Data Privacy Day (known in Europe as Data Protection Day) is a global event that occurs every year on 28 January. The purpose of Data Privacy Day is to raise awareness and promote data protection best practices.
Data Privacy Day promotes events and activities that stimulate the development of technology tools that promote individual control over personally identifiable information, encourage compliance with privacy laws and regulations and create dialogues among stakeholders interested in advancing data protection and privacy.
Security Advisor ME spoke to some of the security leaders to find out how relevant data privacy is, today, and whether they think enough is being done about this. Here’s what they said:
Bernard Montel, EMEA Technical Director and Security Strategist at Tenable
Fundamental to data management and privacy is protection of our sensitive data. However, reading the daily headlines, there are still numerous data breaches with huge volumes of information being breached globally. What we know is that, when a threat actor evaluates a company’s attack surface their attack methodology is not advanced or even unique but opportunistic, looking for an open window to crawl through. They’re probing for the right combination of vulnerabilities, misconfigurations and identity privileges that will give them the greatest level of access the fastest.
Understanding all of the conditions that matter in today’s complex and dynamic environments help the organisation understand the full breadth and depth of its exposures, allowing security teams to take the actions needed to reduce them through remediation and incident response workflows.
To reduce the threat, security teams need to see all of their software vulnerabilities, misconfigurations, who is using what systems and what level of access they have all correlated together, regardless of whether it’s happening on a laptop, a container, an application or a programmable logic controller (PLC). This provides the full breadth and depth of the organisation’s exposures allowing the team to take the actions needed to reduce threats through remediation and incident response workflows.
Werno Gevers, Cybersecurity Expert at Mimecast
Data privacy has never been more important for businesses and individuals alike. As more of our lives are digitised and the volume of personal and corporate data continues to grow, citizens and businesses face an uphill battle to protect their data and prevent threat actors from using it in the service of cybercrime and fraud. Personal data has become like gold to cybercriminals, who weaponise your own information against you to make their cyber scams more believable.
The rapid digital transformation that most businesses have undergone in the last few years has created additional opportunities for threat actors, who have stepped up their efforts to breach organisational defences and steal sensitive personal and professional data.
In recent years we’ve seen a rise in legislation that ensures the protection of personal data. Last year we saw the launch of the Personal Data Protection Law in the UAE which provides a legal framework to ensure the security and privacy of personal information. Meanwhile Saudi Arabia’s Personal Data Protection Law will be effective in March this year and will regulate how personal data can be used, processed and retained.
These laws put greater pressure on businesses to protect their customer and other data – or risk penalties and a subsequent loss of trust with their customers.
The implementation of these laws is an excellent step in the right direction, but the onus now falls on organisations to ensure they are compliant and that they have all the processes, tools, and systems in place to always work protected and better manage all the data they collect and store. By doing so, organisations can build and maintain high levels of trust that can improve their relationship with customers.
Sreedharan K S, Director of Compliance, ManageEngine (Zoho Corporation)
The privacy environment has undergone significant upheaval worldwide, the watershed moment being the adoption of GDPR by European Union. Data is a valued resource for making crucial business decisions. However, regulators and data subjects are both demanding robust data privacy frameworks to prevent the misuse of personal information. The momentum in this rapidly evolving privacy landscape will continue to gain pace in 2023.
Data privacy laws give customers more control over their data, requiring organisations to get customer consent before using their personal information and provide transparency on how data will be processed, and it’s vital for organisations to comply with these legal requirements. With data privacy regulations gaining prominence following the implementation of the GDPR, privacy laws have been implemented in many regions. This has led to greater awareness among individuals about their data privacy rights, and organisations are facing more legal scrutiny when processing personal data.
This is why businesses need to ensure they are in compliance with their respective data privacy laws and are protecting the rights of data subjects. However, the data protection laws which are territorial in nature face unique challenges when data moves across boundaries. This has resulted in governments coming up with enhancements related to transfer of data to the existing data protection laws. Data protection laws will continue to be adopted by more countries and will evolve to better protect individuals’ rights. Privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) regulate data storage, sharing, and disclosure practices for consumer data in today’s digital economy, and are disrupting business models and the way data transfer works.
The competing standards for data protection across different regions create challenges in navigating the complex regulatory space. For instance, POPIA, the South African data protection act, classifies information about a company or facility as personal data. This criterion is specific to South Africa, meaning organisation should be aware of variations like these and accommodate them in their policies and procedures.
Corporations also need to be vigilant and conscious about transferring data. It’s possible that some of the former processes through which these transfers occurred are obsolete. Businesses must restructure their work procedures and examine how sub-processors handle data in order to shield data against potential threats and comply with regulatory requirements.
The data protection laws will evolve based on how effective they are. Organisations need to keep track of the evolving data protection landscape, review their processes, and embrace agility. To address the ever-changing requirements of data protection laws, cloud companies are localising their data and processes.
Johnny Karam, Managing Director & Vice-President of International Emerging Region at Veritas Technologies
Over the past couple of years, ransomware, once thought of as primarily a security threat, has evolved into one of the biggest data privacy challenges that businesses continue to face. Today, double and triple extortion tactics that up the ante by threatening to sell or otherwise leak sensitive data are table stakes. Recent reports indicate that ransomware attacks in the Middle East are on the rise, with the UAE and Saudi Arabia the countries most targeted in the GCC.
