Industry experts discuss the current threats facing data privacy.
By Jay Ryerse, VP of Cybersecurity Initiatives, ConnectWise
The age of data privacy and security is now. It is essential to continue to educate colleagues and customers that data privacy should be built into everything we do. Additionally, service providers need to fully immerse themselves into the threat landscape and the best practices associated with securing data. Without cybersecurity, there is no such thing as privacy. This deep dive includes the governance aspect of data protection as well as the technical and physical controls necessary for the confidentiality, integrity, and availability of data.
Consumers and businesses need to start asking the tough questions of their vendors. They need to understand the supply chain for the services they outsource and what those companies are doing to provide the best in class cybersecurity protections. If those vendors don’t believe they are at risk, then it may be time to find a new provider.
With mounting cyberthreats facing distributed workforces, vendors have had to pivot their business needs to support remote work while maintaining business continuity for customers as cyberthreats continue to plague industries during the pandemic. As more data and sensitive information is shared across communications platforms and between different vendors, data privacy and protection has never been more important.
Below, eight experts discuss the current threats facing organizations of all sizes and across industries, while also providing advice on maintaining data privacy in an era of digital transformation.
Lex Boost, CEO, Leaseweb USA
“2020 saw a boom in remote workforces for companies spanning most industries and sub sectors. Businesses shifted, en masse, from having a system in place for remote work as the exception, to remote work as the rule. This shift caused many businesses to solve immediate issues of business continuity, on both the large and minute scale. Data Privacy Day comes as we all begin settling into the comfort of normalcy of remote working, and provides an opportunity for business leaders to consider whether their current hosting solutions are meeting business needs.
Companies should take this opportunity to reassess their current office environment and corresponding data strategies. Organizations leveraging an on-prem data strategy should consider restructuring to a data center model. As office spaces continue to remain largely unoccupied, the security of data housed on-premises increases in vulnerability–both to malicious actors and to unforeseen events like natural disasters. A hosting provider can offer a variety of solutions and configurations (i.e. dedicated servers, hybrid cloud, colocation, etc.) that moves your data to an offsite location with enhanced physical and cybersecurity measures.
Many hosting providers have the extra layer of protection by offering 24/7 security-related support services to guarantee your data is secure at all times. Hosting providers are required to comply with critical and stringent standards such as ISO 27001, SOC type 1, HIPAA, GDPR and CCPA. The physical buildings where the data centers are located are also typically gated, and require identification to enter.
During Data Privacy Day this year, it’s important for organizations to remember that protecting data doesn’t have to be a job done alone. As we continue to telecommute, it is important to rely on hosting providers for an extra layer of protection and peace of mind.”
Trevor Bidle, CISO, US Signal
“A major boost in remote workforces over the past year was accompanied by a substantial rise in cybercriminal activity. In 2019, a survey revealed that 83% of organizations were hit with a cyberattack. In 2020, that greatly increased, with more cyberattacks reported in the just the first half of 2020 than the entirety of 2019. This Data Privacy Day is a great opportunity for companies to take heed of these cyber risks and implement a robust data management solution — or update their current one.
Modern data management solutions in 2021 should include disaster-recovery-as-a-service (DRaaS) and automatic data backup archive-as-a-service (AaaS). AaaS benefits from the ability to render data immutable to protect it from cyberattacks — and securely store data without increasing bandwidth costs.
These solutions should also incorporate vulnerability management tools. Traditionally, these tools were programmed to be reactive. However, best-of-breed solutions should utilize threat intelligence to become proactive and identify and prioritize vulnerabilities dependent on their criticality. This allows companies to recognize their systems’ weak points and rectify them before the cybercriminals spot them.
In 2021, data center providers should provide data management solutions that offer an array of features, including the traditional and the innovative, to ensure that a company’s data is protected regardless of the attack method the cybercriminal chooses. As the danger of cyberattacks continues to grow in the new year, it is important to revisit your data management and security approaches to keep one (or more steps ahead) of digital adversaries — and ensure data privacy for your employees and customers.”
Laurent Fanichet, VP of Corporate Communications, Sinequa
“We understand that for some organizations, data privacy requirements like GDPR and CCPA can feel like a burden, however necessary. Still, we caution businesses to avoid the trap that compliance requirements are antithetical to using enterprise data to gather valuable business insights. As privacy and protection regulations continue to evolve, Data Privacy Day is a reminder to companies that creating a comprehensive view of all enterprise data is necessary to maintaining compliance. You cannot protect what you cannot see.
Especially in a remote work environment, it is imperative to recognize the differences between strong governance practices that protect data, and the insight mechanisms needed to leverage the data into broader insights that have direct benefit to business growth. This is exactly where technologies like intelligent search and natural language processing are even more critical in helping workers to consistently find, evaluate, associate, and retrieve information across business units, while protecting and sustaining the highest levels of data privacy.”
Sam Humphries, security strategist, Exabeam
“With organizations considering ‘immunity passports’ to get employees safely back to work, companies are going to have to maintain a delicate balance between protecting the health and privacy of their teams. New legislation such as California’s AB685 order – which mandates employers must tell workers in writing that they may have been exposed to the virus – requires businesses to establish an exposure notification system or face a fine. Naturally, some employees might be concerned about data privacy in the workplace and personal health data being exposed. On this year’s Data Privacy Day, I would encourage employees to tackle this problem head on as we all look forward to getting employees back into the office.
In order to alleviate an employee’s worry about health information being revealed, be sure to be transparent about data monitoring and craft policies for employees that are accessible either through paper or digital training. Reassure the team that exposure notification will not violate HIPAA and all names will remain anonymous. Content on the process should avoid confusing jargon and feature an appropriate contact person who can answer all questions.
