January 28 marks International Data Privacy Day. Powered by the National Cyber Security Alliance, Data Privacy Day “encourages consumers to own their privacy and businesses to improve their data privacy practices.”
As we are mindful of Data Privacy Day this January, we are reminded even more of how companies and their clients or customers need to stay hyper aware of ensuring that their data is safe and protected. This rings especially true when it comes to digital transformation and data migration as the complexity of these processes leaves important data vulnerable and open to the risk of getting lost or hacked. When companies make the move to new application systems, it is essential to ensure a smooth transition by implementing best practices such as conducting a thorough inventory to determine no personal data is being collected, adequately backing it up, and properly protecting it with appropriate security platforms.―Steele Arbeeny, CTO, SNP Group
Data Privacy Day is all about raising awareness of how organizations put the vast amount of sensitive data they store at risk and encouraging everyone to take action to better protect this data. One major risk to data privacy is excessive access, which simply means that there are individuals, either internally or externally, who have unnecessary access to information on the mainframe. The more people with access to information, the more likely your data will be compromised. These issues can crop up inadvertently and go undetected for years, so organizations need to include excessive access checking in ongoing security processes.
To mitigate this risk, excessive access checking should be included in an organization’s security policy and done periodically to maintain a proper security posture. However, this is an arduous process that can uncover hundreds of thousands of findings, which the organization then must address. The good news is, automation can speed up excessive access checking and help organizations drill down to the user level, to get a detailed report of who has access to what.
Another tip for organizations to improve data privacy practices is to accurately inventory, classify, and define data ownership. For organizations beginning the data discovery and classification journey, visibility into the movement and usage of your firm’s most sensitive data can help uplift security programs significantly. When you know what you have, where it is, and who has access to it, you can develop the right policies around ownership and also target your strongest security controls such as encryption of that data.―Ray Overby, CTO and Co-Founder, Key Resources
In today’s sophisticated threat landscape, customers expect that the enterprises they’re doing business with are protecting their data and privacy, no matter where in the world they are located. These expectations are shifting how businesses must now operate, especially considering they also need to adhere to an ever-widening set of data privacy regulations, including GDPR. While meeting these compliance regulations is complex and challenging, they cannot be ignored. A key part of this will be for businesses to plan their infrastructure, and data handling and storing processes accordingly.
Most enterprises managing customer data are likely leveraging at least one form of cloud – which becomes increasingly complicated when different service providers have their own processes for remaining compliant. Enterprises can’t count on their providers’ compliance alone – they must ensure their own forms of protection as well. In order to still reap the benefits of cloud, enterprises seeking to uphold the highest standard of data privacy will increasingly turn to encryption to protect their critical information. As such, securing encryption keys becomes a necessary layer of added security.
Key encryption management services secure encryption keys in a Hardware Security Module (HSM) that is kept separate but in close proximity to the cloud environment in which their applications reside, allowing for high performance, low latency integration with cloud apps without compromising on security or compliance. Since most enterprises don’t have the necessary resources to do this on their own, turning to a managed service within a colocated data center provides the perfect solution for key encryption management. Not only will this help enterprises adhere to strict data privacy regulations, but it will also help them win in the ever-scrutinizing eyes of consumers looking to hold businesses to a higher standard in the wake of high-profile data privacy scandals.―Patrick Lastennet, Director of Business Development, Enterprise, Interxion
Data is a new currency that individuals and organizations are mining and monetizing around the world. Some of the biggest technology companies in the world such as Facebook, Google, and Amazon use data they collect on their platforms for targeted advertisements, which is a main driver for their monopolistic profits. While many admire these companies as American pioneers, they should also realize that we are entrusting them with our personal data, which is a large responsibility. On Data Privacy Day, it’s important to remember that sensitive information needs safeguarding more than ever before. Some information that particularly needs to be protected by companies includes personal health data as this is very sensitive information that most people don’t want to be shared or used against them for future decisions they may want to make. Some startups are pioneering new ways to make sense and drive productivity through data analytics and mining such as App Annie and Tamr. We anticipate investments in this space will only continue to grow alongside the growth of global data.―Anis Uzzaman, CEO, Pegasus Tech Ventures
Here are some actions you can take, starting today, which can help reduce the possibility of digital security incidents from affecting your life, as these are things within our control. Use a password manager application and vault. Let 2020 be the decade you finally stop using yellow sticky notes to store passwords and user IDs. Always use a VPN. You probably use one for your work activity, so why not use one for your personal activity? Using a VPN is especially important when you connect to the Starbucks wi-fi, or airport wi-fi, etc. Don’t be the subject of wi-fi attacks – use a VPN to keep your data private.
