Workplaces have changed in response to the pandemic, and new technologies have arrived even as organizations cope with a global health crisis. The changes this has made to data privacy aren't temporary.
Data Privacy Day: Changing workplaces and changing technologies.
Industry leaders contacted us to offer their views on how the workplace is changing, and what that means for data privacy.
A changing workplace and new technology drive changes in privacy management.
Avi Raichel, VP at Zerto GTM, a Hewlett Packard Enterprise company, looks to the risk and sees no single solution:
“Data Privacy Day serves as a critical reminder that data privacy and protection are increasingly challenging matters and organizations have no other choice than to take them seriously. Ransomware attacks are here to stay as they continue to rise in both volume and severity and as cybercriminals keep developing new and unexpected methods to encrypt data. It is estimated that by 2031, ransomware is expected to attack a business, consumer, or device every two seconds.
“According to research from IDC, 95.1% of organizations suffered a malicious attack in the past 12 months and 43% of those organizations have experienced unrecoverable data loss, proving the devastating impacts of ransomware and other cyberattacks. Organizations must understand that protecting your data from ransomware is no longer about if you can recover, but rather how quickly you can get your business back up and running.
“Since no single solution can offer protection from ransomware attacks with 100% certainty, having a disaster recovery and backup solution based on continuous data protection (CDP) offers companies the ability to be resilient in the face of potentially catastrophic circumstances. Companies using CDP can resume operation at scale in minutes and recover to a state a few seconds before an attack. Ultimately, having continuous data protection will put the power back in the hands of the organizations who are prepared.”
Geoff Bibby, SVP of Small and Medium-sized Business and Consumer Strategy at OpenText, thinks it’s too easy for organizations to overlook the risks to data inherent in file-sharing:
“Another common activity that many don’t consider risky is file sharing. Often when a file is too large to share securely over email, many instead use a simple and convenient file sharing platform that is a part of their current workflow like Google Drive, a personal file sharing account like Box, or just sending the files over Zoom chat. This leads to an increased risk of malware, hacking, and loss or exposure of sensitive information. Organizations should stress the importance of securely sharing files with their employees and use solutions that allow for easy and secure file sharing.
“Organizations should also make it a habit to deploy regular security audits to identify vulnerabilities and other suspicious behavior, allowing them to ensure sensitive data is routinely being backed up. Backing up data ensures businesses and individuals have access to current versions of critical data and can keep business going in case of an attack.”
The remote work that’s increasingly become the norm during the pandemic also carries challenges for data privacy. Mike Wood, CMO at Versa Networks, wrote:
“Following the explosive shift to the work-from-anywhere approach over the past couple of years, organizations’ people, technology, and data are spread across unlimited locations around the world. Coupled with that is our ever-increasing demand to be connected to everything and everyone all the time which has resulted in a push for emerging technologies such as 5G and IoT. Despite the rapid adoption of 5G, IoT and other new technologies, their popularity far outweighs their security. Zero-day attacks are a huge threat to IoT and 5G applications. What’s more, 5G is not a private network, so when IoT devices are connected to it, the attack surface expands, and they and the data they store become vulnerable. In the short time that 5G has been globally deployed, it has become a natural component of IoT devices and is also in the perfect position to help transform business networking and the interconnection of infrastructure environments, be those on-premises, hybrid-cloud, or multi-cloud. However, as a market, it has not undergone enough research for experts to be confident in its security. While convenience, connectivity and flexibility are key to our current working environment, so too should be the security of our devices and the privacy of our data.”
Dottie Schindlinger, Executive Director, Diligent Institute, also pointed to the implications the changing nature of the workplace has for data privacy:
“Today’s workplace is no longer limited to traditional definitions or boundaries. Companies are constantly adapting to new working models and exploring innovative ways to tailor them to the needs of their organisation. The adoption of collaboration tools has skyrocketed as companies try to ensure that productivity and efficiency remain high, whether in a remote, in-office, or hybrid work environment.
“Many of these tools are general-purpose solutions that meet the requirements of employee communication and collaboration well enough. But they may not be appropriate for the top layer of your organisation — the board and executives.