Data Privacy Day (January 28) is a great reminder of the importance of keeping sensitive data protected against the ever-evolving threat landscape where ransomware is the prevailing cyberattack. Here are three things organisations can do to reduce data privacy risks associated with ransomware and other threats:
Organise and assess your data. A recent Veritas study found that 53% of UAE organisations no longer had visibility of their entire data footprint in the cloud, leaving them vulnerable to cyber-attacks. Understanding what kinds of data you have enables you to assess what it’s worth and who needs access to it. These, in turn, inform where it should be stored and how access is managed. Limiting access to only those who need it limits exposure in the event of an attack.
Have a cross-functional response plan in place so you’re prepared to respond to a ransomware attack that involves sensitive data. As part of this, test your ability to quickly and even automatically take compromised storage devices offline to prevent sensitive data from being exfiltrated.
Identify, categorise, and remediate compromised data. With organized data and a response plan in place, you’ll be prepared to quickly identify what data, if any, has been compromised during an attack so you can make informed decisions about your next steps. You’ll be able to know, for example, if the bad actors took sensitive customer personally identifiable information (PII) or simply next week’s lunch menu for the cafeteria.
Mohamad Rizk, Regional Director, Middle East & CIS at Veeam Software
Follow these top tips to keep your personal information safe online.
Tip #1: Be skeptical. If a deal or offer seems too good to be true, it likely is. Don’t give your personal information to a company you’ve never heard of before simply because you can get the gaming system you’ve been eyeing for 80% off any other store’s price. Chances are – you won’t be receiving the gaming system at the end of your transaction, but that supposed company will be getting your credit card information.
Tip #2: Slow down. Mindfulness is great for your mental and online health. By slowing down and breaking the sometimes-mindless scrolling habit that so many of us have, we can make decisions with a focused mind and not fall for the tricks of social engineers who rely on us being distracted, having an emotional response to the things we see online and chasing those small doses of dopamine we get when interacting with others online. Skip the mindless scrolling and stay ahead of the cyber criminals trying to trick you.
Tip #3: Keep your private information, private. The internet, especially social media, has allowed us to share information with the masses in an instant, which removes the time to think through our actions thoroughly. If it’s not something you want showing up on a billboard as you’re driving down the road, keep it off the information superhighway. Even the best privacy settings aren’t foolproof and there is a reason that we say nothing really goes away online. Unless you want a random guy from halfway around the world using your bank account for his online gambling addiction, don’t share your mother’s maiden name or your high school’s mascot when you see one of those “my fictional character name is” games.
Tip #4: Central Bank or Police do not need your credit card or bank information. There are lots of instances today in the Middle East where individuals receive emails or text messages from cyber criminals posing as the Central Bank or Police. If these government agencies in your country want to review, activate, deactivate, cancel or take any action regarding your card or bank account, they do not need your approval or your bank/ credit card details with the CVV code and OTP codes. Do not share these details with anyone.
Tip #5: Be alert when visiting public venues like coffee shops and airports. When working on or discussing private/sensitive issues, ideally do so from a secure location like the privacy of your home. Do not bring up private information on your laptop screen while you are at an airport or coffee shop, where people could likely have a sneak peek. Also, private phone calls should only be made in private places where you can be alone and no one can hear you.
And a bonus tip! If you can connect it, protect it. In today’s world where everything from our thermostats to our coffee makers are connected online or controlled through an app, it’s important to remember that with that convenience also comes the opportunity for attackers to hijack our sessions. Be sure you are using strong passwords, opt for multi-factor authentication if given the choice, avoid unprotected Wi-Fi networks and leverage anti-malware software if the device allows for it.
Ned Baltagi, Managing Director – Middle East and Africa at SANS Institute
Despite the anniversary of 17 years of Data Protection Day and 42 years of the Data Protection Convention, personal information remains high on cybercriminals’ agendas – and it remains just as easy for them to get their hands on this data. There is not a day when a company is not hacked somewhere in the world, when the data of private individuals is not leaked somewhere.
With the increased cyberattacks on hospitals, countless amounts of patient data are unprotected on the web. Collectively, more than 38 million pieces of data have been stolen in information thefts on hospitals in the U.S. alone since 2011. Despite ever-increasing demands for data protection and data security, the security community is failing to protect sensitive information. Cybersecurity must become a work routine – the problem is not so much a lack of implementation of regulations, but more a lack of security awareness among employees faced by IT security professionals who must manage and secure more and more IT systems and applications.
In our SANS 2022 Security Awareness Report, author Lance Spitzner notes that for cyber attackers around the world, humans have become the most important attack vector. It’s no longer technology, but people that pose the greatest risk to organizations. Security awareness programs, and the professionals who manage them, are then key to managing this human risk. Security awareness programs enable security teams to effectively manage their human risk by changing the way employees think about cybersecurity and helping them exhibit safe behaviors, from the boardroom on down.
When training employees, the following three tips will help security managers:
Phishing Resistance: Phishing is a form of social engineering that uses email, social media posts or a direct messaging service to trick users into clicking on malicious links that ultimately lead them to inadvertently disclose personal information or download an infected attachment. Increased digital connectivity has led to increased vulnerability to this type of hacking technique. Security awareness trainers should provide training on how to recognize phishing. Especially in times when artificial intelligence and chat programs are giving cybercriminals a helping hand, this measure is perhaps the most important of all.
Password Hygiene: On average, two out of five people have had their digital identities stolen, passwords misused, or confidential information exposed because they used duplicate or weak passwords. Password hygiene training is therefore more than appropriate and should be an integral part of any security awareness training. Here, the participants are shown how to create secure passwords and not simply change them minimally depending on the service.
Device Locks: Digital devices such as smartphones and tablets have become an important part of everyday life, which means that there are more points of attack for malicious actors than in previous years. If users lock down their devices and keep software up to date, it will be more difficult for attackers to compromise these devices.