The collection and use of personal data have grown at an unprecedented rate in recent years, accelerating even faster during the pandemic amid the digital shift. Heather Paunet, senior vice president at Untangle, noted: “In today’s connected era, people disclose personal data during dozens of daily interactions, from online shopping, healthcare portals, social media, wearable devices to streaming services. This data is used to create profile-specific experiences across a multitude of devices and mediums, resulting in personalized, effective marketing campaigns.”
Unfortunately, this information is also viewed as highly valuable by those with nefarious intentions, from cyber-criminals motivated by financial gain to governments wishing to use this data as a means of surveillance and control.
Protecting this data has also become more challenging in the past two years. Terry Storrar, managing director of Leaseweb UK, explained: “Protecting data has become more complex during the pandemic with the majority of businesses moving to hybrid or remote office models. There is now a myriad of external and internal security threats to address, including new vulnerabilities resulting from security gaps in the rapid-fix infrastructures that were put in place to enable home working in the first lockdown.”
Therefore, during this year’s Data Privacy Week, it is vital that organizations reflect on their data protection strategies and question whether they are sufficient for the current landscape. Here are three key areas they should focus on to ensure their customers’ privacy is respected.
Security Starts at Home
First and foremost, organizations need to get their own houses in order. Insider threats, be they malicious or negligent, are a significant and growing problem, and often put sensitive customer data at risk. Anurag Kahol, CTO at Bitglass, a Forcepoint company, said: “Companies need to protect access to consumer information as well as the various systems that store it. This can become more challenging for improperly equipped organizations that adopt cloud technologies and other remote work capabilities, as consumer data can then potentially be accessed across numerous applications and on various devices.”
Organizations must take steps to ensure access to customer data is as restricted as possible, particularly with the growing use of third-party vendors. For example, “organizations can require that employees attempting to access consumer data are authenticated via single sign-on (SSO) as well as multi-factor authentication (MFA). This will aid in ensuring that only legitimate, authorized users can handle consumer information,” outlined Kahol.
To significantly reduce the risk of non-malicious insider breaches, employees should receive extensive security awareness training. This has become even more vital following the shift to remote working, with staff often lacking easy access to their IT team. Leaseweb UK’s Storrar commented: “Lack of education and human error are two of the largest causes of data breaches, and it is easy for an employee to unknowingly fall into the trap of poor security practices outside the office walls. This might be something as basic as storing confidential documents on a personal device, reusing passwords or forgetting to update software. The good news is that these are relatively simple to fix through training that encourages all employees to take responsibility for the safety of the data they use.”
Adopting New Technology Solutions
Data protection tools are advancing, and investing in such technologies is becoming a need rather than a want. Stuart Abbott, area vice president & general manager of UK & Ireland at Commvault, said: “Most companies do have data protection strategies, but they are often legacy solutions that need to be modernized. Many try to patch their legacy solutions to make them fit for today’s threat landscape, but this has limited effect and leaves data vulnerable. In order to be sure that current strategies are fit for the modern-day, budget should be allocated to invest in new data protection solutions. While we are currently not seeing companies adopting these new technologies en masse, I expect we’ll see this gradually change. A lot of people are behind the curve because the market itself is still modernizing. We are moving in the right direction, but there is still a lot to be done.”
Enza Iannopollo, Forrester principal analyst, agreed progress is being made. “Privacy teams are progressively investing in more sophisticated and automated technology to support their efforts. Encryption is one of the main technologies they are implementing today. Privacy-preserving technologies, as well as software for privacy training, also top the list of new tools privacy decision-makers are planning to adopt in the future,” he stated.
Understand Global Data Protection Legislation
Since the EU’s General Data Protection Regulation (GDPR) came into force in 2018, a plethora of data protection and privacy legislation has been enacted worldwide, and more is on the horizon. Therefore, companies operating across jurisdictions must have a clear understanding of the requirements of multiple regulations and have the ability to comply with them all. To do so, Gareth Tolerton, product innovation director at Totalmobile, offered the following advice: “Ensure that you have specific policies in place around the handling, storage, access, visibility and transmission of personal data so that staff know exactly when and how they can interact with this. In the same vein, training is vital. Initial GDPR training would have occurred almost four years ago, so regular refreshers are key to keeping teams secure. Finally, organizations that can appoint a dedicated Data Protection Officer will be able to give their full attention to internal compliance strategies and processes, adding that extra layer of protection.”
With the data protection landscape becoming more complex and expensive for businesses to navigate, Erkang Zheng, founder and CEO of JupiterOne, hopes that in time, more consistency will be brought in across borders. “We need to see greater simplification on the process side, driven by the unification of regulations. So many things sound great on paper, but how practical is it to implement security across so many different regulatory frameworks?” he asked. “At the very least, national rules will need to come together for organizations to implement a cohesive privacy framework for each country. By not reaching some consensus about privacy, we introduce greater risks for everyone to stand up with adequate security protections.”
Investing time and resources into data protection has never been more critical given the increasing flow of personal information, facilitated by the digital revolution. Organizations must ensure personal data is kept safe and private from nefarious actors, both to stay compliant with regulations and to retain the trust of consumers, who are becoming increasingly aware of these matters. With much of the world appearing to finally emerge from the COVID-19 pandemic, Data Privacy Week 2022 is as good a time as any to reflect on how to adapt to a changing data protection landscape.