“Boards and executives deal with information that is often highly sensitive and that consequently has higher costs of exposure. Think of the reputational, legal and financial repercussions if a classified document leaked because it was shared by executives on a general-purpose communication tool. The impact could be catastrophic. Additionally, recent cyberattacks have highlighted — not just for shareholders, but for all stakeholders — the importance of protecting an organisation’s most sensitive data. General-purpose collaboration tools are unable to offer the level of protection that stakeholders expect.
“Organisations need secure environments and workflows that allow the board and executives to communicate highly sensitive information safely, without worrying that it might accidentally be misrouted, forwarded, leaked or even stolen. And, the system must be intuitive and convenient, so executives remain within its workflows and processes without straying to other systems and creating security gaps.”
Chad McDonald, Chief of Staff and CISO of Radiant Logic, sees sprawl as contributing to the challenge of identity protection:
“With the number of cyberattacks substantially increasing during the pandemic, organisations must put in measures which can stop identity sprawl by ensuring they have a unified global profile which has all the attributes of a user irrespective of which source it’s located in. Organisations that fail to manage identity data will suffer from further data breaches as threat actors know that data is not secure and easy to get hold of. Whilst this sounds like a complicated problem to solve, it can be easily done thanks to Identity Data Fabric.”
Ryan Abraham, virtual CISO of Wisetail, wrote to draw attention to the particular responsibility human resources professionals have for data privacy:
“Data privacy is incredibly important in the HR industry. HR professionals are entrusted with employees’ sensitive data—from social security numbers to phone numbers to home addresses and more—so it’s vital that every company takes the proper steps to ensure that data is safe.
“One important step here is to certify your organization as SOC 2 compliant. SOC 2 is based on five factors—security, availability, processing integrity, confidentiality, privacy—and the certification tells users that your organization maintains a high level of information security and handles their data responsibly. Additionally, SOC 2 compliance ensures that your organization has implemented security practices to defend itself from cyberattacks and breaches.
“Another great way to honor Data Privacy Day this year is to start regular employee training on data privacy best practices, which can be easily created and assigned to your team through a learning experience platform (LXP). These training courses can educate employees on how to spot a phishing attack, create strong passwords, avoid suspicious and dangerous websites, and more. Your employees are your first line of defense against data privacy threats, so it’s essential that they are equipped to keep themselves and your business safe.”
Carl D’Halluin, CTO at Datadobi, takes note of changes in technology, and particularly the growing importance and use of unstructured data. This brings with it some particular challenges:
“No one can deny that unstructured data is growing exponentially. With the creation of so much data, a wide range of new management tools and processes to oversee it have emerged — from global data availability, data protection, data archival, and more. In this multi-vendor, multi-platform world spanning from on-premises to the cloud it cannot be denied that management, visibility, and reporting software are indispensable for a business to run efficiently and to optimize revenue. It is up to IT administrators and their teams to take on the important job of protecting their arsenal of data against threats by choosing the right data management software.
“To safeguard data, organizations must use a platform that understands what data is stored where, what data needs to be relocated, be able to relocate that data, and ensure the validity of that data as it is relocated. On this year’s Data Privacy Day, I would like to issue a call to action for organizations across every industry to reevaluate what data management platform they are using in order to protect against today’s modern threats as best as possible.”
Amit Shaked, CEO of Laminar, sees the cloud as requiring new approaches to data protection:
“Data Privacy Day is a critical reminder for every organization to ask: where is our sensitive data? In recent years, we’ve seen new security tooling and practices for cloud infrastructure emerge, but oftentimes, the usage and prioritization of such tools ignore the actual treasure that needs protecting – the data itself.
“Compared to corporate networks and services, there is a massive amount of data in cloud application environments. When building a cloud application, data is still managed and housed in a single database during the early stages. However, as developers and data scientists advance the application and continue utilizing the data, where it resides and who has access to it can become uncontrollable. At this point, it is known as ‘shadow data.’
“To combat these increasingly common cloud data protection challenges, security teams need a new set of cloud-native tools that are always on and continuously monitoring their environments. Trust is not enough. The solutions must allow a ‘trust but verify’ stance towards data security – this helps those handling the data get their jobs done while ensuring it is managed and protected properly.
“These always-on and automated solutions allow data protection teams to finally shift left and adjust from being gatekeepers to being business enablers. This allows company productivity to be paired with data security and privacy.”
