Data Privacy Day

Comment from Joseph Carson, chief security scientist at Thycotic: 

“Data privacy will, and already is, evolving into a Data Rights Management issue. 

Citizens’ privacy will continue to be under the spotlight in 2021. The end of privacy as we know it is closer than you may think. Privacy definitions are very different between nation states and cultures, however, one thing that is common is that privacy is becoming less and less of an option for most citizens. In public and online, almost everyone is being watched and monitored 24/7 with thousands of cameras using your expressions, fashion, walk, directions, interactions, and speech to determine what you need, what you might be thinking, who you are going to meet, who is nearby, and even algorithms that determine what your next action might be.  

“Regulations will continue to put pressure on companies to provide adequate cyber security measures and follow the principle of least privilege to protect the data they have been entitled to collect or process. “

I believe the big question, when it comes to data privacy, is “How is citizens’ data being used, collected and processed?” Ultimately data privacy will evolve into Data Rights Management which means rather than giving up personal data for so called free use of internet services, citizens should and can get paid for allowing their personal data to be used for marketing purposes. It will become more about how the personal data will be used, and what monetization is resulting from the data. In the future everyone will become an influencer this difference is how much is it worth.” 

Commentary from Ed Williams, EMEA Director of SpiderLabs at Trustwave
2020 was an incredibly impactful year for a number of reasons, one of which was data protection/data privacy. When I look at the work we’ve been conducting at Trustwave’s SpiderLabs, I see a specific emphasis on remote working solutions. While many organisations are being proactive with their assurance work, we’re seeing that this isn’t the case for all organisations.  

 When it comes to regulations, as we begin 2021, I believe that GDPR will still have an impact in the short term, regardless of Brexit. Coupled with the digital transformation we’re seeing with organisations moving to the cloud, there are plenty of areas for organisations to come un-stuck. Businesses must be sure to remember that the cloud has a ‘shared model of responsibility’, in that both parties must ensure the security and privacy of data. 

 Moving forward this year, if the strategy for privacy fell under my remit within my organisation, with my penetration test hat on, I’d focus on looking to ensure that appropriate security and privacy training is given to all staff.  Given that many organisations are now working from home potentially using equipment that isn’t specifically work-related, and with threats and vulnerabilities abound, being able to identify these threats is imperative. Secondly, I’d focus on the data itself. Data is always valuable to the bad guys and ensuring that data is managed correctly should also be a focus. Having appropriate policy and procedures for data given the recent home working trend should be updated, with appropriate training and technical controls. 

 To round off, at a high level there are several broad security practices that can help with data privacy and protection however the two I’d prioritise are:   

a.                Enable multi factor authentication on services, especially those that you value, email being a good example of this, and I’d also consider using a password manager.  

b.               Always update software and operating systems to the latest versions available to prevent against the ever-growing threat of ransomware. 

 Commentary from Adam Brady, Director, Systems Engineering, EMEA, at Illumio

With this Thursday being named as a day to recognise data privacy or data protection, it’s a great reminder that data protection should be something that should be a top priority for organisations every single day. And a big part of that should be stopping the spread of breaches to prevent access to PII. 

Ransomware is in the news almost daily, and that’s only going to continue for the foreseeable future. Organisations need to take the more pragmatic approach of assuming breach and consequently maintain an ongoing focus on protecting the data they store. Privacy and consumer data is such a high-value currency that if an attacker knows what they have, they’ll exploit it for every last penny. 

 For organisations looking to secure PII, micro-segmentation as part of a Zero Trust approach is a critical control. Traditional segmentation of the network is no longer enough to prevent the kind of lateral-movement-based threats we see. Forward thinking enterprises need to be thinking about visibility, and micro-segmentation – where they can easily isolate high-value applications and environments, prevent lateral movement, enforce granular security policies, and apply the Zero-Trust posture of “never trust, always verify”. 

 Although we hope measures are already in place, today is a good reminder for organisations to pause, take stock and ensure they are protecting data to the best of their ability.” 

For more information on the Mid-Year Global Risk Report:

·    Read the report, download graphs and images: https://drive.google.com/drive/folders/1CzPTSbrgYuAEMx9OWjAEtx0J_bvk9Ygt?usp=sharing 
·    Access the Covid portal to predictive COVID-19 data, analysis and reporting for background use: https://covid.sibylline.co.uk
·   Username: Sibylline.Press
·   Password: RunForestJumpedMusic93!
·    Watch the recorded pre-briefing:  https://vimeo.com/439226405?mc_cid=1ae497f094&mc_eid=f4fcb983f9 
password: SibyllineMidYear2020!