Data Privacy Day: They really are after your personal data.
Jan 28, 2022

Even the paranoid have enemies, and in this case you don't have to be paranoid to think the hoods are after your data. Rest assured, they are.

We’ve received many comments on Data Privacy Day from industry leaders and experts. Here are some reflections on the threat to privacy.

The threat to privacy: they really are coming after your data.

Gorka Sadowski, chief strategy officer, Exabeam, points out that this is a good time to reflect on the threat criminals pose to privacy:

“Every year, Data Privacy Day is a timely reminder that organizations are custodians of our private information and that they must do everything in their power to protect our data from misuse and unauthorized leaks. Right now, information exfiltration via ransomware and insider threat seems to be rampant. The security community must better work together and prioritize innovation and collaboration above competition to fight our shared cyber enemies.

“As global ransomware payments skyrocket, it proves that cybercriminals are willing to collaborate and pool resources with other threat actors to develop new ways to breach organizations around the world. Our greatest hope in defeating such highly coordinated cyberthreats is to become united in fending off their multifaceted attacks. To that end, I’m pleased to see governments finally mobilizing against cyber adversaries to prevent devastating consequences on companies in both the public and private sectors.

“In addition to the various laws and mandates that preserve privacy and data standards for individuals, we remain committed to showing the world that cybersecurity is really a team sport. Our XDR Alliance was created to foster an open approach to extended threat detection, investigation and response (TDIR) for security teams everywhere. As the founding organization, we believe that a unified approach to fighting cybercrime is the future to stopping the adversaries from gaining new ground.”

Lex Boost, CEO of Leaseweb USA, notes the cost of data breaches: 

“IBM recently reported that 2021 saw the highest average cost of a data breach in 17 years, with the cost rising from $3.86 million in 2020 to $4.24 million. As a result, data protection has been getting more attention than it ever has before. The headlines consistently permeating the news might be a source of dread for IT administrators and their teams, but luckily, they are not alone. Choosing the right hosting provider can help tremendously. 

“Many hosting providers are picking up their proverbial swords and helping the fight against cyber adversaries. The right hosting provider can deliver extra protection by offering 24/7 security-related support services to act as an extra set of eyes against attackers. In addition, hosting providers can also provide standard security training for employees so that they can become more cyberaware. 

“Data Privacy Day should serve as a reminder to choose hosting providers who are willing to enter the battle against adversaries and safeguard your data.”

Doug Dooley, COO at Data Theorem, hopes assaults on personal data move organizations to address the risk:

“There is hope that Data Privacy Day brings added attention to what organizations can or should do to protect sensitive information from data breaches. During the lockdown periods of the pandemic, we have witnessed the growing number of several high-profile attacks including software supply chain, ransomware, cloud hacks, and the most common Enterprise data breach vector of web-app and API attacks. In 2022, organizations are likely to see that API-centric attacks will represent the most significant loss of privacy and large-scale (1M+ records) data breaches. Modern applications are mobilizing and monetizing data most often through the use of APIs and attackers are exploiting the lack of observability and protection controls most APIs have today. Every new cloud service, mobile application and modern web application are enabled through APIs. However, most Enterprises have no ability to generate an inventory of all their APIs, much less the privacy and security controls necessary to protect their data. This is a time of opportunity for hackers to exploit large amounts of data and violate privacy. Let today be a reminder that we have plenty more to do to protect our data privacy.”

And this comment from Pete Starr, Director of Customer Engineering at Cyren, came in late Friday, 1.28.22:

“Phishing and other forms of social engineering attacks represent great opportunities for cyber criminals. The primary motivation behind every phisher is the procurement of credentials that unlock an organisation’s vault of sensitive information or gain access to critical systems. With standard phishing attacks, attackers can easily access data with very minimal effort, but with very high reward. With that being said, we have also recently seen an increase in adversaries directly pursuing the high-value information such as bank details or social security numbers, rather than going for the easy targets like usernames and passwords. This information may be harder to access, but the profitable rewards are well worth some additional effort.

“While phishing is often deployed as a single-step attack, it also features in more complex, multistage attacks. Phishing is usually the first step – as the technique used to gain initial access to the network – but it is then followed by a second stage with a different objective, like the launch of a ransomware attack for example. The main purpose of these attacks is to steal data and credentials and use the stolen information for monetary gain. These multi-stage attacks can be extremely damaging for businesses, but it all starts with a simple phishing email. So how do they even gain access?

“We are often told that the weakest link in an organisation is its people. Unfortunately, cyber criminals know this, and employees are a great vector for the cyber criminals to launch a phishing attack in order to gain access to the organisation’s data and sensitive information. Teaching employees how to recognise the signs of a phishing attack with security awareness training and then equipping them to apply those learnings in practice will be highly effective against criminals’ social engineering techniques.

“Organisations need to learn that their employees will be the target of phishing attacks, and that some may get through. So instead of focusing on prevention, they need to know how to remediate and further protect their network and future employees from falling victim to the same attack. There are several other forms of protection against phishing attacks that organisations can deploy as well to ensure data is protected. As a starting point, businesses should consider deploying an email security solution that analyses the email content to determine whether it’s genuine. The in-built email filters can deliver high-speed detection for a wide selection of incoming threats, such as malware, spam, and any well-known phishing URLs. These defences can be strengthened with specialist layers of detection that learn and identify more advanced threats by using machine learning and natural language processing.

“By adopting measures, investing in the right solutions, and ensuring our employees understand the value of our data, we can make the difference between a contained phishing email, and a serious cyber attack that causes significant damage with customer data leaked for all to see.”