Brian Pagano, Chief Catalyst and VP at Axway, agrees that there’s no single solution:
“There is no one solution for optimized data privacy. Cloud has the same problems around data-in-motion (you have to get data to and from the cloud) and data-at-rest (storing information in the cloud). What the cloud gives you is industrial-strength physical and digital security of the cloud provider. So it is a good step, a piece of the solution.”
He also adds some recommendations for the new environment:
“Abandon the old faith in passwords. You can tell if an IT department is not evolving if you are required to frequently change your password (this practice has been shown to decrease security and has largely been abandoned). Keeping data private involves data-at-rest and data-in-motion as mostly ensuring that whoever is trying to access the info has the proper entitlements to that data. If privacy is a top concern, the organization should adopt a need-to-know check for any document. Prove you need this information. Keep logs and audit them randomly. This is similar to Apple’s posture. For new companies, open, fast communication is often more important than absolute privacy. Just remind team members that anything written down could appear in public—so think before you type.
“Companies should adopt customized solutions for their data privacy requirements. Don’t blindly copy what some other company (or organization) is doing. You are not them. Your needs are not their needs. The amount of privacy you need is to support the mission of your organization, not to hinder it. So, start by asking what you need and what will support the mission.
“APIs and data privacy. APIs are the critical front door to your business. It is the perfect layer at which to adjust, check, and enforce entitlements to the information being requested.”
Daniel Markuson, Digital Privacy Expert with NordVPN, stresses that knowing there’s a problem is at best the beginning:
“Data Privacy Day aims to raise awareness on issues of privacy, however, awareness is meaningless if it doesn’t turn into action. Protecting your individual privacy is all about creating habits, such as putting extra effort into creating strong passwords, not clicking on unknown links or downloading unverified files, disabling Wi-Fi & Bluetooth when they’re not in use, and overall staying attentive while browsing online. While this may sound tedious, there are tools that can make protecting your privacy much more effortless. A VPN hides your personal information, password managers protect your credentials & generate strong passwords, while file encryption tools make it so only you can access your files.”
Shekar Ayyar, CEO of Arrcus, warns that Web 3.0 is coming, and will bring new challenges with it:
“Web 3.0 applications like metaverse and defi that are based on AR/VR and blockchain are stretching the requirements on scale and performance of the underlying networking infrastructure. The internet today relies on a complex global mesh of routing and switching nodes, supported by technologies like BGP, or Border Gateway Protocol. As recent outages at AWS and Facebook demonstrate, the risk of network failure is high whenever manual intervention is involved. A critical best practice we at Arrcus recommend is the adoption of intelligent, network analytics-driven automation of router operations to handle fault correction and detection of errors in configuration.”
Danny Lopez, CEO of Glasswall, reminds organizations that they can’t overlook the human element:
“Data Privacy Day serves as a reminder of how important the human element is in the world of cybersecurity. Without a proper understanding of online privacy risks, organisations can be left defenceless against hackers.
“According to the IBM Cost of a Data Breach Report 2022, stolen credentials are the most common attack vector, leading to 20% of breaches costing an average of USD $4.37 million. In addition, the Verizon 2021 Data Breach Investigations Report stated that phishing attacks increased by 11% last year, with cybercriminals tweaking their scams to fit current events and grab attention.
“The solution to fending off cyberattacks at both an individual and company level is twofold: training and technology. Training will arm employees to be alert to risks and follow best practices. This can be as simple as using strong passwords and multi-factor authentication, not opening links and/or attachments from unfamiliar sources, and using anti-virus software.
“On the technology side, taking a proactive, zero trust (never trust/always verify) approach when it comes to security can not only protect the companies that implement them but their customers as well. Having these measures in place will not only assist with preventing attacks, but it’s also more cost effective and efficient than using employees as an organisation’s first line of defence. By combining training and technology, individual, company, and client data privacy is significantly more achievable for organisations around the globe.”
There’s a human factor to consider, of course, but there’s also a bot factor, as David Higgins, Technical Director at CyberArk, points out:
“It’s not just humans that are susceptible to clicking on the wrong link or are perhaps a little too cavalier about what they share about themselves. Software bots have sharing issues too, and this Data Privacy Day we highlight how we can better protect the data that they access from being exposed.
