We’ve rounded up expert predictions and commentary on data privacy for Data Privacy Week this year. Here's a comprehensive set of recommendations.
Industry comment on Data Privacy Week.
Experts discuss the increased risks posed by cyberattacks to data privacy, as well as the important role employees play in an organization’s data protection, and best practices and solutions to improve data security posture.
Ransomware’s impact on data privacy.
Eric Bassier, Senior Director of Products at Quantum, notes the importance of a multi-layered approach to data protection in the wake of increased ransomware attacks:
“According to a recent study of IT and business executives, two out of five revealed that their organizations had suffered from successful ransomware attacks. Even worse, over 80% reported that they had paid ransoms to get their data back. That’s because cybercriminals are always on the hunt for new ways to trick users into clicking on links which open the door to ransomware infiltration. Ransomware is just one threat in the ever-growing cyber threat landscape. It is imperative that organizations have a documented plan on how they are protecting and recovering their data - in every stage of its lifecycle - from all manners of cyber threats.
“To ensure the resilience and rapid recoverability of data, it's essential to have a multi-layered approach in place that covers every stage of the data lifecycle from end to end. This includes maintaining multiple copies of data, using immutable snapshots, storing data offline, and employing encryption and other security measures to safeguard and recover data swiftly in any location.
“It is clear by now that it is no longer a matter of ‘if’ but ‘when’ an organization will be hit with a cyberattack. By following these guidelines and remaining vigilant, businesses can effectively strengthen their cybersecurity and reduce the risk of irreparable damage in the instance of a successful attack. It’s crucial that businesses prioritize the protection of their data, not just today, but every day. In 2023, data protection and recoverability are uncompromising, vital components to the success and sustainability of any business.”
Tilo Weigandt, COO and co-founder of Vaultree, discusses the need for a tested incident response plan and an incident management team to prepare for ransomware attacks:
"Regularly testing the incident response plan and having an incident management team are important steps in preparing your organization for a ransomware or cyber incident. As a business leader, you must also ensure that appropriate security controls are in place and that employees know cybersecurity best practices. Backing up data regularly and having an outside incident management and cyber insurance company can help organizations quickly respond to a cyber incident and recoup their costs. Additionally, it is crucial to develop a cybersecurity incident response plan that outlines the steps that will be taken in the event of a ransomware or cyber incident. But most important is to have proper encryption in place so you don't even have to worry about the negative impacts of an incident."
Lisa Erickson, head of data protection product management at Veritas, discusses the growing ransomware threat and the challenges it poses to data privacy:
"Over the past couple of years, ransomware, once thought of as primarily a security threat, has evolved into one of the biggest data privacy challenges that businesses continue to face. Today, double and triple extortion tactics that up the ante by threatening to sell or otherwise leak sensitive data are table stakes. Data Privacy Day is a great reminder of the importance of keeping sensitive data protected against the ever-evolving threat landscape where ransomware is the attack du jour.”
Brian Dunagan, Vice President of Engineering at Retrospect, emphasizes the continuing nature of ransomware attacks and their dangers to data:
“Every organization, regardless of size, faces the real possibility that they could be the next victim of a cyberattack. That is because today’s ransomware, which is easier than ever for even the novice cybercriminal to obtain via ransomware as a service (RaaS), strikes repeatedly and randomly without even knowing whose system it is attacking. Ransomware now simply searches for that one crack, that one vulnerability, that will allow it entry to your network. Once inside it can lock down, delete, and/or abscond with your data and demand payment should you wish to keep your data private and/or have it returned.”
Christopher Rogers, technology evangelist at Zerto, a Hewlett Packard Enterprise company, describes the impact of data corruption resulting from ransomware and related attacks:
"In 2023, data is the most valuable asset any company owns. Whether it's the organization’s own data or its customers’, the potential loss of revenue should this data be compromised is huge. Therefore, the primary concern for all businesses should be protecting this asset.
"Unfortunately, in the golden age of cybercrime, data protection is not such an easy task. In 2022, an IDC report, ‘The State of Ransomware and Disaster Preparedness’, found that 83% of organizations had experienced data corruption from an attack, and nearly 60% experienced unrecoverable data as a result. While it's clear there is a dire need for more effective data protection, it is also crucial that businesses have disaster recovery solutions in place should the worst occur.”
Protecting unstructured data.
Carl D’Halluin, CTO at Datadobi, describes the need for an unstructured data management platform as the creation of unstructured data continues to grow:
“A staggering amount of unstructured data has been and continues to be created. In response, a variety of innovative new tools and techniques have been developed so that IT professionals can better get their arms around it. Savvy IT professionals know that effective and efficient management of unstructured data is critical in order to maximize revenue potential, control costs, and minimize risk across today's heterogeneous, hybrid-cloud environments. However, savvy IT professionals also know this can be easier said than done without the right unstructured data management solution(s) in place. And, on Data Privacy Day we are reminded that data privacy is among the many business-critical objectives being faced by those trying to rein in their unstructured data.
"The ideal unstructured data management platform is one that enables companies to assess, organize, and act on their data, regardless of the platform or cloud environment in which it is being stored. From the second it is installed, users should be able to garner insights into their unstructured data. From there, users should be able to quickly and easily organize the data in a way that makes sense and to enable them to achieve their highest priorities, whether it is controlling costs, CO2, or risk – or ensuring end-to-end data privacy.”
Securing your data in the cloud.
Brad Jones, CISO and VP of Information Security at Seagate Technology, explains the native features cloud platforms offer to assist with data privacy, and the need for a multifaceted security approach:
"Cloud misconfiguration is a key challenge to data privacy in 2023. Organizations need to prioritize compliance across their entire cloud infrastructure. An error in a cloud’s configuration could mean that an employee is just a click away from accidentally exposing an entire database – and opening the organization up to regulatory risk and reputation damage.
"Good data privacy is good for business and not just because it enhances an organization’s reputation. Compliance helps unlock innovation by driving efficiency. The common systems and controls that come with good data security and privacy strategies help enable knowledge sharing across an organization, which gives employees the information they need to be more efficient and make better decisions.
"A comprehensive data classification strategy is essential for maintaining data privacy but implementing one is easier said than done. Many organizations don’t fully understand where all of their data is, let alone how it should be classified. Organizations need to establish simple, clear data classification standards and should foster close collaboration between their security teams and stakeholders across the organization to maintain data privacy and security.
"Cloud platforms offer various native features for data classification that can help maintain privacy. This could be as simple as a tag on a server or storage location mapped to the most sensitive level of data that an application contains, or a more granular object or database level of classification offered by some Platform as a Service providers. Organizations starting a new cloud journey should build data classification into the design and leverage the capabilities of the platform. Organizations that are already in the cloud should understand what features they are not yet leveraging and make a plan to maximize control.
"Organizations must maintain different layers of security in their architecture, and data encryption is a key factor that should not be overlooked along with other access controls. Ensuring that data is encrypted at rest and that the keys are maintained securely (and not with the data itself) can help ensure data confidentiality and integrity when other controls fail."
Amitabh Sinha, Co-Founder and CEO of Workspot, describes the benefit of Cloud PCs:
“Today’s attack surface has expanded exponentially. With cybercrime positioned as the fastest-growing crime in the U.S., attacks are increasing in number, scope, and sophistication. Data Privacy Day serves as a reminder that security posture is paramount for every organization, and a zero-trust security model is a critical line of defense. In this context, a multi-layer approach is needed. Cloud PCs bring an extra level of security to help ensure no one is trusted without verification, either inside or outside the organization.
"Many Cloud PC solutions have integrated control and data planes, which can expose customer data. A true zero-trust architecture can be a gamechanger for company security, as it requires separation between control and data planes, which isolates and secures company data from the control elements of the Cloud PC platform. After all, zero trust means trusting no one with your corporate data, not even your Cloud PC vendor!
"As we look beyond Data Privacy Day, enterprises need to implement future-proof end user computing solutions that also fortify security policy. Cloud-native Cloud PCs are the modern way to achieve the agility and security enterprises need today. When evaluating Cloud PC solutions, IT leaders should consider the following:
- "Where will my data live? Who will be able to see it? How is it protected?
- "How will my cloud desktop architecture impact information security?
- "Where will my Active Directory run?
- "What systems will be shared between users?
- "What are the regulatory and compliance implications of the solution?
- "How quickly can I add Cloud PCs?
- "How can I deliver the best performance to my end users?”
Amit Shaked, CEO and co-founder at Laminar, explains the advantages of cloud-native security platforms:
“As the world celebrates Data Privacy Day, it’s important to remember that there is no data privacy without data protection.
“This problem is becoming more acute as organizations adopt hybrid cloud infrastructures without ensuring effective security, privacy and governance for the data stored across vendors and clouds. Two statistics paint the story. Two-thirds (66%) of organizations store between 21%-60% of their sensitive data in the cloud and nearly half (45%) experienced a cloud-based data breach or failed audit in the last 12 months.
“IT and security teams risk exposing customers and losing intellectual property, strategic advantage, and revenues if they don’t shore up data protection as well as data privacy. Fortunately, by adopting cloud-native data security platforms, these teams can regain visibility into – and control over – their valuable data and keep it private and protected. Using a cloud data security platform provides autonomous and continuous discovery, classification, monitoring and protection of all data stored and used across platforms like AWS, Microsoft Azure, Google Cloud, and Snowflake.”
Data privacy sees continually increasing compliance regulations worldwide.
Don Boxley, CEO and Co-Founder, DH2i, notes increasing regulations around data privacy globally:
“The perpetual concern around data privacy and protection has led to an abundance of new and increasingly stringent regulations around the world. According to the United Nations Conference on Trade and Development (UNCTAD), 71% of countries now have data protection and privacy legislation, with another 9% having draft legislation.
"This increased scrutiny makes perfect sense. Data is being created and flowing not just from our business endeavors, but countless personal interactions we make every day - whether we are hosting an online conference, making an online purchase, or using a third party for ride-hailing, food delivery, or package transport.”
Tilo Weigandt, COO and co-founder of Vaultree, emphasizes the need to remain compliant with growing regulations:
“It is important to note that data privacy is a complex issue and there is no one-size-fits-all solution. For example, a zero-trust framework powered by AI and machine learning is not the only solution to best protect your data. Other approaches include using encryption, implementing strict access controls, and regular monitoring and auditing systems.
“Organizations should consult experts to determine the best approach for their specific needs and requirements, especially with data privacy rules certain to get more strict. State-level momentum for privacy bills is at an all-time high to regulate how consumer data is shared. Recent developments such as the California Privacy Rights Act, the quantum computing security legislation, and the Virginia Consumer Data Protection Act clearly show that protecting consumer privacy is a growing priority in the U.S.
“Compliance with relevant data privacy regulations such as GDPR or HIPAA is also crucial. One tactic able to support all of the above and the essential basis of all cybersecurity practices is data-in-use encryption because working with data in a fully encrypted format opens up numerous possibilities for companies. Data Privacy is a complex and ongoing process, but it is worth it. Protecting your data properly will mitigate a data breach's financial, cyber, legal, reputational, and business risk.”
Almog Apirion, CEO and Co-Founder of Cyolo, discusses the development of government data privacy regulations over time:
"Data Privacy Day aims to increase awareness over the need to protect employee and customer data while adhering to regulatory laws such as GDPR or CCPA. Even if newer regulations are highlighting today's major need for data protection, this is not something new - in fact, the first legally binding international privacy and data protection treaty, Convention 108, was signed well before today’s regulations, in 1981. Because of our greater reliance on digital technology to govern most facets of both individual and organizational life, it is important to reconsider what is shared, when, where and with whom. Data Privacy Day is a component of the worldwide ‘STOP. THINK. CONNECT.’ campaign for online privacy, security and safety.”
Jeff Sizemore, chief governance officer at Egnyte, highlights the momentum garnered in US government for data privacy legislation:
“Data Privacy Day reminds us that personal privacy is being viewed more and more as a global human right—by 2024, it’s predicted that 75% of the world’s population will be protected under modern data privacy regulations. We will continue to see data privacy gain significant traction across industries and business disciplines, such as with personal financial data rights. Company trust will increasingly have a larger impact on customers’ buying decisions as well.
"In the U.S., five states (California, Virginia, Colorado, Connecticut and Utah) have already enacted or plan to enact data privacy legislation this year. And the movement toward a federal law is only a matter of time, as we have seen positive momentum with the American Data Privacy and Protection Act (ADPPA).
"Without a doubt, as government entities and regulatory bodies show increased interest in data privacy, we can anticipate stronger enforcement mechanisms. Enforcement of regulations will become more strict, with fines and litigation for noncompliance expected to increase.
"There’s no time like the present to prepare for these business-impacting regulations, especially with more on the horizon. Organizations can take proactive steps like keeping data privacy policies up-to-date and gaining visibility into structured and unstructured data. Ultimately, companies that respect data privacy and understand the short- and long-term benefits of compliance will be well-positioned for the future.”
Chris Lehman, CEO of Safeguard Cyber, describes the California Consumer Privacy Rights Act, which went into effect at the start of this year:
"This Data Privacy Day could not come at a better time, as state privacy regulations such as the California Consumer Privacy Rights Act (CPRA), which succeeds the California Consumer Privacy Act, went into effect on January 1, 2023. The CPRA enhances users' rights over data with the right to correct inaccurate personal information and the right to limit use and disclosure of sensitive personal information.”
The employee’s role in data protection.
W. Curtis Preston, Chief Technical Evangelist at Druva, breaks down the responsibilities of each IT role in keeping personal data protected:
“Privacy is now at the forefront and one of the top concerns for consumers, making it the responsibility of everyone in IT. On Data Privacy Day, organizations have the opportunity to reflect and commit to a holistic approach within their IT teams to ensure data privacy standards are upheld and data resiliency is achieved.
"In an IT team, it's the web developer's job to ensure that any personal data received via the web is stored directly in a special database designed for personal information.
"It's the database administrator's (DBA's) job to ensure that database is treated differently, judiciously applying the process of least privilege to it, to ensure only a select few are granted access, and everyone else (including bad actors) sees encrypted nonsense.
"It's the system administrator's job to apply the same concepts to wherever that database resides. It is the backup person's responsibility to ensure the backups of this database follow best practices, and are encrypted and air-gapped.
"Finally, it is, of course, the security person's job to check in with everyone else to help them understand their responsibilities and ensure they are meeting them.
"When all of these pieces of the team are aligned, organizations can be certain that they’ve done everything possible to keep their data resilient in the face of unexpected threats and adversity.”
Clar Rosso, CEO of (ISC)2, notes the importance of collaboration among privacy and cybersecurity professionals:
“The intersection of security and privacy has been evident for years – and in the end, you can’t have one without the other. As we continue to interact, process and consume data at an exponential rate, there needs to be a clear understanding of where data is located, managed and accessed to avoid getting into the wrong hands. With privacy and cybersecurity functions becoming increasingly synergistic, privacy and cybersecurity professionals must work collaboratively to ensure strong and effective data stewardship. Not only will it improve security and privacy postures, but the collaboration will help alleviate resource challenges.”
SlashNext CEO Patrick Harr cites employees’ personal data and personal communication channels in the hybrid workforce as the biggest gaps in security postures:
“The biggest gaps in security postures come from the personal data of employees in the newly hybrid workforce. These blind spots are becoming more readily apparent as organizations adopt new channels for personal messaging, communications, and collaboration. Attackers are targeting employees through less protected personal communication channels, like WhatsApp, Signal, Gmail, and Facebook Messenger, to perpetrate an attack.”
"In a phishing attack, the bad guys use emails, social media posts, or direct messages to trick people into clicking on a bad link or downloading a malicious attachment. When a phishing attack succeeds, the cybercriminals capture private data and personal information, or they may even install malware directly onto the device to facilitate ongoing attacks.”
There are some surprising points of vulnerability with respect to protecting data. Stacey English, Director of Regulatory Intelligence at Theta Lake, said, “Modern communication platforms have become integral in today’s workplace, but there’s a lot of catching up to do when it comes to the compliance and security tools currently being used. The more than $2bn in fines is the biggest wakeup call yet that Compliance and Unified Communications teams need to be in lockstep to ensure a comprehensive approach to record-keeping and supervision.” Theta Lake recently surveyed compliance and security professionals about risks to data privacy, and the respondents expressed concerns over risks collaboration tools pose:
- "Chat. Content shared in chat conversations, including in-meeting, is viewed as the biggest threat to compliance, security and privacy. The transfer of files via chat (52%) and the ability to share links in chat or on screen (41%) are considered the riskiest features."
- "Video conferencing and webcams. Not only is camera functionality the number one feature disabled in organizations, 36% of respondents from all industries believe video conferencing and webcams create the greatest risks in terms of data privacy and employee misconduct."
- "Record retrieval. 85% of organizations experience challenges in retrieving records, exposing them to potential fines and sanctions for not being able to provide timely, complete data for investigations, data privacy or other compliance purposes."
Best practices to protect your data in today’s day and age.
Rebecca Krauthamer, Co-Founder and CPO at QuSecure, explains the importance of making security solutions quantum-safe:
“Ahead of Data Privacy Day on January 28, it is advisable that federal agencies, commercial organizations and other infrastructure providers begin to immediately assess potential vulnerabilities in their current encryption and cybersecurity practices and start planning for post-quantum encryption.
"Some believe that building a quantum computer powerful enough to break encryption is a decade or more away. Others believe it’s already too late. While quantum computers powerful enough to crack RSA are not yet available, hackers are seizing and storing sensitive data knowing they will be able to use quantum technology to access it soon.
"We know that well-funded hacking organizations and governments are constantly working on novel ways to accelerate quantum development, including advanced error correction, combinations of individual quantum processors, and advanced physical architectures, to become the first to wield the power of quantum decryption. We are most likely closer to more quantum power and the subsequent associated threats to standard encryption than expected.
"Every day we don’t convert our security posture to a quantum-safe one, there’s no recovering from the damage that will be done.”
Tonia Dudley, CISO at Cofense, notes the impact of business email compromise (BEC) and phishing attacks, and highlights the need for actionable intelligence adoption to mitigate inbox threats:
“One of the most important things that people need to realize is that the actors behind business email compromise (BEC) are involved in multiple types of attacks. A recent report published by IBM shared that both BEC and phishing are the leading cause of data breaches.
"Business email compromise amounts to an estimated $500 billion-plus annually that’s lost to fraud. That’s billions lost to unemployment fraud. Billions lost to romance scams, real estate cons, advanced-fee fraud and dozens of other crimes affecting hundreds of thousands of victims. These victims not only lose money, but valuable private information is also stolen as a result of successful business email compromises.
"Data Privacy Day serves as a good reminder that organizations need to take necessary steps to protect inboxes, detect threats, and respond to attacks. Adopting actionable intelligence that gives visibility into the phishing attacks in your network, immediate and decisive responses to phishing threats, and a rapid and automatic quarantine of malicious emails will help keep threat actors at bay.”
Adam Marrè, CISO at Arctic Wolf, acknowledges the importance of vigilance in data privacy and protection, and provides a few steps for securing your data:
"It’s critical for consumers to stay vigilant as online platforms and social media apps, especially those that are free, still do come with a cost. Algorithms designed to direct users to apps, and keep them there longer, often work in manipulative ways that do not align with users’ best interests, collecting detailed and sensitive data that can be used to target people via phishing emails, propaganda, and/or controlling/accessing devices.
"Here are a few steps you can take to protect your data:
"Practice good cyber hygiene: use strong passwords, use a password manager, enable two-factor authentication, download security updates for apps and devices, and regularly check your accounts for suspicious logins or unrecognized devices.
"Beware of phishing, fraud, and other scams online. Not all attacks come through sophisticated techniques or malware. Stay alert and vigilant for phishing attempts through email, text message, phone calls, and direct messaging in apps.
"Know what information your apps and devices are collecting and where they are sending it. Examine terms and conditions, read reviews of the apps' privacy, or use the privacy features on your device. If the app is collecting information that you don’t want it to, be disciplined: delete the app and use the browser version instead. Or avoid the app entirely.
"Demand legislative action. We can use these current heightened data privacy concerns to motivate us to take collective action that will have a much more lasting and holistic effect than merely banning one specific app. Bills like the ADPPA have been proposed; contact your state legislators and demand they hold these data collectors accountable or prevent them from collecting data they don’t need.
"By implementing these best practices, consumers can take action to help maintain control over their own personal data privacy.”
Lisa Erickson, head of data protection product management at Veritas, explains three steps to help reduce ransomware privacy risks:
“Here are three things organizations can do to reduce data privacy risks associated with ransomware and other threats:
"Organize and assess your data. Understanding what kinds of data you have enables you to assess what it’s worth and who needs access to it. These, in turn, inform where it should be stored and how access is managed. Limiting access to only those who need it limits exposure in the event of an attack.
"Have a cross-functional response plan in place so you’re prepared to respond to a ransomware attack that involves sensitive data. As part of this, test your ability to quickly and even automatically take compromised storage devices offline to prevent sensitive data from being exfiltrated.
"Identify, categorize and remediate compromised data. With organized data and a response plan in place, you’ll be prepared to quickly identify what data, if any, has been compromised during an attack so you can make informed decisions about your next steps. You’ll be able to know, for example, if the bad actors took sensitive customer PII or simply next week’s lunch menu for the cafeteria."
Don Boxley, CEO and Co-Founder at DH2i, describes the Software Defined Perimeter as a networking connectivity approach that can replace outdated VPNs:
"Today, as organizations endeavor to protect data – their own as well as their customers’ – many still face the hurdle of trying to do so with outdated technology that was simply not designed for the way we work and live today. Most notably, many organizations are relying on virtual private networks (VPNs) for network access and security. Unfortunately, both external and internal bad actors are now exploiting VPNs’ inherent vulnerabilities. However, there is light at the end of the tunnel. Forward-looking IT organizations have discovered the answer to the VPN dilemma. It is an innovative and highly reliable approach to networking connectivity – the Software Defined Perimeter (SDP). This approach enables organizations to build a secure software-defined perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly connect all applications, servers, IoT devices, and users behind any symmetric network address translation (NAT) to any full cone NAT, without having to reconfigure networks or set up complicated and problematic VPNs. With SDP, organizations can ensure safe, fast and easy network and data access, while ensuring they adhere to internal governance and external regulatory compliance mandates.”
Steve Santamaria, CEO at Folio Photonics, describes the need for a secure and durable data storage solution:
“It is no secret that data is at the center of everything you do. Whether you are a business, a nonprofit, an educational institution, a government agency, or the military, it is vital to your everyday operations. It is therefore critical that the appropriate person(s) in your organization have access to the data they need anytime, anywhere, and under any conditions. However, it is of equal importance that you keep it from falling into the wrong hands.
"Therefore, when managing current and archival data, a top concern must be data security and durability, not just today but for decades upon decades into the future. The ideal data storage solution must offer encryption and WORM (write-once, read-many) capabilities. It must require little power and minimal climate control. It should be impervious to EMPs, salt water, high temps, and altitudes. And, all archive solutions must have 100+ years of media life and be infinitely backward compatible, while still delivering a competitive TCO. But most importantly, the data storage must have the ability to be air-gapped as this is truly the only way to prevent unauthorized digital access.”
Surya Varanasi, CTO at Nexsan, highlights the usefulness of an Unbreakable Backup solution in protecting against attacks on data:
“Digital technology has revolutionized virtually every aspect of our lives. Work, education, shopping, entertainment, and travel are just a handful of the areas that have been transformed. Consequently, today, our data is like gravity – it's everywhere.
"On Data Privacy Day, we are reminded of this fact, and the need to ensure our data’s safety and security. Cyber criminals have become increasingly aggressive and sophisticated, along with their ransomware and other malware. And now, the threat isn’t just that they will hold your data until payment, cyber criminals are now threatening to make personal and confidential data public, if not paid. It is therefore critical that cyber hygiene must include protecting backed up data by making it immutable and by eliminating any way that data can be deleted or corrupted.
"This can be accomplished with an advanced Unbreakable Backup solution, which creates an immutable, object-locked format, and then takes it a step further by storing the admin keys in another location entirely for added protection. With an Unbreakable Backup solution that encompasses these capabilities, users can ease their worry about the protection and privacy of their data, and instead focus their expertise on activities that more directly impact the organization’s bottom-line objectives.”
Andrew Russell, Chief Revenue Officer at Nyriad, notes the need for cyber leadership to balance performance and cost-effectiveness with constructive security solutions:
“Data Privacy Day serves as a great reminder of the value and power of data. In addition to your people, data is without question the most strategic asset of virtually any organization. Data and the ability to fully leverage, manage, store, share, and protect it, enables organizations to be successful across virtually every facet – from competitive advantage, to innovation, the employee experience, and customer satisfaction, to legal and regulations compliance competency.
"Consequently, savvy data management professionals recognize that while a storage solution that is able to deliver unprecedented performance, resiliency, and efficiency with a low total cost of ownership is priority number one to fully optimize data and intelligence for business success, they likewise need to ensure they have the ability to protect against, detect, and restore data and operations in the event of a successful cyber-attack in order to protect their data, for business survival.”
Brian Dunagan, Vice President of Engineering at Retrospect, describes the usefulness of a backup solution in mitigating cyber threat actor activity:
"As an IT professional, it is therefore critical that beyond protection, steps be taken to detect ransomware as early as possible to stop the threat and ensure their ability to remediate and recover. A backup solution that includes anomaly detection to identify changes in an environment that warrant the attention of IT is a must. In order to ensure its benefit, users must be able to tailor the backup solution’s anomaly detection to their business’s specific systems and workflows, with capabilities such as customizable filtering and thresholds for each of their backup policies. And, those anomalies must be immediately reported to management, as well as aggregated for future ML/analysis purposes.”
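The per-policy thresholds and filtering Dunagan describes can be shown as a small detector that a backup job runs after each pass. This is an added example written for this article, not Retrospect's code; the run summary format, the threshold names and the sample runs are all constructed assumptions. The sigma rule also learns each policy's own baseline from past runs, which goes a step beyond the fixed thresholds the quote mentions.

```python
"""Backup anomaly detection with per-policy thresholds and filtering.

Added example for this article; it is not Retrospect's code. The run
summary format, threshold names and the sample runs below are constructed
assumptions used to show the mechanism.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class BackupRun:
    """What a backup job reports after one run (assumed format)."""
    policy: str                 # backup policy this run belongs to
    total_files: int            # files present in the source at run time
    changed_paths: list[str]    # paths modified since the previous run
    deleted_paths: list[str]    # paths removed since the previous run


@dataclass
class PolicyThresholds:
    """Per-policy tuning knobs, so a log server and a file server can differ."""
    max_changed_ratio: float = 0.10        # alert above 10% of files modified in one run
    max_deleted_ratio: float = 0.05        # alert above 5% of files deleted in one run
    sigma: float = 3.0                     # alert when change count is >3 sigma over history
    min_history: int = 5                   # runs needed before the sigma rule is trusted
    ignore_prefixes: tuple[str, ...] = ()  # known high-churn paths excluded from counting


def _filtered(paths: list[str], prefixes: tuple[str, ...]) -> list[str]:
    """Drop paths under ignored prefixes (str.startswith accepts a tuple)."""
    return [p for p in paths if not p.startswith(prefixes)]


def detect_anomalies(run: BackupRun, history: list[int], t: PolicyThresholds) -> list[str]:
    """Return human-readable anomaly reasons for one run; an empty list means normal.

    `history` holds the filtered change counts of earlier runs of the same
    policy, which lets the sigma rule learn that policy's own baseline.
    """
    if run.total_files <= 0:
        return [f"{run.policy}: source reported no files"]
    changed = _filtered(run.changed_paths, t.ignore_prefixes)
    deleted = _filtered(run.deleted_paths, t.ignore_prefixes)
    reasons = []
    changed_ratio = len(changed) / run.total_files
    deleted_ratio = len(deleted) / run.total_files
    if changed_ratio > t.max_changed_ratio:
        reasons.append(f"{run.policy}: {changed_ratio:.0%} of files changed "
                       f"(policy limit {t.max_changed_ratio:.0%})")
    if deleted_ratio > t.max_deleted_ratio:
        reasons.append(f"{run.policy}: {deleted_ratio:.0%} of files deleted "
                       f"(policy limit {t.max_deleted_ratio:.0%})")
    if len(history) >= t.min_history:
        mu, sd = mean(history), pstdev(history)
        if sd > 0 and (len(changed) - mu) / sd > t.sigma:
            reasons.append(f"{run.policy}: {len(changed)} changed files is "
                           f"{(len(changed) - mu) / sd:.1f} sigma above this policy's baseline")
    return reasons


# --- constructed sample data -------------------------------------------------
FILESERVER = PolicyThresholds()                               # defaults for user data
LOGSERVER = PolicyThresholds(ignore_prefixes=("/var/log/",))  # logs churn by design
NORMAL_HISTORY = [100, 120, 110, 130, 140]                    # filtered change counts of past runs

NORMAL_RUN = BackupRun("fileserver-nightly", 10_000,
                       [f"/data/docs/report{i}.docx" for i in range(115)],
                       [f"/data/tmp/scratch{i}" for i in range(10)])
# 60% of the source modified in one night is the change volume a ransomware
# event produces; a nightly job must surface it before the next cycle.
MASS_CHANGE_RUN = BackupRun("fileserver-nightly", 10_000,
                            [f"/data/docs/report{i}.docx" for i in range(6_000)], [])
LOG_CHURN_RUN = BackupRun("logserver-nightly", 10_000,
                          [f"/var/log/app.{i}.log" for i in range(2_000)], [])


def demo() -> dict[str, list[str]]:
    """Run the constructed cases and return the anomaly reasons per case."""
    return {
        "normal": detect_anomalies(NORMAL_RUN, NORMAL_HISTORY, FILESERVER),
        "mass_change": detect_anomalies(MASS_CHANGE_RUN, NORMAL_HISTORY, FILESERVER),
        "log_churn_unfiltered": detect_anomalies(LOG_CHURN_RUN, NORMAL_HISTORY, FILESERVER),
        "log_churn_filtered": detect_anomalies(LOG_CHURN_RUN, NORMAL_HISTORY, LOGSERVER),
    }


if __name__ == "__main__":
    for case, reasons in demo().items():
        print(case, "->", reasons or ["no anomaly"])
```

The same log-churn run trips two rules under the file-server thresholds and none under the log-server policy, which is the point of per-policy filtering: without it, IT either drowns in false alerts or loosens the thresholds until a real mass-modification event slips through.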
Almog Apirion, CEO and Co-Founder of Cyolo, explains the useful functionality of identity-based access control:
"Strong data privacy is more critical than ever — particularly in response to the recent growth of cyberattacks and the expansion of data perimeters due to hybrid work. One way of mitigating today's vulnerabilities is to provide rigorous identity-based access control. To safeguard themselves, enterprises' collaboration and communications tools require a robust zero-trust framework to protect all forms of user data. Identity-based access control enables businesses to strengthen their security posture while also gaining visibility and control over their most critical systems. The reality is that hackers today don’t break in, they log in. Enterprises can get complete control and visibility of their entire IT infrastructure while mitigating against advanced threats by implementing a modern zero-trust solution and adopting stringent authentication requirements. As more risks emerge, organizations will be more prepared than ever to counter threats and safeguard data and business-critical infrastructure.”
Christopher Rogers, technology evangelist at Zerto, calls continuous data protection-based recovery solutions vital in the cyberattack-ridden landscape of today:
"When it comes to ransomware, the biggest financial killer is the downtime. Therefore, having a disaster recovery solution based on continuous data protection (CDP) in conjunction with backup is vital to equip companies with the ability to be resilient in the face of potentially catastrophic circumstances. Companies using CDP can limit downtime and restore operations in a matter of seconds or minutes, rather than days or weeks.
"This Data Protection Day, I want to encourage businesses to not only look at what they can be doing to protect themselves but also what solutions they have in place to recover should disaster strike."
Patrick Harr, CEO of SlashNext, highlights AI-based technology as a strong defense against phishing:
"New technologies, such as ChatGPT and other generative AI technologies, enable threat actors to supercharge their attacks. They can modify the attacks in millions of different ways in minutes and with automation, delivering these attacks quickly to improve compromise success.
"The best defense to protect against phishing is to be one step ahead of the attackers. New AI-based platforms use generative AI technology to auto-generate new variants of threats to predict millions of variations of new attacks that might enter the organization.”
Chris Vaughan, VP, Technical Account Management at Tanium, notes the need for visibility into every corner of an organization’s data to prevent it from falling into the wrong hands:
"There are examples of recent data breaches that have had severe impacts, with some threatening the possible disclosure of sensitive information such as health records. It is vital that organizations have full visibility over the data they hold as well as an understanding of where it is located to reduce the possibility of costly breaches occurring - or, if they do occur, to minimize potential damage.
"It is also essential that IT teams have a clear strategy that they adhere to on the location of data and how it is secured, whether they are using a cloud or on-premises environment, so that any weak points and vulnerable devices can be identified and fixed before an incident takes place. Detecting unusual activity and unauthorized access to a company’s systems is only possible with a high level of visibility and control.
"In a world where people are very often working from home using their personal devices, every organization now needs a comprehensive zero trust model that assumes all new devices and users are considered suspicious until proven otherwise. However, this alone is not enough. Organizations often think that creating a zero-trust framework is a ‘one-and-done’ process. In reality, it is an interactive journey that must be reassessed at every step of the way. Cloud solutions often have a tool set that can continuously check the state of endpoints and attest to them much more readily, as long as they are switched on.
"Through a zero-trust approach and the use of effective tools to gain visibility of IT environments, organizations will give themselves the best chance of avoiding costly breaches in 2023."
Rehan Jalil, President & CEO at Securiti, highlights the necessity of an effective platform for employees to work from:
"As cyberattacks continue to evolve – in number, scope and sophistication – Data Privacy Day serves as a reminder to organizations to shore up their security strategies and ensure appropriate privacy controls are in place. To ensure the valuable data that organizations store in their internal ecosystems is properly protected, they must implement a thorough and effective approach to privacy. This starts with an accurate understanding of what personal data is stored across the various data systems within an organization. Next is understanding the privacy laws that apply to their employees and customers in any given region. It is further critical that organizations implement formal policies and procedures to properly govern this sensitive data and honor privacy rights of individuals.
"As we reflect on this year’s Data Privacy Day motto - ‘STOP. THINK. CONNECT.’ – organizations must pay special attention to their current cybersecurity controls and ensure their security teams have the tools they need to be successful. Robust platforms that offer sensitive data intelligence, data security posture management, data access governance, data breach management, data subject rights and a full suite of PrivacyOps capabilities are any organization’s best bet for a holistic and unified approach to comply with regulatory requirements."
Jonathan Knudsen, Head of Global Research at the Synopsys Cybersecurity Research Center (CyRC), encourages consumers to adjust their expectations as necessary:
“Privacy can only happen when the confidentiality and integrity of data are protected. In software, the only way to effectively protect data is by making security part of every phase of development, from design through implementation, testing, and deployment—thus, building trust directly into the software they build, rely on, and offer to customers.
"For consumers, making informed decisions about privacy can be daunting. It’s nearly impossible to know if the creator of a particular piece of software was careful about privacy when they were designing and building the software. Furthermore, a software vendor’s desire to monetize user data might mean that user expectations around privacy will far exceed what’s laid out in the terms and conditions.
"One of the best ways consumers can protect themselves is by adjusting their expectations. For many applications, especially social media and other “free” services, users should not assume any level of privacy. When services are free, consumers are the product, and any data they enter into such a service is likely to be used and monetized as much as the terms and conditions allow.
"When circumstances call for a higher assurance of privacy, consumers will need to conduct their own research to assess the risks of different vendors.”
Chris Lehman, CEO of Safeguard Cyber, provides steps consumers can take to reclaim data privacy:
"SafeGuard Cyber believes the steps that users should take to reclaim their privacy and their data on this Data Privacy Day are:
"1. Double down on transparency: Enterprise teams need to prioritize clarity in articulating their plans for monitoring business communications on apps like WhatsApp and Telegram. Where possible, employees should be involved as stakeholders in the planning process. Some companies and employees may agree on managed corporate devices, while smaller, more nimble teams may decide personal devices are fine.
"2. Establish clear guardrails: From the planning and buy-in stages, companies need to set clear policies on what can and should be communicated on mobile messaging channels. This should also include clear guidance on what will be monitored and how. Will the information be archived? If so, for how long?
"3. Give employees the choice to opt IN. Transparency is the foundation of trust. After articulating the plan, after negotiating the terms, finally employees must be given a choice."
Jamie Boote, Associate Principal Security Consultant, Synopsys Software Integrity Group, advises limited data sharing:
“We should all take this Data Privacy Day to reflect on what data we are disclosing and to whom. In this age where hacks and data leaks make headlines every week, it’s important to be aware of what data we trust with third parties. The best way to not suffer data loss when third parties get breached is to not share it in the first place. If you do have to share your data, ensure that the company or website you are sharing it with absolutely has to have it to provide services to you. It’s also important to limit what applications you install on your phone, as the latest face morphing app or free game will make more money selling your data than it does selling services to you. As always, enable 2FA wherever possible, don’t reuse passwords, and be mindful of what can happen on the internet.”
Justin McCarthy, co-founder and CTO at StrongDM, advises a holistic approach to data privacy:
“Data Privacy Day is the perfect opportunity to take a step back and consider your data privacy initiatives holistically. That means asking yourself questions like, ‘are we maintaining the highest standards of data privacy?’ ‘are we taking the right steps to protect data against data leaks?’ ‘have we done our due diligence to ensure that unauthorized access–whether from internal or external individuals–is prevented?’
"For example, you've set up data classifications. You've determined who needs access. But are you validating that credentials have not been put into code? Do you have credentials sitting in your repos that might not have the same level of access scrutiny as admins or privileged users? Is production data going into dev or staging environments that have loose access oversight? How long would it take for you to determine all the people who have had the ability to access a database, who accessed it, and what they did? Can you even do that?
"Data privacy also means protecting how data is accessed, and data privacy initiatives must also account for that. That means ensuring that only authorized users have secure access to sensitive data and systems, and that you’re moving towards just-in-time access or Zero Standing Privileges–across network resources, provisioning and deprovisioning, and especially for temporary users that have access to sensitive information. All of this requires fine-grained observability and auditability across all your systems.”
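McCarthy's question about credentials sitting in repos is one a team can answer mechanically, by scanning committed text for secret-shaped literals before it reaches a shared branch. The following is an added example for this article, not StrongDM's code; the rule names, the placeholder allow-list and the sample files are constructed assumptions, and the scanner is deliberately minimal compared with a production secret scanner.

```python
"""Scan source and config text for credentials that should not be in a repo.

Added example for this article, not StrongDM's code. The rule names, the
placeholder allow-list and the sample files below are constructed assumptions.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Rules: a well-known access-key-id shape, PEM private-key headers, and a
# generic "<...>password/secret/key/token = '<literal>'" assignment.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_secret_assignment": re.compile(
        r"(?i)\w*(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{6,})['\"]"),
}
# Literal values that are documentation rather than credentials (assumed list).
PLACEHOLDER_MARKERS = ("example", "changeme", "placeholder", "your-", "<", "${", "xxx")


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str
    entropy: float   # Shannon entropy in bits per character, for triage ordering


def shannon_entropy(s: str) -> float:
    """Bits per character: long random keys score high, dictionary words low."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, skipping obvious placeholders."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if any(marker in value.lower() for marker in PLACEHOLDER_MARKERS):
                continue
            findings.append(Finding(path, line_no, rule, line.strip(),
                                    round(shannon_entropy(value), 2)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (what a pre-commit hook would feed in)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository; the key id is a synthetic value in the AKIA shape.
SAMPLE_FILES = {
    "config.py": 'DEBUG = True\nDB_PASSWORD = "hunter2"\n',
    "settings.yml": "region: us-east-1\naws_access_key_id: AKIA0123456789ABCDEF\n",
    "deploy_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n(key material omitted in this constructed sample)\n",
    ".env.example": 'API_KEY="your-api-key-here"\n',          # placeholder, should not fire
    "db.py": 'import os\npassword = os.environ["DB_PASSWORD"]\n',  # secret comes from env, fine
}


if __name__ == "__main__":
    for f in sorted(scan_files(SAMPLE_FILES), key=lambda f: -f.entropy):
        print(f"{f.path}:{f.line_no} [{f.rule}] entropy={f.entropy} :: {f.snippet}")
```

Only the three real leaks are reported; the `.env.example` placeholder and the environment-variable lookup in `db.py` pass. Running this kind of check in a pre-commit hook or CI step is the cheap way to make "are credentials in our code?" a question with a continuously verified answer rather than an occasional audit.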
Matt Rider, VP of Security Engineering EMEA at Exabeam, argues that data protection and cybersecurity cannot be separated:
“Today, data protection is inextricably entwined with cybersecurity. With the average number of attacks per organisation worldwide reaching over 1,130 weekly in Q3 2022, sensitive personal data has never been more at risk. And, while cybersecurity typically focuses on keeping systems secure against attacks, data protection has a vital part to play. It brings together efforts from across an organisation to ensure that data is kept safe as well as compliant with the latest regulations – regulations which take centre stage in the event of a successful cyber attack, bringing us back to cybersecurity.
"Part of having strong data protection measures in place involves knowing where your data is stored and who is accessing it at any given time. IT teams can use tools such as User and Entity Behaviour Analytics (UEBA) to monitor these patterns and learn what a normal day looks like for their organization when it comes to the data flowing within it. If access is attempted by a malicious actor – whether internal or external – the IT team can be alerted to this anomaly and work quickly to shut down systems and prevent the attacker from digging any deeper. This can be further supported by employees being aware of and following the latest data protection best practices, which makes it easier for the IT team to spot any unexpected behavior.
“Data protection and cybersecurity – you can’t have one without the other. So, when considering how to bolster your cybersecurity defenses, make sure that data protection is top of mind; otherwise, you’re leaving an open goal for any skilled attackers taking advantage of a blind spot.”
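Rider's description of UEBA, learning what a normal day looks like for each user and alerting on departures from it, can be shown with a small baseline model over access logs. This is an added example for this article, not Exabeam's product logic; the log line format, the field names and the sample events are constructed assumptions.

```python
"""UEBA-style baseline of who accesses which data, from where and when.

Added example for this article, not Exabeam's product logic. The log line
format, field names and sample events below are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed access-log format: "<ISO timestamp> user=<id> src=<host> res=<data store>"
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2} "
    r"user=(?P<user>\S+) src=(?P<src>\S+) res=(?P<res>\S+)$")


@dataclass
class AccessEvent:
    user: str
    src: str    # source host or address
    hour: int   # hour of day, 0-23
    res: str    # data store that was accessed


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user over the learning window."""
    srcs: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    resources: set = field(default_factory=set)


def parse_line(line: str) -> Optional[AccessEvent]:
    """Parse one log line; malformed lines are skipped rather than guessed at."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AccessEvent(m["user"], m["src"], int(m["hour"]), m["res"])


def learn_baseline(lines: list[str]) -> dict[str, UserBaseline]:
    """Build the per-user picture of normal sources, hours and data stores."""
    baseline: dict[str, UserBaseline] = defaultdict(UserBaseline)
    for line in lines:
        e = parse_line(line)
        if e:
            b = baseline[e.user]
            b.srcs.add(e.src)
            b.hours.add(e.hour)
            b.resources.add(e.res)
    return dict(baseline)


def score(event: AccessEvent, baseline: dict[str, UserBaseline]) -> list[str]:
    """Return the ways this event departs from the user's baseline (empty = normal)."""
    b = baseline.get(event.user)
    if b is None:
        return ["no baseline for this user"]
    reasons = []
    if event.src not in b.srcs:
        reasons.append(f"new source {event.src}")
    if not any(abs(event.hour - h) <= 1 for h in b.hours):   # allow one hour of drift
        reasons.append(f"off-hours access at {event.hour:02d}:00")
    if event.res not in b.resources:
        reasons.append(f"first access to {event.res}")
    return reasons


def triage(lines: list[str], baseline: dict[str, UserBaseline]) -> list[tuple[str, list[str]]]:
    """Score new log lines and return only the anomalous ones with their reasons."""
    flagged = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons = score(e, baseline)
        if reasons:
            flagged.append((line, reasons))
    return flagged


# Constructed learning window: two users, each with a steady pattern.
LEARNING_LOG = [
    "2023-01-09T09:14:02 user=alice src=10.0.1.12 res=customer-db",
    "2023-01-09T10:41:55 user=alice src=10.0.1.12 res=customer-db",
    "2023-01-10T14:03:19 user=alice src=10.0.1.12 res=customer-db",
    "2023-01-10T16:30:00 user=alice src=10.0.1.12 res=customer-db",
    "2023-01-09T08:05:10 user=bob src=10.0.2.7 res=hr-db",
    "2023-01-10T17:20:44 user=bob src=10.0.2.7 res=hr-db",
]
# Constructed new day: one normal event, one that departs on every axis,
# one unknown account, and one malformed line.
NEW_LOG = [
    "2023-01-11T11:02:13 user=alice src=10.0.1.12 res=customer-db",
    "2023-01-11T03:12:09 user=alice src=203.0.113.5 res=hr-db",
    "2023-01-11T08:45:00 user=carol src=10.0.3.3 res=customer-db",
    "not a log line",
]

if __name__ == "__main__":
    for line, reasons in triage(NEW_LOG, learn_baseline(LEARNING_LOG)):
        print(line, "->", "; ".join(reasons))
```

The second alice event is the one an IT team would want paged on: a known account reaching a data store it never touched, from an address it never used, at 03:00. A real UEBA deployment learns these baselines from weeks of events and weights the signals, but the decision structure is the same, and it only works if the access logs for every data store are actually collected, which is the visibility point Rider makes.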