Data privacy “needs to become part of everyday conversations”

Data Privacy Day (known in Europe as Data Protection Day) is an international event held every year on 28 January. Its purpose is to raise awareness of, and promote, privacy and data protection Best Practice. While great strides have been taken, there’s a strong belief that data privacy needs to become part of everyday conversation in business circles, with today’s companies harbouring a distinct ethical responsibility in this area.

Colin Truran, principal technology strategist at Quest Software, commented: “Data Privacy Day acts as a stark reminder for businesses to reassess their data protection strategies, but we need to continue making this part of our everyday conversation. While we’re making great strides towards this, businesses still need to move away from viewing data privacy as a simple ‘tick-box’ exercise and consider the ethical responsibility. Legislation such as the General Data Protection Regulation (GDPR) and the role of the Information Commissioner’s Office is pushing this mandate to the forefront and holding organisations accountable. It’s early days, but the foundations are starting to be laid. Businesses need to start considering the impact of their actions. This will be another watershed moment, and one they may fall victim to if unprepared.”

Truran added: “With organisations becoming more aware of the ethical implications, we have to start considering data sovereignty, anonymity and ownership. One of our biggest challenges is human error. There’s still a significant lack of understanding from the public on the true dangers of data misuse. While we don’t know how our information will be used in the future, there’s a lot we can do now as individuals to protect our identities. Perhaps by integrating data privacy into the national curriculum we can then start to safeguard data from Day One.”

GDPR “just the starting point”

Adenike Cosgrove, cyber security strategist at Proofpoint, observed: “Data Privacy Day provides an important opportunity for organisations to take a step back and consider whether they really are doing enough to keep their customers’ data secure in the face of today’s threats. While data protection regulations such as the European Union’s GDPR have helped to start conversations and forced organisations to think differently about how to keep data secure, this is just the starting point. Just because a business complies with the GDPR, for example, doesn’t necessarily mean that it’s doing everything it can to protect its customers’ personal data. For example, under the GDPR, the integrity and confidentiality principle states that organisations must implement ‘adequate security controls’ to safeguard personal data. Critically however, the GDPR doesn’t define what ‘adequate’ really means.”

Cosgrove went on to state: “An organisation could argue that its implementation of basic anti-virus protection and once-yearly data protection training for staff is ‘adequate’. Technically speaking this may be compliant with regulations, but is it really enough to keep consumers’ personal data safe from malicious attacks and data breaches? Today’s cyber threat landscape has changed dramatically, with malicious actors favouring sophisticated and targeted attacks which rely on social engineering to capitalise on human vulnerabilities. ‘Adequate’ security simply isn’t enough. Defending against such threats requires an equally sophisticated strategy for the ongoing security of people, processes and technology.”

Further, Cosgrove informed Risk Xtra: “Regulatory compliance is often viewed as a ‘tick-box’ exercise and can be open to interpretation, so becoming compliant with regulations such as the GDPR should not be a primary driver of security. Compliance is an important step in the process as it can help an organisation to discover critical gaps in its current security, but it should only be viewed as a starting point on the journey towards true data protection and information security. Beyond the compliance ‘tick-box’, organisations need to implement industry Best Practice, understand their individual risk profile and implement people-centric security strategies.”

Security “the first concern”

Richard Wadsworth, vice-president of delivery operations at Contino, explained: “Security is the first concern for organisations. Today’s businesses are operating across increasingly complex and distributed IT environments and have a mandate from regulators to protect any data that’s processed with a multi-pronged approach. On Data Protection Day, it’s worth organisations considering what their first step towards enhanced security should be. Breaking down silos between teams and ensuring that everyone is responsible for security is a good starting point. If applications are built by development teams with security in mind, Ops can deploy them faster and with peace of mind knowing that Dev understands how important reliability and security really is.”

He added: “Security patches should be quick and automated and not take months to complete. Similarly, when designing APIs and new features, this should be done with an eye on future releases so you don’t end up with technical debt and are unable to patch your system for fear of breaking something. As businesses continue to embrace the cloud, it’s important to remember that it operates on a shared responsibility model. This means that the cloud vendor is responsible for the security of their cloud platform, but businesses are responsible for the security of data in the cloud platform. Having security policies in place that can be scaled across your organisation goes a long way towards securing cloud-native applications.”

By way of conclusion, Wadsworth opined: “Ultimately, security needs to be ‘Step Zero’ for every process put in place. By having a ‘security first’ approach built around a combination of tactics, businesses can ensure data security is a top priority for Data Protection Day and every day thereafter.”

