Securing data privacy starts with implementing best practices. Here are some that experts recommend.
Data Privacy Day: Best practices for protecting privacy.
This past week was Data Privacy Week, and Sunday, January 29th, marked the observance of Data Privacy Day. Experts discuss the increased risks that cyberattacks pose to data privacy, the important role employees play in an organization’s data protection, and the best practices and solutions that improve data security posture. In this article we collect advice from industry on best practices for securing and protecting data.
Privacy protection as an exercise in risk management.
Privacy protection is in part an exercise in risk management, and there’s no single solution that can be applied to every organization in every situation. Andrew Russell, Chief Revenue Officer at Nyriad, notes the need for cyber leadership to balance performance and cost-effectiveness with constructive security solutions:
“Data Privacy Day serves as a great reminder of the value and power of data. In addition to your people, data is without question the most strategic asset of virtually any organization. Data and the ability to fully leverage, manage, store, share, and protect it, enables organizations to be successful across virtually every facet – from competitive advantage, to innovation, the employee experience, and customer satisfaction, to legal and regulations compliance competency.
"Consequently, savvy data management professionals recognize that while a storage solution that is able to deliver unprecedented performance, resiliency, and efficiency with a low total cost of ownership is priority number one to fully optimize data and intelligence for business success, they likewise need to ensure they have the ability to protect against, detect, and restore data and operations in the event of a successful cyber-attack in order to protect their data, for business survival.”
Tilo Weigandt, COO and co-founder of Vaultree, discusses the importance of individualized approaches to data protection:
“It is important to note that data privacy is a complex issue and there is no one-size-fits-all solution. For example, a zero-trust framework powered by AI and machine learning is not the only solution to best protect your data. Other approaches include using encryption, implementing strict access controls, and regular monitoring and auditing systems.”
It’s worth bearing this complexity in mind as you consider the risk to data privacy in your organization.
Best practices for protecting against business email compromise.
Tonia Dudley, CISO at Cofense, notes the impact of business email compromise (BEC) and phishing attacks, and highlights the need for actionable intelligence adoption to mitigate inbox threats:
“One of the most important things that people need to realize is that the actors behind business email compromise (BEC) are involved in multiple types of attacks. A recent report published by IBM shared that both BEC and phishing are the leading cause of data breaches.
"Business email compromise amounts to an estimated $500 billion-plus annually that’s lost to fraud. That’s billions lost to unemployment fraud. Billions lost to romance scams, real estate cons, advanced-fee fraud and dozens of other crimes affecting hundreds of thousands of victims. These victims not only lose money, but valuable private information is also stolen as a result of successful business email compromises.
"Data Privacy Day serves as a good reminder that organizations need to take necessary steps to protect inboxes, detect threats, and respond to attacks. Adopting actionable intelligence that gives visibility into the phishing attacks in your network, immediate and decisive responses to phishing threats, and a rapid and automatic quarantine of malicious emails will help keep threat actors at bay.”
Phishing, like business email compromise, is a special case of social engineering. Patrick Harr, CEO of SlashNext, highlights AI-based technology as a strong defense against phishing:
"New technologies, such as ChatGPT and other generative AI technologies, enable threat actors to supercharge their attacks. They can modify the attacks in millions of different ways in minutes and with automation, delivering these attacks quickly to improve compromise success.
"The best defense to protect against phishing is to be one step ahead of the attackers. New AI-based platforms use generative AI technology to auto-generate new variants of threats to predict millions of variations of new attacks that might enter the organization.”
Ransomware poses a threat to data privacy.
Double extortion ransomware attacks, in which data are not only encrypted but also stolen, now present a direct threat to privacy. Lisa Erickson, head of data protection product management at Veritas, explains three steps to help reduce ransomware privacy risks:
“Here are three things organizations can do to reduce data privacy risks associated with ransomware and other threats:
"Organize and assess your data. Understanding what kinds of data you have enables you to assess what it’s worth and who needs access to it. These, in turn, inform where it should be stored and how access is managed. Limiting access to only those who need it limits exposure in the event of an attack.
"Have a cross-functional response plan in place so you’re prepared to respond to a ransomware attack that involves sensitive data. As part of this, test your ability to quickly and even automatically take compromised storage devices offline to prevent sensitive data from being exfiltrated.
"Identify, categorize and remediate compromised data. With organized data and a response plan in place, you’ll be prepared to quickly identify what data, if any, has been compromised during an attack so you can make informed decisions about your next steps. You’ll be able to know, for example, if the bad actors took sensitive customer PII or simply next week’s lunch menu for the cafeteria."
The role of secure backup in data privacy.
The ransomware threat highlights the importance of secure backup. That’s not the only reason to back up data, of course, but ransomware makes the value of backup easy to see.
Steve Santamaria, CEO at Folio Photonics, describes the need for a secure and durable data storage solution:
“It is no secret that data is at the center of everything you do. Whether you are a business, a nonprofit, an educational institution, a government agency, or the military, it is vital to your everyday operations. It is therefore critical that the appropriate person(s) in your organization have access to the data they need anytime, anywhere, and under any conditions. However, it is of equal importance that you keep it from falling into the wrong hands.
"Therefore, when managing current and archival data, a top concern must be data security and durability, not just today but for decades upon decades into the future. The ideal data storage solution must offer encryption and WORM (write-once, read-many) capabilities. It must require little power and minimal climate control. It should be impervious to EMPs, salt water, high temps, and altitudes. And, all archive solutions must have 100+ years of media life and be infinitely backward compatible, while still delivering a competitive TCO. But most importantly, the data storage must have the ability to be air-gapped as this is truly the only way to prevent unauthorized digital access.”
Surya Varanasi, CTO at Nexsan, highlights the usefulness of an Unbreakable Backup solution in protecting against attacks on data:
“Digital technology has revolutionized virtually every aspect of our lives. Work, education, shopping, entertainment, and travel are just a handful of the areas that have been transformed. Consequently, today, our data is like gravity – it's everywhere.
"On Data Privacy Day, we are reminded of this fact, and the need to ensure our data’s safety and security. Cyber criminals have become increasingly aggressive and sophisticated, along with their ransomware and other malware. And now, the threat isn’t just that they will hold your data until payment, cyber criminals are now threatening to make personal and confidential data public, if not paid. It is therefore critical that cyber hygiene must include protecting backed up data by making it immutable and by eliminating any way that data can be deleted or corrupted.
"This can be accomplished with an advanced Unbreakable Backup solution, which creates an immutable, object-locked format, and then takes it a step further by storing the admin keys in another location entirely for added protection. With an Unbreakable Backup solution that encompasses these capabilities, users can ease their worry about the protection and privacy of their data, and instead focus their expertise on activities that more directly impact the organization’s bottom-line objectives.”
Brian Dunagan, Vice President of Engineering at Retrospect, describes the usefulness of a backup solution in mitigating cyber threat actor activity:
"As an IT professional, it is therefore critical that beyond protection, steps be taken to detect ransomware as early as possible to stop the threat and ensure their ability to remediate and recover. A backup solution that includes anomaly detection to identify changes in an environment that warrant the attention of IT is a must. In order to ensure its benefit, users must be able to tailor the backup solution’s anomaly detection to their business’s specific systems and workflows, with capabilities such as customizable filtering and thresholds for each of their backup policies. And, those anomalies must be immediately reported to management, as well as aggregated for future ML/analyzing purposes.”
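The per-policy, tunable anomaly detection Dunagan describes is straightforward to prototype. The following Python is an added example, not Retrospect's code and not from the original article: it learns a per-policy baseline of how many files normally change between runs, and then flags a current run that breaches either the learned baseline or a policy-specific threshold. It goes slightly beyond the quote by also counting previously unseen file extensions and high-entropy changed files, two signals commonly associated with files being encrypted in place. All run records, field names and default thresholds are constructed assumptions for illustration.

```python
"""Per-policy anomaly detection over backup-run statistics.

Added example, not Retrospect's code. Every run record below is constructed,
and the field names and default thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class BackupRun:
    policy: str                # backup policy / job name
    files_changed: int         # files modified or added since the previous run
    files_total: int           # files covered by the policy
    new_extensions: int        # extensions never seen under this policy before
    high_entropy_ratio: float  # fraction of changed files whose bytes look random


@dataclass(frozen=True)
class Threshold:
    sigma: float              # allowed standard deviations above the mean change count
    max_change_ratio: float   # files_changed / files_total
    max_high_entropy: float   # high_entropy_ratio
    max_new_extensions: int


DEFAULT = Threshold(sigma=3.0, max_change_ratio=0.10, max_high_entropy=0.30, max_new_extensions=0)


def build_baseline(history):
    """Mean and population stdev of files_changed for each policy."""
    by_policy = defaultdict(list)
    for run in history:
        by_policy[run.policy].append(run.files_changed)
    return {p: (mean(v), pstdev(v)) for p, v in by_policy.items()}


def detect_anomalies(history, current, overrides=None):
    """Return [(policy, [reason, ...])] for runs that breach their policy's thresholds."""
    overrides = overrides or {}
    baseline = build_baseline(history)
    findings = []
    for run in current:
        t = overrides.get(run.policy, DEFAULT)
        reasons = []
        if run.policy in baseline:
            mu, sd = baseline[run.policy]
            # A flat history gives sd == 0; still require at least a doubling before alerting.
            limit = max(mu + t.sigma * sd, 2 * mu)
            if run.files_changed > limit:
                reasons.append(f"files_changed {run.files_changed} exceeds baseline limit {limit:.0f}")
        if run.files_total and run.files_changed / run.files_total > t.max_change_ratio:
            reasons.append(f"change ratio {run.files_changed / run.files_total:.2f} > {t.max_change_ratio}")
        if run.high_entropy_ratio > t.max_high_entropy:
            reasons.append(f"high-entropy ratio {run.high_entropy_ratio:.2f} > {t.max_high_entropy}")
        if run.new_extensions > t.max_new_extensions:
            reasons.append(f"{run.new_extensions} previously unseen file extension(s)")
        if reasons:
            findings.append((run.policy, reasons))
    return findings


# Constructed history: a quiet file server and a build-artifact store that legitimately churns.
HISTORY = (
    [BackupRun("fileserver", n, 50_000, 0, 0.02) for n in (120, 130, 110, 125, 118)]
    + [BackupRun("build-artifacts", n, 40_000, 0, 0.80) for n in (20_000, 22_000, 21_000, 19_500)]
)

# Constructed current runs: the file server suddenly shows ransomware-like churn.
CURRENT = [
    BackupRun("fileserver", 9_800, 50_000, 1, 0.92),
    BackupRun("build-artifacts", 24_000, 40_000, 0, 0.85),
]

# Tailored thresholds for the artifact store, so compressed build output does not page the on-call.
OVERRIDES = {
    "build-artifacts": Threshold(sigma=3.0, max_change_ratio=0.80, max_high_entropy=0.95, max_new_extensions=0),
}

if __name__ == "__main__":
    for policy, reasons in detect_anomalies(HISTORY, CURRENT, OVERRIDES):
        print(policy)
        for reason in reasons:
            print("  -", reason)
```

Run as-is, only the file server is reported, with all four signals firing; drop the `OVERRIDES` argument and the artifact store is reported too, which is exactly the false positive the quote's "customizable thresholds for each backup policy" exists to avoid.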
Christopher Rogers, technology evangelist at Zerto, calls continuous data protection-based recovery solutions vital in the cyberattack-ridden landscape of today:
"When it comes to ransomware, the biggest financial killer is the downtime. Therefore, having a disaster recovery solution based on continuous data protection (CDP) in conjunction with backup is vital to equip companies with the ability to be resilient in the face of potentially catastrophic circumstances. Companies using CDP can limit downtime and restore operations in a matter of seconds or minutes, rather than days or weeks.
"This Data Protection Day, I want to encourage businesses to not only look at what they can be doing to protect themselves but also what solutions they have in place to recover should disaster strike."
Software-defined perimeters as an alternative to virtual private networks.
Don Boxley, CEO and Co-Founder at DH2i, describes a network connectivity approach that organizations can adopt in place of traditional VPNs:
"Today, as organizations endeavor to protect data – their own as well as their customers’ - many still face the hurdle of trying to do so with outdated technology that was simply not designed for the way we work and live today. Most notably, many organizations are relying on virtual private networks (VPNs) for network access and security. Unfortunately, both external and internal bad actors are now exploiting VPN’s inherent vulnerabilities. However, there is light at the end of the tunnel. Forward-looking IT organizations have discovered the answer to the VPN dilemma. It is an innovative and highly reliable approach to networking connectivity – the Software Defined Perimeter (SDP). This approach enables organizations to build a secure software-defined perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly connect all applications, servers, IoT devices, and users behind any symmetric network address translation (NAT) to any full cone NAT: without having to reconfigure networks or set up complicated and problematic VPNs. With SDP, organizations can ensure safe, fast and easy network and data access; while ensuring they adhere to internal governance and external regulations compliance mandates.”
Identity-based access control, and other ways of facilitating flexible work environments.
Almog Apirion, CEO and Co-Founder of Cyolo, explains the useful functionality of identity-based access control:
"Strong data privacy is more critical than ever — particularly in response to the recent growth of cyberattacks and the expansion of data perimeters due to hybrid work. One way of mitigating today's vulnerabilities is to provide rigorous identity-based access control. To safeguard themselves, enterprises' collaboration and communications tools require a robust zero-trust framework to protect all forms of user data. Identity-based access control enables businesses to strengthen their security posture while also gaining visibility and control over their most critical systems. The reality is that hackers today don’t break in, they log in. Enterprises can get complete control and visibility of their entire IT infrastructure while mitigating against advanced threats by implementing a modern zero-trust solution and adopting stringent authentication requirements. As more risks emerge, organizations will be more prepared than ever to counter threats and safeguard data and business-critical infrastructure.”
Chris Vaughan, VP, Technical Account Management at Tanium, notes the need for visibility into every corner of an organization’s data to prevent it from falling into the wrong hands:
"There are examples of recent data breaches that have had severe impacts, with some threatening the possible disclosure of sensitive information such as health records. It is vital that organizations have full visibility over the data they hold as well as an understanding of where it is located to reduce the possibility of costly breaches occurring - or, if they do occur, to minimize potential damage.
"It is also essential that IT teams have a clear strategy that they adhere to on the location of data and how it is secured, whether they are using a cloud or on-premise environment, so that any weak points and vulnerable devices can be identified and fixed before an incident takes place. Detecting unusual activity and unauthorized access to a company’s systems is only possible with a high level of visibility and control.
"In a world where people are very often working from home using their personal devices, every organization now needs a comprehensive zero trust model that assumes all new devices and users are considered suspicious until proven otherwise. However, this alone is not enough. Organizations often think that creating a zero-trust framework is a ‘one-and-done’ process. In reality, it is an interactive journey that must be reassessed at every step of the way. Cloud solutions often have a tool set that can continuously check the state of endpoints and attest to them much more readily, as long as they are switched on.
"Through a zero-trust approach and the use of effective tools to gain visibility of IT environments, organizations will give themselves the best chance of avoiding costly breaches in 2023."
Rehan Jalil, President & CEO at Securiti, highlights the need for a unified platform that gives security and privacy teams the tools to govern personal data:
"As cyberattacks continue to evolve – in number, scope and sophistication – Data Privacy Day serves as a reminder to organizations to shore up their security strategies and ensure appropriate privacy controls are in place. To ensure the valuable data that organizations store in their internal ecosystems is properly protected, they must implement a thorough and effective approach to privacy. This starts with an accurate understanding of what personal data is stored across the various data systems within an organization. Next is understanding the privacy laws that apply to their employees and customers in any given region. It is further critical that organizations implement formal policies and procedures to properly govern this sensitive data and honor privacy rights of individuals.
"As we reflect on this year’s Data Privacy Day motto - ‘STOP. THINK. CONNECT.’ – organizations must pay special attention to their current cybersecurity controls and ensure their security teams have the tools they need to be successful. Robust platforms that offer sensitive data intelligence, data security posture management, data access governance, data breach management, data subject rights and a full suite of PrivacyOps capabilities are any organization’s best bet for a holistic and unified approach to comply with regulatory requirements."
Limit data sharing, and take a holistic approach to ensuring privacy.
Jamie Boote, Associate Principal Security Consultant, Synopsys Software Integrity Group, advises limited data sharing:
“We should all take this Data Privacy Day to reflect on what data we are disclosing and to whom. In this age where hacks and data leaks make headlines every week, it’s important to be aware of what data we trust with third parties. The best way to not suffer data loss when third parties get breached is to not share it in the first place. If you do have to share your data, ensure that the company or website you are sharing it with absolutely has to have it to provide services to you. It’s also important to limit what applications you install on your phone as the latest face morphing app or free game will make more money selling your data than it does selling services to you. As always, enable 2FA wherever possible, don’t reuse passwords, and be mindful of what can happen on the internet.”
Justin McCarthy, co-founder and CTO at StrongDM, advises a holistic approach to data privacy:
“Data Privacy Day is the perfect opportunity to take a step back and consider your data privacy initiatives holistically. That means asking yourself questions like, ‘are we maintaining the highest standards of data privacy?’ ‘are we taking the right steps to protect data against data leaks?’ ‘have we done our due diligence to ensure that unauthorized access–whether from internal or external individuals–is prevented?’
"For example, you've set up data classifications. You've determined who needs access. But are you validating that credentials have not been put into code? Do you have credentials sitting in your repos that might not have the same level of access scrutiny as admins or privileged users? Is production data going into dev or staging environments that have loose access oversight? How long would it take for you to determine all the people who have had the ability to access a database, who accessed it, and what they did? Can you even do that?
"Data privacy also means protecting how data is accessed, and data privacy initiatives must also account for that. That means ensuring that only authorized users have secure access to sensitive data and systems, and that you’re moving towards just-in-time access or Zero Standing Privileges–across network resources, provisioning and deprovisioning, and especially for temporary users that have access to sensitive information. All of this requires fine-grained observability and auditability across all your systems.”
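McCarthy's first question, whether credentials have ended up in code or in repositories, is one you can answer mechanically. The following Python is an added example, not StrongDM's code and not from the original article: a minimal secrets scanner that combines fixed-format patterns for unambiguous material (AWS access key IDs, PEM private key headers) with a generic name=value matcher whose confidence depends on the value's Shannon entropy, so environment-variable references and placeholders are not reported while known weak defaults still are. The sample repository snapshot is constructed; the AWS values are the example credentials published in AWS's own documentation, not live keys, and the pattern names and entropy threshold are assumptions.

```python
"""Scan repository file contents for credentials that should never be committed.

Added example, not StrongDM's code. The sample files are constructed; the AWS
values are the placeholder credentials published in AWS documentation, not
live keys. Pattern names and the entropy threshold are assumptions.
"""
import math
import re
from collections import Counter

# High-confidence, fixed-format secrets.
FIXED_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Generic "name = value" assignments; confidence depends on what the value looks like.
GENERIC = re.compile(
    r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{8,})"
)
WEAK_DEFAULTS = {"changeme", "password", "secret", "admin123"}
ENTROPY_BITS = 3.5  # per-character Shannon entropy at which a value looks machine-generated


def shannon_entropy(value):
    """Bits of entropy per character of the string."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return (path, line, pattern, confidence) for every suspected credential in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in FIXED_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name, "high"))
        m = GENERIC.search(line)
        if m:
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_BITS:
                findings.append((path, lineno, "generic-secret", "medium"))
            elif value.lower() in WEAK_DEFAULTS:
                findings.append((path, lineno, "weak-default", "low"))
            # Other low-entropy values are left alone: in practice they are variable
            # references or placeholders rather than real credentials.
    return findings


def scan_repo(files):
    """files: {path: content}. Returns findings in path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed repository snapshot.
SAMPLE_FILES = {
    "config/settings.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\nAPI_KEY = "${API_KEY}"\n',
    "deploy/prod.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "keys/deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\n<key body omitted>\n-----END RSA PRIVATE KEY-----\n",
    "scripts/db.sh": "export PGPASSWORD='changeme'\n",
}

if __name__ == "__main__":
    for path, lineno, name, confidence in scan_repo(SAMPLE_FILES):
        print(f"{confidence:6s} {path}:{lineno} {name}")
```

On the sample snapshot the two references in `config/settings.py` are correctly ignored, while the AWS key ID, the high-entropy secret key, the private key and the weak default are all reported. In a real deployment this runs as a pre-commit hook and in CI over the full history, not only the working tree, because a secret removed in a later commit is still in the repository; anything it finds should be rotated, not merely deleted.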
Matt Rider, VP of Security Engineering EMEA at Exabeam, encourages organizations to see data privacy as part of the larger cybersecurity picture:
“Today, data protection is inextricably entwined with cybersecurity. With the average number of attacks per organisation worldwide reaching over 1,130 weekly in Q3 2022, sensitive personal data has never been more at risk. And, while cybersecurity typically focuses on keeping systems secure against attacks, data protection has a vital part to play. It brings together efforts from across an organisation to ensure that data is kept safe as well as compliant with the latest regulations – regulations which take centre stage in the event of a successful cyber attack, bringing us back to cybersecurity.
"Part of having strong data protection measures in place involves knowing where your data is stored and who is accessing it at any given time. IT teams can use tools such as User and Entity Behaviour Analytics (UEBA) to monitor these patterns and learn what a normal day looks like for their organization when it comes to the data flowing within it. If access is attempted by a malicious actor – whether internal or external – the IT team can be alerted to this anomaly and work quickly to shut down systems and prevent the attacker from digging any deeper. This can be further supported by employees being aware of and following the latest data protection best practices, which makes it easier for the IT team to spot any unexpected behavior.
“Data protection and cybersecurity – you can’t have one without the other. So, when considering how to bolster your cybersecurity defenses, make sure that data protection is top of mind, otherwise, you’re leaving an open goal for any skilled attackers taking advantage of a blindspot.”
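Rider's description of UEBA, learn what a normal day of data access looks like for each user and alert on departures from it, can be illustrated with a small baseline-and-score loop. The following Python is an added example, not Exabeam's product and not from the original article. It parses a constructed database access log, builds a per-user profile (tables and source hosts touched, working-hour window, usual row counts) from a training window, and then scores new events against that profile; an event with no baseline at all, or with two or more deviations, becomes an alert. The log format, every line in it, and the thresholds are constructed assumptions for illustration.

```python
"""Per-user access baseline and anomaly scoring over database access logs.

Added example, not Exabeam's UEBA. The log format and every line below are
constructed; the fields and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}Z user=(?P<user>\S+) "
    r"src=(?P<src>\S+) db=(?P<db>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse(line):
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable access log line: {line!r}")
    ev = m.groupdict()
    ev["hour"], ev["rows"] = int(ev["hour"]), int(ev["rows"])
    return ev


def build_baseline(lines):
    """Per user: tables and source hosts touched, hours seen, row counts."""
    prof = defaultdict(lambda: {"tables": set(), "srcs": set(), "hours": [], "rows": []})
    for ev in map(parse, lines):
        p = prof[ev["user"]]
        p["tables"].add(ev["table"])
        p["srcs"].add(ev["src"])
        p["hours"].append(ev["hour"])
        p["rows"].append(ev["rows"])
    return dict(prof)


def score(baseline, line, sigma=3.0):
    """List the ways one event departs from its user's learned profile."""
    ev = parse(line)
    p = baseline.get(ev["user"])
    if p is None:
        return [f"no baseline for user {ev['user']}"]
    reasons = []
    if ev["table"] not in p["tables"]:
        reasons.append(f"first access to table {ev['db']}.{ev['table']}")
    if ev["src"] not in p["srcs"]:
        reasons.append(f"new source host {ev['src']}")
    lo, hi = min(p["hours"]), max(p["hours"])
    if not lo <= ev["hour"] <= hi:
        reasons.append(f"outside usual hours {lo:02d}-{hi:02d}")
    mu, sd = mean(p["rows"]), pstdev(p["rows"])
    limit = max(mu + sigma * sd, 2 * mu)  # guard against a zero-variance baseline
    if ev["rows"] > limit:
        reasons.append(f"{ev['rows']} rows vs usual limit {limit:.0f}")
    return reasons


def detect(baseline, lines, min_reasons=2):
    """Alert on events with no baseline at all, or with at least min_reasons deviations."""
    alerts = []
    for line in lines:
        reasons = score(baseline, line)
        if reasons and (reasons[0].startswith("no baseline") or len(reasons) >= min_reasons):
            alerts.append((line, reasons))
    return alerts


# Constructed training window: two users with steady, daytime, low-volume habits.
BASELINE_LOG = [
    "2023-01-16T09:12:44Z user=alice src=10.1.2.3 db=crm table=customers rows=120",
    "2023-01-16T11:05:10Z user=alice src=10.1.2.3 db=crm table=orders rows=80",
    "2023-01-17T10:40:02Z user=alice src=10.1.2.3 db=crm table=customers rows=200",
    "2023-01-17T15:22:31Z user=alice src=10.1.2.3 db=crm table=orders rows=150",
    "2023-01-18T09:58:17Z user=alice src=10.1.2.3 db=crm table=customers rows=60",
    "2023-01-18T16:30:45Z user=alice src=10.1.2.3 db=crm table=orders rows=95",
    "2023-01-16T08:15:00Z user=bob src=10.1.5.7 db=hr table=payroll rows=20",
    "2023-01-17T13:02:12Z user=bob src=10.1.5.7 db=hr table=payroll rows=18",
    "2023-01-18T17:45:39Z user=bob src=10.1.5.7 db=hr table=payroll rows=25",
    "2023-01-19T09:10:51Z user=bob src=10.1.5.7 db=hr table=payroll rows=22",
]

# Constructed new events: one normal, one that looks like a compromised account, one unknown user.
NEW_LOG = [
    "2023-01-23T10:05:09Z user=alice src=10.1.2.3 db=crm table=customers rows=150",
    "2023-01-24T02:13:37Z user=alice src=10.1.9.9 db=hr table=payroll rows=48000",
    "2023-01-24T09:30:00Z user=bob src=10.1.5.7 db=hr table=payroll rows=25",
    "2023-01-24T09:31:00Z user=mallory src=10.1.5.7 db=hr table=payroll rows=5",
]

if __name__ == "__main__":
    for line, reasons in detect(build_baseline(BASELINE_LOG), NEW_LOG):
        print(line)
        for reason in reasons:
            print("  -", reason)
```

The 02:13 event from alice trips all four checks at once (new table, new host, off-hours, bulk read), which is the profile of a stolen credential being used for exfiltration rather than of a user doing something slightly unusual; requiring two deviations keeps a single late night or a new laptop from paging anyone. The unknown user is alerted regardless, since an account with no history is exactly what a freshly created backdoor account looks like.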
And some general reflections on safeguarding personal data.
(Added, 5:15 PM ET, January 30th, 2023. Raffael Marty, EVP and GM of Cybersecurity at ConnectWise, summed up an approach to privacy that gives due regard to security threats:
“Data privacy continues to impact businesses and individuals on a daily basis, with the complexity of these challenges increasing. Almost half of all American adults have had the experience of their personal information being exposed in some way by cybercriminals while well over half of Americans have received an online scam offer, trying to lure them into disclosing their most private information. One in three American homes with computers experience being infected with malicious software and over a half million social media accounts are hacked every day. These sobering statistics are courtesy of the United States government’s Cybersecurity & Infrastructure Security Agency (CISA). Thinking about passwords, cybersecurity issues, MFA (multi-factor authentication), clearing browser caches, keeping software up to date, and the like, might not be very much fun. Still, what’s even less fun is having your personally identifiable information or the information of your workplace or school breached or compromised to potentially detrimental or catastrophic effects.
“This Data Privacy Day, we want to draw much-needed attention to how security threats can impact data privacy issues. Companies will need to remain responsive and agile to the rapidly evolving cyberthreat landscape in order to keep the data of their organization, their customers, and their users safe. We can expect to see an increased demand from customers demanding greater transparency about how business is keeping their private data secure and safeguarded. This will usher in a new model for cybersecurity that is reliant on continuous verification instead of just hardening systems and networks.”)