Use encryption for mail, calendars, messaging. The range of protection for email messages and calendars can vary. Gmail, for example, encrypts messages from your PC to the Google mail servers. Proton Mail, on the other hand, is an end-to-end encrypted mail service that claims to be so secure, one of their data centers is located in an ex-military bunker under 1000 meters of granite rock. WhatsApp and Viber both claim to deploy end-to-end encryption for personal messaging. Find a service that provides you with the security peace of mind you need.
Other general security hygiene actions to consider include only accessing with “HTTPS://” URLs; using a spam filter for email messages; and limiting the amount and type of personal information you give out – use aliases if you have to. The next time you go to Starbucks, and they ask for your name, tell them “Patrick Mahomes” (unless you are Patrick Mahomes)!―Jonathan Deveaux, Head of Enterprise Data Protection, comforte AG
This year, International Data Privacy Day follows one of the biggest data privacy events since EU’s General Data Protection Regulation (GDPR) – on January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect. CCPA is the strongest consumer privacy legislation mandated at the state level, and it gives significantly more power to consumers to demand accountability and transparency for how their private data is handled. The CCPA also puts in place costly penalties against organizations that collect data and fail to protect it. CCPA is, in effect, a national and global law. It covers any security and data problems that happen in the state of California and impact companies conducting business in California. So, for example, a German company that does business in California could find itself liable for costly fines if its website is breached and California customers are affected.
Now is a good time, to protect yourself from liability, to ask all third-party service providers for detailed answers to the following questions.
Do you capture any of our user data? How, where and when? Please explain the mechanism. If you do capture our user data, what is your own CCPA policy and database access structure? Can you provide an easy mechanism for us to access any user data you collect and provide it to our end users as part of a comprehensive CCPA report? What are you doing to monitor data privacy laws that other states are likely to enact?
In addition, demand certification information and make it a condition of ongoing business. For SaaS companies, SOC 2 Compliance and/or ISO 270001 is the gold standard. Next, ask them to run a simulated CCPA request process with you. This will help you assess their readiness. And, make sure your security stance for all your public-facing applications is audited and up to date with proper configurations. This will mean not only internal firewalls on databases and malware protection on every user’s device, but also technology specific to guarding web applications. Web application firewalls are table stakes. Make sure they are tuned appropriately. CCPA adherence enforces good basic security hygiene and best practices — and that will result in better protection for your users, your infrastructure and your bottom line.―Ido Saftruti, Co-founder and CTO, PerimeterX
Who needs an international data privacy day? In this perfect world we live in, businesses, governments, and other organizations are all honest and get cybersecurity right, have all the knowledge and resources on their side and take proper care of everyone’s data. NOT. Sarcasm aside, if we take a look at the facts, businesses actually do quite a bit in terms of cybersecurity. Statistics show that the average spend on cybersecurity is about 5.6% of overall budget. With regulations like GDPR, privacy and data protection became important topics at board level. Companies are well aware of the fact that they need to protect privacy and sensitive data of individuals.
Unfortunately, many organizations live from selling user data by offering “free services” in exchange for users’ personal information. Some of them are in a monopoly position that they can leverage to get users to agree, albeit reluctantly, that more and more of their data be collected, shared, and sold. While many people are either apathetic or blissfully unaware of what can happen to their data, the fact is that it’s their privacy, credit score, and even physical safety at stake. Keeping that in mind, the most important thing is to spread cybersecurity awareness. This is equally true for employees of a company as it is for us as private individuals. So, who needs a data privacy day? We all do. We need to be reminded of the risks facing our data and we have to understand our rights, and the best way to ensure data privacy is to educate people.―Felix Rosbach, Product Manager, comforte AG
While organized crime rings and governments (there is some overlap there!) get the most blame for data privacy breaches, the greatest loss of data privacy is self-inflicted. The best way for people to protect their data privacy is to go cold turkey and make January 28 a Zero Social Networking Day. No Facebook. No Tweeting. No LinkedIn. No Instagram. Nothing. For one day, forget being Carbon Neutral and go Zero Social.―Colin Bastable, CEO, Lucy Security
―IS Buzz News