
Data Privacy Day: Experts Comment on Enterprise Privacy Practices

In the last two years, we’ve experienced a broad spectrum of events that disrupted our lives and business – from economic turbulence, to the ongoing pandemic, to social movements, environmental disasters, and much more. While technology has adapted and responded to these times of change, data privacy practices are often left behind, leaving individuals and businesses to rethink how ‘private’ their data is.

Recent large-scale data breaches have made data privacy a hot topic, and the figures are shocking. As of 2021, CERT-In had documented and reported more than 11.5 lakh incidents of cyber attacks. Data Privacy Day, celebrated on January 28 every year, is an excellent opportunity for companies to make a commitment to cyber security and implement robust data management solutions.

Ahead of this special day, CXOToday speaks to some experts in the tech industry on how they are looking at privacy through the lens of the various changes they’ve faced in recent times, and how organizations can improve their data privacy practices going forward.

—————————————————————————————————————————————–

“Data privacy concerns have been exacerbated by the pandemic as we have seen an uptick of ransomware and cyber crimes with bad actors taking advantage of the rapid shift to remote work, the increase in online deliveries and the proliferation of QR codes. The sheer amount of data we share about ourselves online is a privacy concern and more alarming is that many workers are using the same devices for personal and business activities. For this reason, it is critical for businesses to be able to manage all devices that access their network, along with effectively prioritizing and remediating vulnerabilities that pose the most danger to their organization.

For example, companies should automate patch management for customers and help them identify and patch their most critical vulnerabilities proactively. It is critical for businesses to have real-time intelligence on known exploits along with threat context for vulnerabilities so they can respond with more agility to the vulnerabilities that place their organization at the greatest risk.” – Lana Xaochay, Ivanti Data Privacy Officer

—————————————————————————————————————————————

“Data privacy reform has changed our global community forever. As we begin 2022, organisations face an emboldened world demanding greater accountability and trustworthiness. The recent steps taken by several countries to bolster their consumer privacy rights and processing activities (such as China’s Personal Information Protection Law) will have a far-reaching global impact on privacy rights and data protection practices. People are more empowered than ever to exercise their rights, submit Subject Rights Requests (SRRs) and reclaim control of their information. They want to understand how their data is used and to access, correct, delete, and restrict use. To meet these data-intensive demands and overcome a scarcity of resources to support key business activities, organisations must embrace process automation for SRR response and apply case management tools that best track its performance and effectiveness. A well-executed program that delivers a strong experience will be critical to improve customer satisfaction and loyalty.” – Andy Teichholz, Global Industry Strategist, Compliance & Legal at OpenText


“Data privacy has become a high priority for corporations across India, owing to factors such as increased global business operations and outsourcing of work to specialists outside of the organisation. Furthermore, the increased adoption of hybrid working models has made data maintenance and security more difficult. The significant increase in digital convergence has made it possible to easily exploit data beyond the stated intentions. This has added additional responsibility on organizations to protect the personal data of its employees and customers. Gartner predicts that by 2024, worldwide privacy-driven spending on data protection and compliance technology will exceed USD 15 billion annually. The Indian Government too has proposed a data protection law for data privacy assurance to support the ongoing issue around data privacy breaches. These standards seek to provide a privacy assurance framework for organizations to establish, implement, maintain and continually improve their data privacy management system.” – Sandeep Bhambure, Vice President & Managing Director, Veeam India & SAARC


“In recent years, data privacy compliance has become a critical consideration driving critical business decisions as companies look to digitally transform. Cybersecurity vulnerabilities continue to increase as companies grow their digital footprints due to the massive amounts of data being generated. The Data Privacy Day comes as a reminder for organizations to assess their cyber risks and ensure strong data privacy protections are in place but in such a way that will not impede innovation within the digital economy. Due to the increasing complexity of data flows, enterprises need to evolve past securing data at rest to a posture of continuous governance where all data is protected. Increasingly, we are seeing enterprises place, manage and analyze data at the edge, closer to their users, services and clouds. Meanwhile, concerns over the security and privacy of data in movement and/or in the cloud have also increased. This situation is more critical in Asia-Pacific and has driven the need for better technology and infrastructure solutions that improve data accessibility, security and control, while also meeting increasing data privacy requirements. It is a balancing act.” – Peter Waters, Chief Privacy Officer, Equinix

