Data Privacy Day: Where's privacy protection heading?
Jan 28, 2022

Expect more requirements for informed consent.


So where is privacy heading? Expect some familiar data collection methods to fade away, and expect informed consent to become increasingly the norm. We heard from industry leaders who shared their thoughts on the direction of data privacy protection.

Like it or not, consent is the future of data availability.

Rohini Sen, Global Head of Audience Intelligence at Quantcast, wrote a brief obituary for the cookie:

“Current and future data privacy policies, along with the death of the third-party cookie, will have a major impact on the availability of consumer data that most digital advertising campaigns are built on today. As a result, brands will have no choice but to rely on first-party data fueled by consumer consent. 

“Prior to the deprecation of third-party cookies, marketers were reliant on third-party data, which was often stale and unreliable. A privacy-first approach requires marketers to embrace the opportunities offered by first-party data, as well as cohorts, contextual and more. Those who seize these solutions can reap the competitive advantage of access to new audiences, more inventory, and more scaled advertising results.”

Ricardo Amper, CEO and founder of Incode, takes up one particular biometric technology. Expect to see the growing importance of consent to the use of facial recognition:

“There are a lot of misconceptions about how facial recognition technology is currently used. However, despite the reported privacy mishaps and concerns, there is a true inclination among consumers to embrace this technology. Trust is essential and is often missing when consumers aren’t in the forefront of the conversation around privacy.

“The individual must be put first, which means getting their consent. The more an individual feels that they can trust the technology, the more open they will be to using it in additional capacities.”

Where is data privacy heading?

Juan Perez-Etchegoyen, CTO of Onapsis, looks to the past as foreshadowing the near future:

“There was one headline-grabbing data breach after another last year, as the value placed on data continued to rise. Data Privacy Day serves as an important reminder for organizations across industries to ensure they are taking a proactive approach to governance, risk and compliance to keep employee and customer data out of the hands of bad actors. This includes making certain security teams have complete visibility into business-critical application security, including apps delivered through SaaS, PaaS, and IaaS cloud service models.

“Business-critical applications, like those from SAP, Oracle, and Salesforce, contain vital data (customer, financial, product, employee, etc.) that keep organizations running. While these apps have revolutionized how businesses worldwide operate, they can introduce unnecessary risk if not properly managed and secured. Misconfigurations, unauthorized or excessive privileges, and other vulnerabilities can lead to data breaches that take company operations offline, put employees and customers at risk for further compromise and tarnish a company’s reputation.

“What’s more, a number of reasons are contributing to making these business-critical applications more vulnerable than ever: (a) diverse stages of digital transformation processes (these applications are in various stages of transformation); (b) remote work and availability from anywhere have made them more accessible from outside of the organization’s four walls; (c) these applications are being increasingly connected to an increasing number of applications on-premises and in the cloud; and finally (d) the new technologies that support these applications are increasingly complex and, if not properly managed, could introduce additional risks.

“As organizations continue to move applications to the cloud or third-party services, they must recognize their attack surface is expanding. These apps share sensitive information with other applications, which leads to interconnected risk. In an interconnected risk environment, one misconfigured system or security vulnerability can put the entire enterprise at risk. Companies should adopt a comprehensive vulnerability management solution to protect their business-critical applications by providing deeper visibility, automated assessments, detailed solutions, and descriptions of associated risk and business impact. Timely patching is critical for ensuring business applications and data aren’t compromised.

“It’s also important to note that the data stored in business-critical applications like SAP is heavily regulated, which means that we are not just talking about cyber risks, but compliance and legal risks, including potential fines and liability to the company and in some cases its executives.

“Additionally, organizations traditionally must invest significant resources for audits to ensure they are protected and in compliance. Organizations should seek out automated solutions to streamline the auditing of IT controls. This process will reduce the overall risk profile of business-critical applications and, thereby, the organization, as well as free up valuable employee resources. It will also help organizations achieve more accurate risk reporting (eliminating human error) and avoid surprises by proactively assessing systems against regulatory requirements.”

Wherever it goes, it’s not going to be getting any easier. Adrian Moir, Technology Strategist and Principal Engineer at Quest Software, provided an extended take on an increasingly important and increasingly ramified challenge:

“Data privacy is becoming more important due to the increase in data risk and loss of business information. With Microsoft Exchange, Kaseya, and even Log4j at the end of the year, organizations are recognizing the business need for data privacy. The very widespread adoption of vulnerable technology throughout the information and data industry causes ripples everywhere like a boulder being dropped into a lake. The ensuing responses seemed to happen very quickly with a distinct pattern of ‘inform, fix, patch, re-assure’. But, maybe there is some light at the end of the tunnel.

“Regulatory elements such as the privacy of data itself and the levels of intrusion, data scraping and ransomware events seem to continue unabated. However, we have seen traction in the right direction this year, including multiple new policies emerging affecting privacy in different areas of the globe, such as CPRA, China’s Personal Information Protection Law, and ColPA. Next year is likely to bring some simplification to the UK GDPR policy and deal with cross-border data movement. Looking toward the future, we’re likely to see the way data is perceived, used, and regulated increase and become more refined.

“Attack vectors are constantly evolving, so these regulatory changes are driving a more involved process around security. An increasing number of organizations have a dedicated security team assessing technology before it is purchased and deployed. Recently the REvil team was arrested for their alleged activities and gave us some hope for a light at the end of the tunnel. Ransomware actors’ favorite payment method also came under a little attack recently from both India and Russia, so perhaps we’ll see cryptocurrencies come under regulation from nation-state banking. Depending on whether this trend increases or matures into full-blown regulation might be the first warning signs that potential hackers may not have the level of anonymity in ransom transactions that they have been used to.

“This leads businesses to recognize the need for cyber-insurance to help the nature of uncertainties that can impact data at any time. However, the insurance companies are also stepping up their game by insisting on certain protective measures. Backup now must be ‘immutable’, have multiple copies, have air-gapped solutions, and have multi-factor authentication (MFA). The insurance companies are asking their customers to adequately demonstrate their policies and technologies they have deployed. Without these, businesses will either not be able to get cyber-insurance or their premiums will be substantially higher due to increased risk.

“These changes are driving organizations to invest in their security posture to assess technology before it is purchased and deployed. Simple business need discussions are no longer enough, since everything has to go through the security team, proving data privacy and protection are an essential business need. 

“As 2022 begins, it’s not time to let up, sit back or think you’re done protecting your data and users’ privacy. In the words of Jean-Luc Picard, ‘Shields Up’.”

(We’d have quoted James Tiberius Kirk, but Monsieur Picard is OK by us, too. Engage.)