With today being Data Privacy Day, we explore what organisations need to know about keeping the data at their disposal secure
Now in its 16th year, Data Privacy Day (also known as Data Protection Day) raises awareness of the need to keep employee and customer data secure, and compliant with regulations such as GDPR. The observation commemorates the 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. With cyber attacks constantly evolving, and hybrid working continuing to expand data perimeters, strong data privacy is as paramount as ever.
In this article, we explore what organisations in every sector need to keep in mind when seeing through data privacy initiatives, in 2022 and beyond.
Backup and recovery
Not only can cyber attacks cause organisations to lose data, but IT outages can also cause this to happen if an efficient backup and recovery plan isn’t in place. This is your last line of defence, and ensures you don’t leave the welfare of assets to chance.
William Bush, field CTO at Catalogic Software, explained: “If an organisation’s backups reside on the same network or the same storage systems as the production data, they are vulnerable to attack. Having backups air-gapped on tape or locked in secure object storage in the cloud that the ransomware attacker cannot reach, ensures that the data can be recovered.
“With digital transformation accelerating, the importance of data protection grows as the downtime for systems has a direct correlation with income and brand image. Cyber criminals are very aware of this and use the threat of shutting down an organisation’s system and sharing breaches publicly to obtain payment. An organisation’s next step should be to contact the data protection vendor and request a free review of backup and restore processes and ask what is being done to ensure the business is staying ahead of cyber criminals’ innovations.
“Don’t become a victim and add to the average cost of a data breach in 2021, which was £3.15 million.”
Understanding the journey of breached customer data
Customer data morality
Staying compliant with data protection regulations remains vital, not only when it comes to avoiding financial ramifications, but consequences of an ethical nature too. Customers are likely to lose trust in chosen organisations that have failed to avoid a data breach, and reputation on a wider scale can be damaged.
In the current landscape, investment in privacy, only collecting data that’s essential for maintaining customer service, and encrypting this data are all big steps forward.
“Collectively, are we on the right side of history with data privacy? I would argue not yet,” said Heather Gantt-Evans, CISO at Sailpoint.
“We are going to look back at this era as if we were data barbarians. In our increasingly ‘Ready Player One-esque’ environment, we must set aside time to think about our privacy and how to protect it.
“Companies who want to capitalise on this moment should give customers a path to opt out of data harvesting, and give customers the ability to be forgotten (i.e. providing previously collected data back to the customer, and then deleting it). But most importantly, organisations need to communicate clearly how collected data is used in order to provide value back to the customer. This means clearly articulating how it is protected, and the customer’s privacy options.
“This can be particularly challenging for data involved in proprietary machine learning, but algorithmic transparency demonstrates that an enterprise is conscientious about data privacy. In addition, companies should seek to embed customer privacy as one of their core values and communicate this value as part of their customer-facing messaging. Let’s usher in a new phrase: ‘the customer is always right secure’.”
Zero trust
One increasingly prominent notion that’s making waves among security personnel is that of a ‘zero trust‘ model. Based on the principle “never trust, always verify”, zero trust refers to devices that are trying to access the network — all devices must be authenticated, authorised and validated for configuration and posture. This is a key tool for many companies in the face of rising ransomware attacks.
“As if one pandemic was not enough, it seems that a second has surfaced at the same time: ransomware,” said Aron Brand, CTO of CTERA.
“In 2021, traditional enterprise security was seriously challenged, and traditional security solutions have proven to be inadequate for the new distributed working models.
“A zero trust approach, which follows the principle “never trust, always verify”, must be considered a standard part of today’s IT infrastructure. In a zero trust infrastructure, each attempt to access the network, whether or not the device is already on the VPN or LAN, must first be verified before being granted access.
“Cyber criminals frequently exploit weaknesses in a remote site or home office to penetrate an organisation’s network where they can move laterally to infiltrate more sensitive systems. Traditional approaches, which treat the local network as a safe space, are therefore no longer suitable for today’s organisations. We can expect to see significant modernisation projects implementing zero-trust approaches throughout 2022.”
How COVID-19 made zero trust the right approach to modernise networks
Privacy-enhancing technologies
As security capabilities continue to evolve, a new avenue for strengthened data protection comes in the form of privacy-enhancing technologies (PETs). Work undertaken by bodies such as the UN is exploring the possibilities of collaboration between organisations on sensitive data, on protecting assets while generating value.
Dr. Alon Kaufman, CEO and co-founder of Duality Technologies, predicts: “2022 is the year that privacy-preserving technology will be configured to support a wide variety of business applications based on the privacy level and the context of use. Some types of data are more sensitive, personal, or private than others, and are therefore subject to different regulatory controls – which necessitates the use of a range of PET-based solutions.
“In 2022, solutions will emerge to optimise the various privacy enhancing innovations developed in the past 5 years.”