2019 was a busy year for hackers. In the last year we saw globally renowned businesses, public authorities, and even voting systems fall victim to crippling system outages, data theft and ransomware attacks. As a result, it’s no surprise that this year, Data Privacy Day has become Data Privacy Month!
The goal of the observance is to spread awareness of the fundamental role that cybersecurity plays in the world, as digital technologies continue to permeate all aspects of our lives both in and outside of work. Here, industry experts delve into its importance further:
Increasing concern over our data privacy: what are the consequences?
“Data Privacy Day reminds us that customers are increasingly wary of how brands are using their data,” comments Nicola Pero, CTO at Engage Hub. “Research shows that 65% would stop using a brand that was dishonest about how it was using their data. This percentage seems poised to grow further and further in the years to come, driven by a core group of influencers for whom data privacy is a hot issue with political connotations, similar to climate change or gender inequality.”
Tim Hickman, Partner at White & Case, warns that “a clear trend has emerged in the past 18 months, with many of the ICO’s most high-profile investigations focusing on data breaches involving financial data.” Hickman continues, “it is always possible to report a data breach to the ICO with the option of providing additional information once an investigation has taken place. However, pre-emptively reporting a data breach can have serious adverse consequences because such a report effectively requires the company to admit that it has suffered a breach.”
David Higgins, EMEA Technical Director at CyberArk, explains “it’s now well-established that data is the world’s most valuable asset, and a tempting target for malevolent hackers with varying motivations. More often than not, they are pursuing credentials that they can use to infiltrate businesses and target sensitive and valuable data. Attackers seek ways to cause irreparable damage across a whole range of industries, from seizing companies’ administration logins to hacking into medical data so as to hold individuals to ransom over the disclosure of sensitive personal information. As a tragic, but potentially realistic scenario, this could even result in a doctor being unable to perform a life-saving operation due to a lack of availability of the patient’s records for example.”
The technology battle
It may seem ironic, but Andrew Tsonchev, Director of Technology at Darktrace, maintains that technology itself will also have a big part to play in working alongside humans. According to Tsonchev, “large-scale data breaches, from Capital One last year to Marriott in 2018, have opened consumers’ eyes to the importance of holding businesses accountable. The question now being asked of organisations is not ‘which data regulations are you compliant with?’ but ‘what exactly are you doing to keep my data safe?’”
“Data, and the systems that hold data, will always be vulnerable. If organisations are to truly protect consumer data, artificial intelligence (AI) will be critical, not just a nice-to-have. Only AI can constantly monitor where critical data is and automatically stop it leaking out of an organisation and into the wrong hands,” Tsonchev continues.
“Data privacy is an aspect of security that has become increasingly important to businesses and consumers alike,” explains Chris Hodson, CISO at Tanium. “The enforcement of GDPR in 2018 followed by the CCPA in January of this year has shown that governments are prepared to proactively regulate organisations to implement higher standards of protection for personal data.”
According to Hodson, “companies often fail in privacy and information protection because they simply don't understand the volume, breadth and sensitivity of information contained within their IT environments.” In an attempt to solve this issue, Hodson suggests that “understanding what is in an IT environment is a crucial step to ensuring data is effectively protected. It is the job of IT operations and security teams to unite to establish complete visibility of their ecosystem and implement the controls necessary to support data protection and information privacy.”
“An issue that is often overseen in terms of GDPR,” according to Chris Huggett, Senior Vice President for Europe and India at Sungard Availability Services, “is the result of an IT outage, which prevents businesses from keeping their services running. As a server or organisation’s infrastructure is down, data is then at risk of exposure and therefore a company is at risk of failing compliance. IT and business teams will need to locate and close any vulnerabilities in IT systems or business processes and switch over to disaster recovery arrangements if they believe there has been a data corruption.”
Huggett highlights that “an organisation’s speed and effectiveness of response will be greatly improved if it has at its fingertips the results of a Data Protection Impact Assessment (DPIA) that details all the personal data that an organisation collects, processes and stores, categorised by level of sensitivity. Data Privacy Day is a great opportunity to expose unknown risks that organisations face but moving forward it is vital that business leaders embed privacy into every operation. This is the only sustainable way to ensure compliance on an ongoing basis.”
The human touch
“In the age of social media and the over-sharing of personal information, many forget that privacy is our right. It is protected by laws such as Article 8 of the European Convention on Human Rights”, reminds David Warburton, Senior Threat Research Evangelist at F5 Networks.
As a one-stop piece of advice, Warburton suggests that “if you do anything this Data Privacy Day, make it a positive step to enhance your business’ privacy stance by reinforcing the importance of cybersecurity and the dangers of social engineering. This should include robust employee awareness programmes that evolve in line with new social platforms and ensure a culture of responsible sharing.
“But it isn’t just individual employees that need attention. Attackers can also target specific organisations via employee details on company and partner websites. Information such as ownership records, SEC filings for public companies, lawsuits, and social media, all provide insights that can be used maliciously. Every business should periodically review any information shared on associated websites and social media pages to determine if the content is essential.”
In addition to taking proactive steps to prevent cyber threats, Euan Davis, European Lead for Cognizant’s Center for the Future of Work, notes that “over the coming years, we will see new roles within security departments emerge, requiring different capabilities to the jobs that we see on offer today. Some of these were outlined in a recent report by Cognizant called ‘21 More Jobs of the Future’ and include: Cyber City Analysts, Cyber Attack Agents, Juvenile Cybercrime Rehabilitation Counsellors and Cyber Calamity Forecasters.”
Ensuring a secure future for our data
Data Privacy Day might sound like ‘just another awareness day’. But there is a reason that this year it is being observed for the entire month rather than just one day. Despite new security technologies and tightening regulations, the goalposts are constantly shifting as the tactics and targets of hackers become even more ambitious and sophisticated. To have any chance at winning the digital battle, business leaders must ensure that data privacy is embedded into every aspect of the organisation.