—————————————————————————————————————————————–

“It’s not just humans that are susceptible to clicking on the wrong link or are perhaps a little too cavalier about what they share about themselves. Software bots – little pieces of code that do repetitive tasks – exist in huge numbers in organizations around the world, in banking, government and all other major verticals and are now a major component of digital business. Problems arise when humans get compromised and the same can happen to bots – and at scale. If bots are configured and coded badly, so they can access more data than they need to, the output might be leaking that data to places where it shouldn’t be. Likewise, we hear about insider attacks and humans being compromised to get to sensitive data virtually every day. Machines have the exact same security issues; if they can access sensitive data and they aren’t being secured properly, that’s an open door for attackers – one that can put individuals’ privacy at risk. Attackers don’t target humans to get to data, they just target the data. If machines, especially those in charge of automated processes (think repeatable tasks like bank transfers, scraping web data and moving customer data files) provide the best path to get to the sensitive data, that’s the one the attackers will choose. The hybrid work model has changed the privacy game as well. It means that companies have to re-evaluate how data privacy is enforced in 2022. Securing access to sensitive data by remote employees will be big in 2022.” – Sumit Srivastava, Solutions Engineering Manager – India at CyberArk


“Data privacy had a big year; hybrid work opened the floodgates to new data security and privacy risks, there were eye-watering fines from high profile data breaches and new privacy laws such as the China Personal Information Protection Law (PIPL) went into effect as more regulations continue to surface. The India Data Protection Bill will likely be passed in February and a federal data privacy regulation is even under serious discussion in the United States. Regardless of how the data privacy landscape continues to evolve, there are fundamental steps every business can take to put privacy first and protect the personal data of both employees and customers.

This year’s Data Privacy Day is an opportunity for businesses to take inventory of their protection practices and identify what more they can do to build trust. Keeping the end user’s privacy interests at heart and leading with transparency is a fool-proof strategy; it will never fail. Seize the moment by reviewing data processing activities to understand what’s being collected, how it’s being stored, and who it’s being shared with – and more importantly, if all of this information must continue to be collected and stored long term. Organizations should look to leverage the cloud to streamline governance and achieve data resilience at scale.

Also, Data Privacy Day is only an annual reminder, but we must work to collectively put data protection at the forefront every day afterwards. By taking these fundamental steps, businesses will be that much closer to improving their resiliency and successfully navigating today’s new landscape.” – Yogesh Badwe, Chief Security Officer, Druva

 —————————————————————————————————————————————–

“Take the time to learn what privacy controls are available in all the apps and online services you use. Unfortunately, every app and every social network seems to do things differently, with privacy and security options often scattered liberally across numerous “Settings” pages. But don’t be afraid to dig through all the options, and don’t just rely on the default settings. Start by turning off as many data sharing options as you can, and only turn them back on if you decide you really want and need them.

If a service demands you to share more than you are willing to hand over – your address, phone number or birthday, for example – or asks for data that you just don’t think is relevant for what you are getting in return, ask yourself, “Do I really need to sign up for this, or should I find somewhere else that isn’t so nosy?”

Don’t let your friends talk you into airing and sharing more than you’re comfortable with – after all, it’s your digital life and your data, not theirs. Remember: if in doubt, don’t give it out, and be aware before you share.” – Paul Ducklin, principal security researcher, Sophos

—————————————————————————————————————————————–

“As we increasingly blur the line between our online and offline lives, Data Privacy Day is the little reminder we need at the start of each New Year to ensure our personal information is protected.  Even though we live in a digital world, we are often not fully cognizant of data privacy until our data has been compromised. Data is one of the most important assets for organizations. Thus, data privacy and security take center stage in their cybersecurity strategy. To enable seamless business recovery and develop a safe post-Covid data-centric economy, organizations need to move beyond just basic compliance measures to achieve continuous situational awareness for faster threat detection and response. This year’s Data Privacy Day should serve as a catalyst in the fight against rising cyber threats and bring greater attention toward protecting the critical data of businesses. Collaborative cyber defense, threat intelligence sharing, and data protection strategies must be leveraged to empower governments and private organizations in mitigating cyberattacks. More emphasis should be placed on implementing secure authentication mechanisms to minimize the risk of credential compromise, while ensuring secure and easy access for all stakeholders. Crucial business data in India can be protected through investment in the modernisation of security infrastructure, using secured collaboration and information-sharing platforms, leveraging threat intelligence for proactive cyber defense, using security orchestration and automation (SOAR) to streamline SecOps, and performing periodic security and risk assessments.  Individuals must take control of their digital footprints and privacy as we continue to telecommute in 2022. Moving forward, cyber situational awareness and hygiene will continue to play a key role as one of the pillars of data privacy.” – Akshat Jain, CTO & Co-Founder, Cyware


