such as federation, ephemeral tokens, and delegated machine credentials can also help to reduce the overall attack surface and seamlessly incorporate PAM into the DevOps pipeline. When combined with a least-privilege approach, these best practices and modern solutions can improve an organization’s security posture, minimize the risks of compromised credentials, and ensure data privacy for both the organization and its customers, throughout 2021 and for the long term.”

Acronis and other cybersecurity experts recommend the following best practices:

Multifactor authentication (MFA), which requires users to complete two or more verification methods to access a company network, system, or VPN, should be the standard for all organizations. By combining passwords with an additional verification method, such as a fingerprint scan or randomized PIN from a mobile app, the organization is still protected if an attacker guesses or breaks a user’s password.

Zero trust model should be adopted to ensure data security and privacy. All users, whether they are working remotely or operating inside the corporate network, are required to authenticate themselves, prove their authorization, and continuously validate their security to access and use company data and systems.

User and entity behavior analytics, or UEBA, helps automate an organization’s protection. By monitoring the normal activity of users with AI and statistical analysis, the system can recognize behavior that deviates from normal patterns – particularly those that indicate a breach has occurred and data theft is underway.

While Data Privacy Day 2021 is an ideal opportunity to bring attention to the risks to data privacy, the researchers at the Acronis CPOCs have identified additional cyberthreat trends that will challenge sysadmins, managed service providers (MSPs), and cybersecurity professionals during the coming year.