Recognising the 1981 signing of Convention 108, the first legally binding international treaty for privacy and data protection, Data Privacy Day raises awareness of the need to keep employee and customer data secure, and compliant with regulations such as GDPR. Today, it’s reported that over 2.5 quintillion bytes of storable information is developed every day — with an average digital user producing some 1.7MB of data each second.
Continuously evolving cyber threats and the recent evolution of AI paint a data management landscape that could prove chaotic and costly if all assets aren’t properly controlled. Costs for poor privacy practices, after all, would not only be financial, but reputational, too.
OpenText research reveals that almost three-quarters (72 per cent) of consumers say they have new concerns about how organisations use their data since the start of the pandemic, while almost half (46 per cent) say they would no longer use or buy from a company they were previously loyal to if it failed to protect or leaked their personal data. Indeed, retaining customer trust is vital, and strong data privacy is key to achieving this.
In this article, we delve into how businesses can ensure that all company and customer data is managed by strong data privacy protocol.
Key roles in the IT team
Privacy is now at the forefront and one of the top concerns for consumers, making it the responsibility of everyone in IT. This truly calls for a team effort across the organisation.
“On Data Privacy Day, organisations have the opportunity to reflect and commit to a holistic approach within their IT teams to ensure data privacy standards are upheld and data resiliency is achieved,” said W. Curtis Preston, chief technical evangelist at Druva.
Preston went on to identify the following roles and responsibilities that should be in place in the IT team:
- The web developer ensures that any personal data received via the web is stored directly in a special database designed for personal information.
- It’s the database administrator (DBA)’s job to ensure that the database is treated differently, applying the process of least privilege to it, to ensure only a select few are granted access, and everyone else (including bad actors) is only met with encryption.
- Then, the system administrator needs to apply the same concepts to wherever that database resides.
- It’s the backup person‘s responsibility to ensure the backups of this database follow best practices, and are encrypted and air gapped.
- Finally, the security person should check in with the rest of the staff to help them understand their responsibilities and ensure they are meeting them.
“When all of these pieces of the team are aligned, organisations can be certain that they’ve done everything possible to keep their data resilient in the face of unexpected threats and adversity,” Preston said.
Ransomware is set to continue wreaking havoc on company networks. According to the Veeam Data Protection Trends Report, 85 percent of companies were attacked by ransomware at least once in 2022 alone. All members of staff need to remain vigilant, with training put in place to help recognise what needs to be done to prevent harm.
“While we hear time and time again experts telling organisations to protect data and get ahead of becoming a bad actor’s next target, many don’t know the first steps to take,” explained Veeam’s vice-president of enterprise strategy, Dave Russell.
“My advice on Data Privacy Day is to make sure systems are patched; employees are given proper training on common attack methods such as phishing links; zero-trust strategies are implemented and maintained; to be aware of the best digital hygiene practices; and to implement a data recovery strategy to ensure that when an attack happens, data remains immutable.”
>See also: Data immutability: the forgotten component of defence in depth
It may be an industry standard in many sectors, but the frequency of data breaches in the past year shows that encryption isn’t always properly implemented. Data needs to be consistently encrypted across all locations, transfer points and formats.
“With ever-expanding amounts of data being generated and stored every day, in all manner of locations, formats and platforms, it is the lack of visibility and consistent enforcement of security policies that threat actors are taking advantage of,” explained Chris Harris, EMEA technical director at Thales.
“Networks are under constant probing and scanning by threat actors, so finding ways to securely store and move the vast amounts of data being generated every day, without compromising on performance and user experience, is crucial.”
The types of encryption to consider
There are various kinds of data encryption that are suitable for the various cases that organisations will meet when keeping assets protected. These include:
- Data-at-rest encryption: ensures that data is secure down to the storage type in which it resides.
- Firmware protection: helps to prevent threat actors from reverse engineering firmware.
- Hardware-level encryption: provides a level of encryption that is separate from the operating system.
- Instant secure erase (ISE): encrypts the drive, with only the encryption key needing to be deleted when data needs to be eradicated, allowing for quicker protection in a matter of seconds.
“We live in a world where data is everywhere, stored on both hardware and software, meaning always-on protection is a must for businesses,” said Brad Jones, CISO and vice-president of information security at Seagate.
“Any businesses looking to seize the benefits of innovation in technologies such as embedded systems, IoT, real-time data and AI-powered cognitive systems, must do so with strict compliance with legislation like GDPR and data security at the heart of their adoption.”
AI and ML-powered tools
There are an array of artificial intelligence (AI) and machine learning (ML)-powered tools that can bolster data privacy approaches, allowing for added threat visibility and predictability, as well as the accelerated action made possible thanks to added insights.
On the other side of the screen, AI, ML and other automation capabilities can help to maintain strong customer service regarding data, as Andy Teichholz, global industry strategist, compliance & legal at OpenText explains: “Customers are more empowered than ever to exercise their rights and reclaim control of their information by submitting Subject Rights Requests (SRRs), with our research showing that more than a third (34 per cent) of consumers would completely abandon a brand if the company failed to respond to a SRR.
“With the help of available technologies including AI and ML tools, organisations cannot only locate all personal and sensitive information, they can appropriately classify, manage, and protect it throughout its lifecycle and apply policy-based retention tools to support data minimisation.
“They can also automate the SRR fulfilment process to ensure deadlines are met and that processes are repeatable and defensible.”
>See also: Use cases for AI and ML in cyber security
The zero trust journey
With hybrid working continuing to spread endpoint devices beyond the traditional network parameters that were present pre-pandemic, every organisation now needs a comprehensive zero trust model that assumes all new devices and users are considered suspicious until proven otherwise. However, this alone isn’t enough — a truly successful zero trust approach is a strategic journey, as opposed to a one-time measure.
“Organisations often think that creating a zero trust framework is a ‘one-and-done’ process. In reality, it is an interactive journey that must be reassessed at every step of the way,” said Chris Vaughan, vice-president, technical account management EMEA at Tanium.
“Cloud solutions often have a tool set that can continuously check the state of endpoints and attest to them much more readily, as long as they are switched on.
“Through a zero trust approach and the use of effective tools to gain visibility of IT environments, organisations will give themselves the best chance of avoiding costly breaches in 2023.”
Information Age guide to data + privacy — Data and privacy regulation is becoming increasingly complicated, with the EU set to fine companies up to €20m for misusing people’s information. Here are strategies and tools to ensure you stay compliant.
Data privacy: why consent does not equal compliance — Brands and publishers are unwittingly leaving themselves exposed to being fined billions of dollars for data privacy violations.
What will a UK version of GDPR look like? — A new UK version of GDPR must have at its core a commitment to lower costs and compliance issues for small businesses, say business experts.