“The Data Privacy Day is a great opportunity to acknowledge and celebrate that digital trust is being transformed, with participation from all stakeholders. We must adopt a stronger legal framework which protects customers and at the same time must include non-personal information as well in the ambit of the law. Online trust & safety is the single biggest victim in an ever-growing world of opportunity the internet bestows us all with. In 2021, there were 5 major data breaches, ranking India as the third-largest victim of growing cyberattacks. Over 150 million users were impacted, whose private data now floats in the internet ether, leaving them vulnerable to the rapidly increasing menace of cyber fraud, and online theft. Consumers are demanding accountability and control of their digital privacy. Companies need to and are investing heavily in data security, and data privacy infrastructure. As our online and offline lives merge, we prioritise convenience. This convenience should not come at a cost.” – Ranjan Reddy, Founder and CEO, Bureau
—————————————————————————————————————————————–

“With the increasing threat of cyber attacks in recent months, it is imperative businesses review data management and security approaches in order to stay ahead of digital adversaries and to ensure that employees’ and customers’ data is secure. In order to reduce the threat landscape, organizations should strive towards limiting capture of personally identifiable information of both employees and customers to what is absolutely necessary. Organizations should also implement processes that limit access to sensitive information to an authorized few and further implement extensive monitoring and alerting systems in the event of any anomaly. It is possible to minimize the risk of phishing and other data privacy violations by maintaining good authentication hygiene and educating employees and users to keep an eye out for suspicious email addresses, requests, and links. With automation’s role growing in cloud environments, organizations must follow best practices to protect credentials, including the elimination of commonly used passwords and the use of multi-factor authentication. Organizations should also have an up to date, documented and tested breach response and reporting strategy to ensure that they are able to notify their customers and employees in the event of a breach or incident involving their data.” – Satya Machiraju, Vice President, Information Security, Whatfix


“In today’s digitally-driven world where cyber-crime and data theft are rising at an exponential rate, the need for small business owners to pay more attention to security protections for their online business becomes more critical. While bigger corporations are working towards upgrading their data protection ecosystem, small businesses are finding it hard to invest in the right technologies needed to help safeguard their business and customers’ data, often making them more susceptible to privacy breaches. Indian businesses need to analyze the potential risks and develop a data-protective attitude, which not only helps in securing sensitive customer and business data but also enhances the customer experience. At GoDaddy, we will continue to create awareness around it through our suite of website security tools and solutions. We believe a strong impetus by India’s small business owners to more actively work to protect the data they collect could aid in securing more trust in their businesses. We are confident that working together in India will accelerate its focus and work towards creating a more safe online ecosystem in India.” – Nikhil Arora, Vice President, and Managing Director, GoDaddy India 


“With the hybrid work model, organizations also process complex amounts of data in environments where frequent exchange of data may occur from multiple touchpoints. The influence of emerging tech like cloud-native applications, Kubernetes containers, and AI in day-to-day business activities also increases the risk of misuse of data due to the lapse in the upkeep of cybersecurity goals and IT infrastructure, making organizations vulnerable to cybersecurity threats. Consumers are also constantly discovering the information collected about them, how that data is used, and how daily breaches put that information at risk. Consequently, organizations must make security a top priority to maintain consumer trust and remain compliant with regulations.

To address these challenges, a few steps that organizations must take include an accurate inventory of data. This is critical for adhering to data privacy regulations, such as GDPR. Many organizations may not know the information they have or where it is going, thereby making it difficult to protect it. Additionally, solutions that dynamically allow or deny access based on contextual factors like a user’s location, device type, or job function are highly favorable, along with data loss prevention (DLP) capabilities. India is also taking steps to implement a data protection framework that incorporates many elements of the GDPR.” – Ripu Bajwa, Director and General Manager, Data Protection Solutions, Dell Technologies, India

—————————————————————————————————————————————–

“Toward the end of 2021, Check Point Research noted that cyber-attacks against corporate networks had increased by a staggering 50% on the previous year. The education and research sector was the hardest hit, averaging 1,605 attacks per week, with government organizations, communications companies, and internet service providers close behind. Even attacks on the healthcare sector were up 71% on pre-pandemic levels, showing nothing is off-limits to threat actors. In our 2022 Security Report, we also noted that email had become an increasingly popular vector for distributing malware throughout the pandemic, now accounting for 84% of malware distribution. Beyond the corporate world, it was also clear that large-scale attacks on critical infrastructure, such as the Colonial Pipeline incident, had a very real impact on people’s day-to-day lives, even threatening their physical sense of security. Data Privacy Day, or Data Protection Day as it’s known in Europe, is the perfect time for individuals and businesses to evaluate their data hygiene and security protocols to ensure their data is kept as safe and secure as possible. Check Point Software is beginning 2022 with a new strategic direction that follows the mantra: You Deserve the Best Security. While adopting the kind of best security practices promoted by Data Privacy Day is vital, it’s only a baseline. We know that businesses can’t afford to settle for second best when it comes to defending themselves in a constantly evolving threat landscape” – Sundar Balasubramanian, Managing Director, India, and SAARC, Check Point Software Technologies.

