Data Privacy / Data Protection comment
January 2021 by Experts
Expert comments for Data Privacy Day on how consumers and organisations can keep their data safe and secure.
· Joseph Carson comments on how citizens’ data will continue to be used going forward.
· Ed Williams at SpiderLabs at Trustwave comments on data privacy best practices.
· Adam Brady at Illumio looks at the impact of ransomware.
· Sanjiv Cherian at A&O IT Group on IoT and smart devices in the home.
· Paul Dant at Digital.AI on how security can be built into the application pipeline so that data is secure when customers use an organisation’s app.
Data Privacy Day comment from Joseph Carson, chief security scientist at Thycotic:
“Data privacy will, and already is, evolving into a Data Rights Management issue.
Citizens’ privacy will continue to be under the spotlight in 2021. The end of privacy as we know it is closer than you may think. Privacy definitions are very different between nation states and cultures, however, one thing that is common is that privacy is becoming less and less of an option for most citizens. In public and online, almost everyone is being watched and monitored 24/7 with thousands of cameras using your expressions, fashion, walk, directions, interactions, and speech to determine what you need, what you might be thinking, who you are going to meet, who is nearby, and even algorithms that determine what your next action might be.
Regulations will continue to put pressure on companies to provide adequate cyber security measures and follow the principle of least privilege to protect the data they have been entitled to collect or process.
I believe the big question, when it comes to data privacy, is “How is citizens’ data being used, collected and processed?” Ultimately data privacy will evolve into Data Rights Management, which means that rather than giving up personal data for so-called free use of internet services, citizens should and can get paid for allowing their personal data to be used for marketing purposes. It will become more about how the personal data will be used, and what monetisation results from the data. In the future everyone will become an influencer; the difference is how much it is worth.”
Commentary from Ed Williams, EMEA Director of SpiderLabs at Trustwave
2020 was an incredibly impactful year for a number of reasons, one of which was data protection/data privacy. When I look at the work we’ve been conducting at Trustwave’s SpiderLabs, I see a specific emphasis on remote working solutions. While many organisations are being proactive with their assurance work, we’re seeing that this isn’t the case for all organisations.
When it comes to regulations, as we begin 2021, I believe that GDPR will still have an impact in the short term, regardless of Brexit. Coupled with the digital transformation we’re seeing with organisations moving to the cloud, there are plenty of areas for organisations to come un-stuck. Businesses must be sure to remember that the cloud has a ‘shared model of responsibility’, in that both parties must ensure the security and privacy of data.
Moving forward this year, if the strategy for privacy fell under my remit within my organisation, with my penetration test hat on, I’d focus on ensuring that appropriate security and privacy training is given to all staff. Given that many organisations are now working from home, potentially using equipment that isn’t specifically work-related, and with threats and vulnerabilities abounding, being able to identify these threats is imperative. Secondly, I’d focus on the data itself. Data is always valuable to the bad guys, and ensuring that data is managed correctly should also be a focus. Policies and procedures for data should be updated in light of the recent home working trend, with appropriate training and technical controls.
To round off, at a high level there are several broad security practices that can help with data privacy and protection; however, the two I’d prioritise are:
a. Enable multi-factor authentication on services, especially those that you value (email being a good example of this), and I’d also consider using a password manager.
b. Always update software and operating systems to the latest versions available to protect against the ever-growing threat of ransomware.
Commentary from Adam Brady, Director, Systems Engineering, EMEA, at Illumio
“With this Thursday being named as a day to recognise data privacy or data protection, it’s a great reminder that data protection should be a top priority for organisations every single day. And a big part of that should be stopping the spread of breaches to prevent access to PII.
Ransomware is in the news almost daily, and that’s only going to continue for the foreseeable future. Organisations need to take the more pragmatic approach of assuming breach and consequently maintain an ongoing focus on protecting the data they store. Privacy and consumer data are such a high-value currency that if an attacker knows what they have, they’ll exploit it for every last penny.
For organisations looking to secure PII, micro-segmentation as part of a Zero Trust approach is a critical control. Traditional segmentation of the network is no longer enough to prevent the kind of lateral-movement-based threats we see. Forward thinking enterprises need to be thinking about visibility, and micro-segmentation - where they can easily isolate high-value applications and environments, prevent lateral movement, enforce granular security policies, and apply the Zero-Trust posture of “never trust, always verify”.
Although we hope measures are already in place, today is a good reminder for organisations to pause, take stock and ensure they are protecting data to the best of their ability.”
Sanjiv Cherian, Head of Business Development at A&O IT Group
“As businesses and their employees have adapted to the need to work from home, the question of how to secure their networks and ensure the integrity and protection of their critical information and data is one that many organisations may now believe they have solved through the implementation of a variety of tools and solutions such as SD-WAN, VPNs, 2FA and a myriad of other products. Yet there is a threat that many won’t have considered and that is, to a degree, slightly out of their hands: IoT and smart devices in the home that are all connected to the same WiFi.
While a connected fridge, for example, may not seem like the most obvious threat to data and an individual’s privacy, these kinds of devices don’t tend to have a high-level of security built in from the outset. This means that once deployed and installed within a home, they aren’t held to account in the same way our computers and mobile devices are with regular patches and software updates automatically being pushed through.
As a result, these devices are the equivalent of an open backdoor for even the lowest skilled hacker, providing them with the means to get onto the network and stealthily move laterally until they find the data they are seeking and a whole lot more. While some of the onus should be placed on manufacturers of smart devices to ensure security is a priority, it is also important for organisations to make their employees aware of the potential threat to their privacy and data. If employees are to host everything on the same home network, organisations must enforce stricter security policies and practices to ensure that the business network is sufficiently segmented and protected from threats.”
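Both the micro-segmentation point above (isolate high-value systems, deny lateral movement, “never trust, always verify”) and the home-network scenario just described come down to one rule: every east-west flow must match an explicit allow-list, and anything else is a violation. The following is an added example, not code from any of the commentators or their companies, showing that rule applied to constructed flow records. The zone CIDRs, ports and sample flows are assumptions invented for illustration (a work-laptop VLAN, an IoT VLAN and a corporate VPN range); swap in your own.

```python
"""Default-deny segmentation policy check over constructed flow records.

Zones are defined by CIDR; the allow-list enumerates the only flows a host
may initiate. Anything not listed is a policy violation, which is what
"never trust, always verify" means in practice for east-west traffic.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical home / SOHO layout (assumption for this example, not from the
# article): the work laptop sits on its own VLAN, IoT gear on another, and
# the employer's VPN concentrator lives in a 10.8/16 range.
ZONES = {
    "work": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
    "corp_vpn": ipaddress.ip_network("10.8.0.0/16"),
}

# Allow-list of (src_zone, dst_zone, proto, dport). Everything else is denied,
# including IoT -> work and IoT -> corp_vpn, which is the lateral movement
# path the commentary warns about. Ports are illustrative assumptions.
ALLOW = {
    ("work", "corp_vpn", "udp", 1194),  # laptop -> VPN concentrator
    ("work", "internet", "tcp", 443),   # laptop -> web
    ("work", "iot", "tcp", 8443),       # manage the smart-home hub from the laptop
    ("iot", "internet", "tcp", 443),    # IoT cloud telemetry only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to a named zone; anything outside the known CIDRs is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ('allow' | 'deny', human-readable reason) for a single flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    key = (src_zone, dst_zone, flow.proto, flow.dport)
    if key in ALLOW:
        return "allow", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} permitted"
    return "deny", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} not in allow-list"


def parse_flow(line: str) -> Flow:
    """Parse the constructed record format '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def audit(lines) -> list[tuple[str, str]]:
    """Return (record, reason) for every flow that violates the allow-list."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        verdict, reason = evaluate(parse_flow(line))
        if verdict == "deny":
            violations.append((line, reason))
    return violations


# Constructed sample flow records (not real traffic); the three IoT-originated
# flows toward the work VLAN, another IoT host and the VPN should be flagged.
SAMPLE_FLOWS = [
    "192.168.10.5 10.8.0.1 udp 1194",        # laptop -> VPN: allowed
    "192.168.20.7 192.168.10.5 tcp 445",     # fridge -> laptop SMB: lateral movement
    "192.168.10.5 192.168.20.7 tcp 8443",    # laptop -> hub admin: allowed
    "192.168.20.7 93.184.216.34 tcp 443",    # fridge -> vendor cloud: allowed
    "192.168.20.7 192.168.20.9 tcp 22",      # fridge -> camera SSH: denied
    "192.168.20.7 10.8.0.1 udp 1194",        # fridge -> VPN concentrator: denied
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {record!r}: {reason}")
```

The allow-list is deliberately keyed on zone, protocol and destination port rather than on individual hosts, so adding a new smart device to the IoT VLAN changes nothing in the policy; the same shape translates directly into VLAN firewall rules on a home router or into host-based micro-segmentation policy in an enterprise.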
Paul Dant, Vice President - Product Management at Digital.AI
“Companies that require access to our data need to take responsibility and ensure they are putting all the relevant measures in place to secure this data as much as they possibly can. Apps often hold the most data and they are tools everyone around the world uses every single day, so we need to start at the beginning of this process and consider how we can ensure data privacy when handling applications.
Any company that requires its customers to use an app needs to implement Agile development methodologies with a DevSecOps model, leading to system security with operational visibility that can identify and thwart hackers from attacking and disrupting the privacy of the company’s data. Allowing the entire software development team to have a fully integrated view into the product development lifecycle, and giving them the understanding and knowledge of the importance of securing and testing a device, will go a long way in helping organisations do their utmost to provide excellent data privacy. This will ensure the company is on track to achieving its business outcomes because consumer trust is intact and its customers are retained. With the proper security measures in place, the chance of a data breach is less likely and therefore their data remains secure and private, and the integrity of the company itself remains intact.”