Companies also need to make sure that exposure notification systems are compliant with not only AB685, but data privacy regulations such as CCPA, GDPR and HIPAA. Utilizing existing technologies in their arsenal such as security analytics, organizations can establish exposure notification without the need for additional investment or worry about breaking compliance laws. This particular approach will help organizations identify individuals’ movement around the physical office based on Wi-Fi connections, scans, etc. – and determine who may have been exposed. Without naming the individual who has the virus, companies can make sure employees know when to quarantine and work from home.
The path forward back to the office from COVID-19 must include data privacy. Data Privacy Day should serve as a reminder that even when things go back to some semblance of ‘normal,’ it is good to be open and honest with employees on current privacy policies. Regular audits should also be conducted during this time, like when new laws such as the AB685 extension emerge. This will reassure skeptical employees that both their health and digital data are protected, while the organization is also being safeguarded.”
Josh Odom, CTO, Mailgun
“In honor of Data Privacy Day 2021, it’s time we broke down the most prominent privacy regulations and how they play into the data-saturated world of email marketing.
The EU’s General Data Protection Regulation (GDPR) covers several lawful bases for data processing, and consent is one of them. As email marketers, we need to shift our understanding of consent from permanent to dynamic. This means that consent under GDPR is specific to the activity. We must ask ourselves: do I have permission to send marketing messages to them? Are they expecting my emails?
Even a scammer would need my explicit consent to continue sending me spam. While this might frustrate email marketers, customers must also have the option to withdraw consent (objecting to use of information for direct marketing) if they decide they don’t want to hear from you anymore. But why would you want to talk to someone who isn’t interested in what you have to say anyway?
The requirements for the U.S.’s California Consumer Privacy Act (CCPA) echo the importance of consent. Email marketers must be explicit about any information collected or sold from the exchanges with the California-based contact — and work with their sales teams to ensure that contact receives the same quality service at the same price as all prospects, regardless of their privacy decisions.
Whether you’re looking to optimize your GDPR and CCPA compliance or just getting started in email marketing and want to ensure you’re on the right path, prioritizing steps into actionable pieces is the way to go. Confirming consent with existing contacts and protecting data with proper security measures can seem overwhelming, but when in doubt don’t hesitate to reach out for advice or to a lawyer that specializes in data protection.
At the end of the day, what matters is keeping your contacts informed at all times of what’s being done with their information. Having a trail of documentation that you can show to prove this will prepare you in case you’re audited for compliance purposes. There is no one-stop shop for achieving compliance, but we hope these tips will help our email marketing friends this Data Privacy Day — and far beyond.”
JG Heithcock, GM, Retrospect, a StorCentric company
“According to IBM, the average cost of a data breach in 2020 was $3.86 million. After a year rife with economic uncertainty, massive shifts of data to the cloud and an increase in remote workers, ransomware and phishing attacks have grown exponentially. Cybercriminals have leveraged information about COVID-19 testing, research and vaccine rollout to lure victims with phishing attacks, increasing the attack surface faced by organizations who might be operating with lean teams and limited resources.
As business leaders look to secure their data, an arsenal of standard practices will protect sensitive and important information from ransomware and other cyberattacks. By maintaining proper password hygiene and vigilance around suspicious email addresses, requests and links, employees can reduce the risk of phishing and other data privacy violations. When organizations incorporate the added layer of maintaining an effective backup strategy with a 3-2-1 backup rule, organizations are better equipped to store sensitive information, which can be recovered quickly, easily and safely to avoid disruption.”
Surya Varanasi, CTO, Nexsan, a StorCentric Company
“In 2020, organizations were forced to rapidly shift to remote work models in response to COVID-19. As we contemplate safe returns to the office, many organizations will explore either full or hybrid remote work options for this year and into the future. With an increased reliance on the cloud and a distributed enterprise, new challenges are brought on by an expanding threatscape spurred by cybercriminals looking to exploit the pandemic for their gain.
In order to fight the mounting threats and protect their data, organizations must combine known best practices with modern technology. Once those are in place, incorporating unbreakable backup solutions will serve as a last line of defense, allowing organizations the ability to recover, maintain uninterrupted operations and avoid paying ransoms should they be attacked. This way, sensitive information is kept safe and business continuity remains intact.”
David McNeely, Chief Strategy Officer, Centrify
“Beginning the year by observing Data Privacy Day serves as an excellent reminder for organizations to explore the mounting threats to their data and systems, and review the security of their credentials. This year, it’s imperative to note that the exponential growth of non-human identities means human users are not the only identities that can or will have access to sensitive data, often leaving credentials with broad privileges open to compromise. As the threatscape continues to expand, organizations must realize the importance of securing all identities including humans, machines, services, APIs, etc., which often provide privileged access to sensitive data.
Complexities around protecting and securing identities have been compounded by the industry’s mass shift to remote work and disbursement of security teams. Additionally, as modern organizations continue to expand automation’s role in DevOps and cloud environments, organizations must protect their credentials by following best practices to reduce the use of shared passwords, implement multi-factor authentication, strive for zero standing privileges, and adopt a centralized privileged access management (PAM) solution.
Authentication methods such as federation, ephemeral tokens, and delegated machine credentials can also help to reduce the overall attack surface and seamlessly incorporate PAM into the DevOps pipeline. When combined with a least privilege approach, these best practices and modern solutions can improve an organization’s security posture, minimize the risks of compromised credentials, and ensure data privacy for both the organization and its customers, throughout 2021 and for the long term.”