—————————————————————————————————————————————-

“Data used to be a by-product of business. Every organization recorded transactions, stored product, process, customer records, during the normal course of conducting business. The sea change in the past few years, is that with deep tech, vast amounts of telemetry, AI, ML, analytics, businesses are being built on data. Data is creating value. Data is the business. Data is the source of competitive advantage. Data also gives rise to risks involved. In addition to traditional risks, there are also the ongoing risks of ransomware, denial of service (DoS) and theft of intellectual property. No wonder, data protection and security have become core to businesses. Beyond the headline-grabbing numbers, there remain core principles sensible organizations must observe. Above all else, good security management is predicated on good data management. Along every step of the security journey – from prevent to detect to respond – knowing where your data is, how to extract it, and how it interoperates across and beyond organizational boundaries are key to ensuring you protect yours and your customers’ most valuable intelligence. With data privacy regulations and requirements growing more complex, users must look at solutions that simplify compliance in encryption and sophisticated AI that maps and classifies data.” – Ravi Chhabria, Managing Director, NetApp India

————————————————————————————————————————————–

“Over the last 2 years, there has been a significant rise in cyber-attacks all over the world. Despite the best efforts of security teams, attackers consistently took advantage of vulnerabilities, discovering new ways of infiltration and taking advantage of people’s curiosity as well as their fears around Covid, leveraging socially engineered lure files and tactics. There is a huge digital shift that has been created by the pandemic where many industry sectors have witnessed an accelerated approach towards digital transformation and their erstwhile perimeter has moved beyond their enterprise firewalls to cloud; either a public cloud, hybrid cloud or a private cloud. This has added complexity to the IT architecture stack and also increased the potential attack surface for adversaries to exploit; and often under-resourced security teams to protect. Today’s new perimeter needs to be buttoned up with operations and security collaborating to create a secure network. With more data moving to the cloud every day, it is imperative to have a re-architecture of the cyber strategy which should go around all three dimensions of security i.e. people, process and technology. While many cloud service providers offer basic levels of data security, it is critical for organizations to develop and implement a comprehensive data security strategy that’s scalable and combines automation with human threat hunting and threat intelligence. Another critical element of a data security strategy is real-time monitoring, detection and response. These threat detection and response capabilities should be supported by machine learning and analytics to better identify anomalies and malicious activity. Companies require proficient and skilled cyber security experts who can keep their endpoints, cloud workloads, identity and data secure.
Unfortunately, some organizations still rely on legacy security solutions that are just not fit for purpose especially as adversaries evolve their tools, techniques and procedures (TTPs). They need security that is scalable, built for the cloud and can carry the same level of control and visibility from their on-premises environment into remote working environments. Meeting these challenges head on with a layered, unified approach to security will enable organizations to move forward with their cloud plans with the knowledge that their users and data are well guarded.” – Nitin Varma, Managing Director, India & SAARC, CrowdStrike

—————————————————————————————————————————————-

“With the new normal dictating the ways of our lives, businesses have turned to digital transformation to ensure productivity and continuity. Cloud has emerged as the biggest enabler by fueling both remote and hybrid work infrastructure. However, cloud also raises a lot of security challenges. Enterprises often misunderstand cloud security as the sole responsibility of the cloud services provider as against viewing it as a shared responsibility. Robust cloud security provides multiple levels of controls within the network infrastructure for the protection of cloud-based assets. Whether in a public or private cloud, enterprises need access to security tools that can protect their data and resources from theft, leak, or natural disasters. Another aspect that cannot be ignored when it comes to security is the ‘Human Error’. Surprisingly enough, it is the most neglected link in cybersecurity, as IBM’s Cost of a Data Breach Report 2020 shows the average cost of data breaches from human error stands at $3.33 million. Therefore, enterprises along with cloud service providers need to develop detailed and stringent security policies that clearly outline access and privileged access management, zero trust policy, user activity monitoring, and further educate their employees on the negative impact of cyber-attacks and positive impact of best practices. Also, security shouldn’t be treated as an isolated activity. It is a shared responsibility right from the management to vendors to even the new entrants in an organization. Hence, an organization can consider itself completely secure against breaches only by aligning all its stakeholders towards the common goal of ensuring comprehensive security.” – Neelesh Kripalani, Chief Technology Officer, Clover Infotech

—————————————————————————————————————————————

Sohini Bagchi
Sohini Bagchi is Editor at CXOToday, a published author and a storyteller. She can be reached at sohini.bagchi@trivone.com