Important reminder

Jasmit Sagoo, senior director and head of technology for the UK and Ireland at Veritas, stated: “Data Protection Day serves as an important reminder that businesses are being increasingly held more accountable by regulators and consumers for protecting data. It’s a good opportunity for CIOs and Data Protection Officers to highlight the issue of data privacy to the Board, or implement internal activities such as employee training or phishing tests to ensure employees are continually educated about the vital role they play in protecting data.”

Also, Sagoo outlined: “IT leaders should use Data Protection Day as an opportunity to review their current data protection strategies. Software that can automate the protection and recovery of data everywhere it lives within an organisation, while ensuring 24/7 availability of business-critical applications, should be considered. Data Protection Day may be a one-day event, but it’s imperative to maintain good privacy practices all year round.”

Imperva’s senior vice-president Terry Ray said: “As more organisations turn towards cloud environments to store their data, Data Protection Day serves as a stark reminder to businesses to ensure compliant data privacy practices are maintained. Businesses are reminded to find a balance between their security and regulatory needs, the expertise of their technical staff and security enabling technology. It’s this discrepancy that can lead to simple security mistakes that shouldn’t happen.”

Consumer demands changing

Rufus Grig, chief strategy officer at Maintel, explained: “Consumer demands are changing and businesses are operating in a global market. Therefore, companies are looking for ways in which to differentiate themselves and, as a result, are increasingly focusing on personalising their offer.”

Grig added: “As we move through the new decade, we will see companies use a variety of tactics to create a personalised experience to boost sales, but this approach must give something to the customer, whether that’s special discounts, an improved experience or hand-picked content. It is, in fact, something we’re starting to see customers demand, with consumers expecting personalisation without the wait. All of this personalisation requires one key element – data.”

Looking ahead, Grig observed: “Throughout 2020, companies would be well advised to undertake a trust building exercise and ensure their customers that data is being kept secure and the company is following Best Practice. We will see more and more companies explaining why they need certain data, how they intend to use it, how the customer could benefit and, of course, how all this information will be stored securely. If somebody understands why certain information is being collected and how this data will be used, they’re much more likely to trust a business.”

Finally, Grig said: “Companies should only collect what information they need, store it securely and implement data leakage protection. On this Data Privacy Day, companies should reflect on the data they’re collecting. They should put themselves in their customers’ shoes. As a customer, would you be happy sharing this data and how would you expect a business to use it and store it?”

Data sharing resources

The ICO is marking this year’s annual Data Protection Day by highlighting data sharing resources and guidance.

Information Commissioner Elizabeth Denham said: “Today is an opportunity to reflect on the rights that protect people’s personal data around the world. It’s also a day to recognise the role those rights play in encouraging trust and confidence in how organisations handle data, which is particularly important in enabling successful digital innovation.”

The Information Commissioner added: “To mark this year’s event, we’re focusing on data sharing. Organisations that share people’s personal information must do so in line with the law, but it’s a myth that the GDPR prevents data sharing. I hope the resources and guidance we’re sharing can help to illustrate that point.”

Tony Pepper, CEO at Egress Software, informed Risk Xtra: “Data Protection Day is a stark reminder that our 24/7/365 highly connected culture increases employee fatigue, causing them to make more mistakes, and especially so when it comes to e-mail. In fact, statistics from the ICO, which Egress obtained through a recent Freedom of Information request, revealed that 60% of 4,856 personal data breaches recorded between January and June last year were the result of human error.”

Of those incidents, nearly half (43%) were the result of incorrect disclosure, with 20% posting or faxing data to the incorrect recipient. Nearly one fifth (18%, in fact) were attributed to e-mailing information to incorrect recipients or failing to use Bcc, while 5% were caused by providing data in response to a phishing attack.

“All too often, organisations fixate on external threats, while the biggest cause of breaches remains the fallibility of people and an inherent inability of employees to send e-mails to the right person. Not every insider breach is the result of reckless or negligent employees. Regardless, the presence of human error in breaches means organisations must invest in technology that works alongside the user in mitigating the insider risks.”

Pepper added: “That said, it’s quite apparent that older security technologies from previous decades are vastly inadequate in protecting against this new generation of ‘human’ breaches. This is one of the reasons why we’ve developed our Human Layer Security approach in response to the fact that yesterday’s security technologies will not prevent the threats of tomorrow. It’s important to put humans at the centre of your security strategy.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.