Data Privacy Day: What individuals can do to protect data.
Individuals, both employees and consumers, can play a vital role in preserving data privacy.
This past week was Data Privacy Week, and Sunday, January 29th, marked the observance of Data Privacy Day. Experts discuss the increased risks that cyberattacks pose to data privacy, the important role employees play in an organization’s data protection, and best practices and solutions for improving data security posture. In this article we collect advice from industry experts on the individual’s role in privacy protection.
The employee’s role in data protection.
W. Curtis Preston, Chief Technical Evangelist, Druva, breaks down the responsibilities of IT staff in keeping data protected:
“Privacy is now at the forefront and one of the top concerns for consumers, making it the responsibility of everyone in IT. On Data Privacy Day, organizations have the opportunity to reflect and commit to a holistic approach within their IT teams to ensure data privacy standards are upheld and data resiliency is achieved.
“In an IT team, it’s the web developer’s job to ensure that any personal data received via the web is stored directly in a special database designed for personal information.
“It’s the database administrator’s (DBA’s) job to ensure that database is treated differently, judiciously applying the principle of least privilege to it, to ensure only a select few are granted access, and everyone else (including bad actors) sees encrypted nonsense.
“It’s the system administrator’s job to apply the same concepts to wherever that database resides. It is the backup person’s responsibility to ensure the backups of this database follow best practices, and are encrypted and air-gapped.
“Finally, it is, of course, the security person’s job to check in with everyone else to help them understand their responsibilities and ensure they are meeting them.
"When all of these pieces of the team are aligned, organizations can be certain that they’ve done everything possible to keep their data resilient in the face of unexpected threats and adversity.”
Clar Rosso, CEO of (ISC)2, notes the importance of collaboration among privacy and cybersecurity professionals:
“The intersection of security and privacy has been evident for years – and in the end, you can’t have one without the other. As we continue to interact, process and consume data at an exponential rate, there needs to be a clear understanding of where data is located, managed and accessed to avoid it getting into the wrong hands. With privacy and cybersecurity functions becoming increasingly synergistic, privacy and cybersecurity professionals must work collaboratively to ensure strong and effective data stewardship. Not only will it improve security and privacy postures, but the collaboration will help alleviate resource challenges.”
Vulnerabilities are found in the tools employees use.
There are some surprising points of vulnerability with respect to protecting data. Stacey English, Director of Regulatory Intelligence at Theta Lake, said, “Modern communication platforms have become integral in today’s workplace, but there’s a lot of catching up to do when it comes to the compliance and security tools currently being used. The more than $2bn in fines is the biggest wakeup call yet that Compliance and Unified Communications teams need to be in lockstep to ensure a comprehensive approach to record-keeping and supervision.” Theta Lake recently surveyed compliance and security professionals about risks to data privacy, and the respondents expressed concerns over risks collaboration tools pose:
- "Chat. Content shared in chat conversations, including in-meeting, is viewed as the biggest threat to compliance, security and privacy. The transfer of files via chat (52%) and the ability to share links in chat or on screen (41%) are considered the riskiest features."
- "Video conferencing and webcams. Not only is camera functionality the number one feature disabled in organizations, 36% of respondents from all industries believe video conferencing and webcams create the greatest risks in terms of data privacy and employee misconduct."
- "Record retrieval. 85% of organizations experience challenges in retrieving records, exposing them to potential fines and sanctions for not being able to provide timely, complete data for investigations, data privacy or other compliance purposes."
The consumer’s role in privacy protection.
Adam Marrè, CISO at Arctic Wolf, acknowledges the importance of vigilance in data privacy and protection, and provides a few steps for securing your data:
"It’s critical for consumers to stay vigilant as online platforms and social media apps, especially those that are free, still do come with a cost. Algorithms designed to direct users to apps, and keep them there longer, often work in manipulative ways that do not align with users’ best interests, collecting detailed and sensitive data that can be used to target people via phishing emails, propaganda, and/or controlling/accessing devices.
“Here are a few steps you can take to protect your data:
- "Practice good cyber hygiene: use strong passwords, use a password manager, enable two-factor authentication, download security updates for apps and devices, and regularly check your accounts for suspicious logins or unrecognized devices.
- "Beware of phishing, fraud, and other scams online. Not all attacks come through sophisticated techniques or malware. Stay alert and vigilant for phishing attempts through email, text message, phone calls, and direct messaging in apps.
- "Know what information your apps and devices are collecting and where they are sending it. Examine terms and conditions, read reviews of the apps' privacy, or use the privacy features on your device. If the app is collecting information that you don’t want it to, be disciplined: delete the app and use the browser version instead. Or avoid the app entirely.
- "Demand legislative action. We can use these current heightened data privacy concerns to motivate us to take collective action that will have a much more lasting and holistic effect than merely banning one specific app. Bills like the ADPPA have been proposed; contact your state legislators and demand they hold these data collectors accountable or prevent them from collecting data they don’t need.
"By implementing these best practices, consumers can take action to help maintain control over their own personal data privacy.”
Jonathan Knudsen, Head of Global Research at the Synopsys Cybersecurity Research Center (CyRC), encourages consumers to adjust their expectations as necessary:
“Privacy can only happen when the confidentiality and integrity of data are protected. In software, the only way to effectively protect data is by making security part of every phase of development, from design through implementation, testing, and deployment—thus, building trust directly into the software they build, rely on, and offer to customers.
"For consumers, making informed decisions about privacy can be daunting. It’s nearly impossible to know if the creator of a particular piece of software was careful about privacy when they were designing and building the software. Furthermore, a software vendor’s desire to monetize user data might mean that user expectations around privacy will far exceed what’s laid out in the terms and conditions.
"One of the best ways consumers can protect themselves is by adjusting their expectations. For many applications, especially social media and other “free” services, users should not assume any level of privacy. When services are free, consumers are the product, and any data they enter into such a service is likely to be used and monetized as much as the terms and conditions allow.
"When circumstances call for a higher assurance of privacy, consumers will need to conduct their own research to assess the risks of different vendors.”
Chris Lehman, CEO of SafeGuard Cyber, provides steps for reclaiming data privacy:
"SafeGuard Cyber believes the steps that users should take to reclaim their privacy and their data on this Data Privacy Day are:
- "Double down on transparency: Enterprise teams need to prioritize clarity in articulating their plans for monitoring business communications on apps like WhatsApp and Telegram. Where possible, employees should be involved as stakeholders in the planning process. Some companies and employees may agree on managed corporate devices, while smaller, more nimble teams may decide personal devices are fine.
- "Establish clear guardrails: From the planning and buy-in stages, companies need to set clear policies on what can and should be communicated on mobile messaging channels. This should also include clear guidance on what will be monitored and how. Will the information be archived? If so, for how long?
- "Give employees the choice to opt IN. Transparency is the foundation of trust. After articulating the plan, after negotiating the terms, finally employees must be given a choice."
And it’s not just the customers: employees have personal data, too.
SlashNext CEO Patrick Harr cites the increasing prevalence of employees’ personal data as a major gap in security postures:
“The biggest gaps in security postures come from the personal data of employees in the newly hybrid workforce. These blind spots are becoming more readily apparent as organizations adopt new channels for personal messaging, communications, and collaboration. Attackers are targeting employees through less protected personal communication channels, like WhatsApp, Signal, Gmail, and Facebook Messenger, to perpetrate an attack.
“In a phishing attack, the bad guys use emails, social media posts, or direct messages to trick people into clicking on a bad link or downloading a malicious attachment. When a phishing attack succeeds, the cybercriminals capture private data and personal information, or they may even install malware directly onto the device to facilitate ongoing attacks.”