“Software bots – little pieces of code that do repetitive tasks – exist in huge numbers in organizations around the world, in banking, government and all other major verticals. The idea behind them is that they free up human staff to work on business-critical, cognitive and creative work, while also helping to improve efficiency, accuracy, agility and scalability. They are a major component of digital business.
“The privacy problem arises when you start to think about what these bots need so they can do what they do. Much of the time it’s access: If they gather together sensitive and personal medical data to help doctors make informed clinical predictions, they need access to it. If they need to process customer data stored on a public cloud server or a web portal, they need to get to it.
“We’ve seen the problems that can arise when humans get compromised and the same can happen to bots – and at scale. If bots are configured and coded badly, so they can access more data than they need to, the output might be leaking that data to places where it shouldn’t be.
“Likewise, we hear about insider attacks and humans being compromised to get at sensitive data virtually daily. Machines have the exact same security issues; if they can access sensitive data and they aren’t being secured properly, that’s an open door for attackers – one that can put individuals’ privacy at risk. Attackers don’t target humans to get to data, they just target the data. If machines – especially those in charge of automated processes (think repeatable tasks like bank transfers, scraping web data and moving customer data files) – are the best path to take to get to it, that’s the one they will choose.”
The bots are our creations, and it’s not surprising that they’ve inherited our weaknesses. (And they exercise some of those weaknesses at a scale the most profligate among us can only envy.)
Kurt Glazemakers, Chief Technology Officer at Appgate, argues that, as far as privacy is concerned, the VPN has been a double-edged sword:
“There is no doubt that the VPN has played an important role in the evolution of the internet. However, as we near another data protection day having witnessed more data breaches and cyber attacks over the past year, it is time we recognise that the VPN has also played a role in providing organizations with security flaws and vulnerabilities that leave them open to attacks and subsequently, data theft.
“Of course, a recent example of the danger of VPNs is the infamous Fortinet VPN hack in September of last year, where the VPN vulnerability allowed unauthenticated attackers to read arbitrary files which contained plaintext credentials. The leaked credentials could (and still can) be used as an entry vector for more complex attacks. For example, the Colonial Pipeline attack of last year used a compromised credential for a legacy VPN appliance. Evidently, VPNs leave the door open for cyber criminals to exploit their vulnerabilities, gain access to the network and steal credentials and other valuable pieces of data.
“So, what is the answer and is there a better solution? Zero trust network access (ZTNA), with its ‘authenticate, then trust’ approach, versus VPNs’ trust of IP addresses, is becoming an increasingly mainstream choice among businesses. The principle is even favored by bodies such as the Pentagon, which launched a zero trust cybersecurity office in December 2021. By adopting ZTNA, organizations can limit the damage of any potential loss of data and help companies to quickly recover after an incident. The approach closes the gaps left by outdated technology that no longer protects businesses from the evolving tools used by modern cybercriminals.
“In order to detect an intruder and protect their data, organizations need to apply zero trust policies including segmenting networks and assuming all connections can be compromised. Zero trust needs to be implemented in the core infrastructure and organizations must profile any device trying to connect to the network, use multi-factor authentication to ensure credentials are not compromised, and most importantly, only provide access to data according to what a user or a system needs.
“Our data is one of our most valuable resources and cybercriminals know that. By implementing zero trust policies, organizations can ensure that their employees’ credentials and their customers’ data are secure and protected from the prying and watchful eyes of the cybercriminal community.”
Finally, Anastasios Gkouletsos, IT Security Lead at Omnipresent, offers five safety measures industry can apply to protect and maintain clients’ and employees’ personal information and data:
- “Data Encryption - Keeping your data fully encrypted and anonymised while stored, in compliance with the most stringent industry standards.
- “Cloud Hosting - Rather than having a physical data center, use a cloud service provider and leverage their security and compliance controls for data center physical security and cloud infrastructure.
- “Vulnerability Assessments - Run annual third-party penetration tests and perform regular vulnerability scans with leading tools in the industry.
- “Information Security Policies - Develop and maintain a written Information Security Policy along with Policies for Access Control, Change Management, Data Integrity, and more.
- “Focus on Endpoint Security - Endpoint security should be a priority for every company, but particularly for those that are going global. For remote teams, endpoint security should go far beyond installing off-the-shelf anti-virus software. An effective endpoint security solution should also include a firewall, malware removal, ransomware protection, device management, password manager, and a business VPN.”