The last year was a busy one for hackers. 2019 saw globally-renowned businesses, public authorities, and even voting systems fall victim to crippling instances of system outages, data theft and ransomware attacks.
As digital technologies continue to permeate just about every aspect of modern life, it goes without saying that the security of data is a global issue.
Data Privacy Day is aimed at spreading awareness of the fundamental role that cybersecurity plays in the world. Here, industry experts delve into its importance further:
What’s all the fuss about?
Tim Hickman, partner at White & Case, claims that “the ICO’s response to the Dixons Carphone data breach further emphasises the importance of properly protecting customer data. A clear trend has emerged in the past 18 months, with many of the ICO’s most high-profile investigations focusing on data breaches involving financial data. Businesses that handle financial data therefore need to be especially careful to implement appropriate cybersecurity measures. In the past 12 months, the ICO has announced its intention to issue fines totalling hundreds of millions of pounds in respect of large-scale breaches involving financial data.”
“It is always possible to report a data breach to the ICO with the option of providing additional information once an investigation has taken place. However, pre-emptively reporting a data breach can have serious adverse consequences because such a report effectively requires the company to admit that it has suffered a breach.”
“Data Privacy Day [also] reminds us that customers are increasingly wary of how brands are using their data”, comments Nicola Pero, CTO at Engage Hub.
“Research shows that 65% would stop using a brand that was dishonest about how it was using their data. This percentage seems poised to grow further and further in the years to come, driven by a core group of influencers for whom data privacy is a hot issue with political connotations, similar to climate change or gender inequality.”
Pero speculates that “brands will increasingly be unable to establish an emotional connection with their customers if they abuse or misuse their data. Realising that one of your favourite brands has been sharing or abusing your personal data in ways that you didn’t expect would for some customers be similar to finding that a close friend has revealed a secret that was supposed to be for their ears only.”
David Higgins, EMEA technical director at CyberArk, explains that “it’s now well-established that data is the world’s most valuable asset, and a tempting target for malevolent hackers with varying motivations. More often than not, they are pursuing credentials that they can use to infiltrate businesses and target sensitive and valuable data. Attackers seek ways to cause irreparable damage across a whole range of industries, from seizing companies’ administration logins to hacking into medical data so as to hold individuals to ransom over the disclosure of sensitive personal information. As a tragic, but potentially realistic scenario, this could even result in a doctor being unable to perform a life-saving operation due to a lack of availability of the patient’s records for example.”
The role of technology
It may seem ironic, but Andrew Tsonchev, director of technology at Darktrace, maintains that technology itself will also have a big part to play in working alongside humans. “Large-scale data breaches, from Capital One last year to Marriott in 2018, have opened consumers’ eyes to the importance of holding businesses accountable. The question now being asked of organisations is not ‘which data regulations are you compliant with?’ but ‘what exactly are you doing to keep my data safe?’
“Data, and the systems that hold data, will always be vulnerable. If organisations are to truly protect consumer data, artificial intelligence (AI) will be critical, not just a nice-to-have. Only AI can constantly monitor where critical data is and automatically stop it leaking out of an organisation and into the wrong hands.”
“Data privacy is an aspect of security that has become increasingly important to businesses and consumers alike,” adds Chris Hodson, CISO at Tanium. “The enforcement of GDPR in 2018 followed by the CCPA in January of this year has shown that governments are prepared to proactively regulate organisations to implement higher standards of protection for personal data.”
According to Hodson, “Companies often fail in privacy and information protection because they simply don’t understand the volume, breadth and sensitivity of information contained within their IT environments.” In an attempt to solve this issue, Hodson suggests that “understanding what is in an IT environment is a crucial step to ensuring data is effectively protected. It is the job of IT operations and security teams to unite to establish complete visibility of their ecosystem and implement the controls necessary to support data protection and information privacy.”
“An issue that is often overseen in terms of GDPR”, according to Chris Huggett, senior vice president for Europe and India at Sungard Availability Services, “is the result of an IT outage, which prevents businesses from keeping their services running. As a server or organisation’s infrastructure is down, data is then at risk of exposure and therefore a company is at risk of failing compliance. IT and business teams will need to locate and close any vulnerabilities in IT systems or business processes and switch over to disaster recovery arrangements if they believe there has been a data corruption.”
Huggett highlights that “an organisation’s speed and effectiveness of response will be greatly improved if it has at its fingertips the results of a Data Protection Impact Assessment (DPIA) that details all the personal data that an organisation collects, processes and stores, categorised by level of sensitivity. Data Privacy Day is a great opportunity to expose unknown risks that organisations face but moving forward it is vital that business leaders embed privacy into every operation. This is the only sustainable way to ensure compliance on an ongoing basis.”
The role of the people
“In the age of social media and the over-sharing of personal information, many forget that privacy is our right. It is protected by laws such as Article 8 of the European Convention on Human Rights”, reminds David Warburton, senior threat research evangelist at F5 Networks.
As a one-stop piece of advice, Warburton suggests that “if you do anything this Data Privacy Day, make it a positive step to enhance your business’ privacy stance by reinforcing the importance of cybersecurity and the dangers of social engineering. This should include robust employee awareness programmes that evolve in line with new social platforms and ensure a culture of responsible sharing.
“But it isn’t just individual employees that need attention. Attackers can also target specific organisations via employee details on company and partner websites. Information such as ownership records, SEC filings for public companies, lawsuits, and social media, all provide insights that can be used maliciously. Every business should periodically review any information shared on associated websites and social media pages to determine if the content is essential.”
In addition to taking proactive steps to prevent cyber threats, Euan Davis, European lead for Cognizant’s Center for the Future of Work, notes that “over the coming years, we will see new roles within security departments emerge, requiring different capabilities to the jobs that we see on offer today. Some of these were outlined in a recent report by Cognizant called ‘21 More Jobs of the Future’ and include: Cyber City Analysts, Cyber Attack Agents, Juvenile Cybercrime Rehabilitation Counsellors and Cyber Calamity Forecasters.”
Securing the future in the digital era
Higgins concludes, “hackers will inevitably be successful from time to time. Addressing this threat and limiting how far they can infiltrate a network after a successful breach is imperative in order to safeguard national security. Infiltration or compromise of CNI, for instance, could plausibly result in the loss of control of public services such as utilities, healthcare and government, posing a severe risk to public safety. This Data Privacy Day, we need to take a step back to not only understand the value in the data we hold, but also the importance of only allowing individuals and systems that need it to access it.”
Data Privacy Day might sound like ‘just another awareness day’. But there is a reason that this year it is being observed for the entire month rather than just one day. Despite new security technologies and tightening regulations, the goalposts are constantly shifting as the tactics and targets of hackers become even more ambitious and sophisticated. To have any chance at winning the digital battle, business leaders must ensure that data privacy is embedded into every aspect of the organisation.