data Archives - Security IT Summit | Forum Events Ltd
Posts Tagged :

data

Salesforce security: 5 ways your data could be exposed

960 640 Guest Post

By Varonis

Salesforce is the lifeblood of many organizations. One of its most valuable assets-the data inside-is also its most vulnerable. With countless permission and configuration possibilities, it’s easy to leave valuable data exposed.

That, coupled with the fact that most security organizations aren’t very familiar or involved with Salesforce’s administration, opens organizations up to massive risk.

Here are five things every security team should know about their Salesforce security practices to effectively gauge and reduce risk to data. 

5 Questions You Should Ask:

  1. How many profiles have “export” permissions enabled? 

Exporting data from Salesforce makes it a lot easier for someone to steal information like leads or customer lists. To protect against insider threats and data leaks, export capabilities should be limited to only the users who require it.

  1. How many apps are connected to Salesforce via API? 

Connected apps can bring added efficiency to Salesforce, but they can also introduce added risk to your Salesforce security.

If a third-party app is compromised, it could expose internal Salesforce data. You should know exactly what’s connected to your Salesforce instance and how to ensure that connection doesn’t expose valuable information.

  1. How many external users have access to Salesforce? 

External users, like contractors, are often granted access to Salesforce. Surprisingly, 3 out of 4 cloud identities that belong to external contractors remain active after they leave the organization.

Salesforce security teams should ensure all contractors are properly offboarded from all SaaS apps to prevent data from being exposed.

  1. How many privileged users do you have? 

Privileged users have a lot of power within Salesforce. They can make configuration changes that have dramatic effects on how information can be accessed and shared.

Salesforce security teams need the ability to audit privileged users, be notified when changes are made, and understand exactly what changed to assess risk.

  1. Are your Salesforce Communities exposing internal data publicly? 

Misconfigurations are one of the easiest ways to unintentionally expose sensitive data. For security teams that aren’t intimately familiar with every configuration within Salesforce (of which there are many!), it’s easy to miss critical gaps.

Check to see if settings for Salesforce Communities, meant to share information with customers, are inadvertently making data accessible to anyone on the internet.

Improve your Salesforce security with DatAdvantage Cloud

With Varonis DatAdvantage Cloud, it’s easy to answer these and other critical security questions about Salesforce and other SaaS apps in your environment, like Google Drive and Box.

DatAdvantage Cloud keeps valuable data in Salesforce secure by monitoring access and activity, alerting on suspicious behavior, and identifying security posture issues or misconfiguration.

Click here to view the full article and visit the Varonis website.

Cloud applications put your data at risk — Here’s how to regain control

961 639 Guest Post

By Yaki Faitelson, Co-Founder and CEO of Varonis

Cloud applications boost productivity and ease collaboration. But when it comes to keeping your organisation safe from cyberattacks, they’re also a big, growing risk.

Your data is in more places than ever before. It lives in sanctioned data stores on premises and in the cloud, in online collaboration platforms like Microsoft 365 and in software-as-a-service (SaaS) applications like Salesforce.

This digital transformation means traditional security focused on shoring up perimeter defenses and protecting endpoints (e.g., phones and laptops) can leave your company dangerously exposed. When you have hundreds or thousands of endpoints accessing enterprise data virtually anywhere, your perimeter is difficult to define and harder to watch. If a cyberattack hits your company, an attacker could use just one endpoint as a gateway to access vast amounts of enterprise data.

Businesses rely on dozens of SaaS applications — and these apps can house some of your organisation’s most valuable data. Unfortunately, gaining visibility into these applications can be challenging. As a result, we see several types of risk accumulating more quickly than executives often realise.

Three SaaS Security Risks To Discuss With Your IT Team Right Now

Unprotected sensitive data. SaaS applications make collaboration faster and easier by giving more power to end users. They can share data with other employees and external business partners without IT’s help. With productivity gains, we, unfortunately, see added risk and complexity.

On average, employees can access millions of files (even sensitive ones) that aren’t relevant to their jobs. The damage that an attacker could do using just one person’s compromised credentials — without doing anything sophisticated — is tremendous.

With cloud apps and services, the application’s infrastructure is secured by the provider, but data protection is up to you. Most organisations can’t tell you where their sensitive data lives, who has access to it or who is using it, and SaaS applications are becoming a problematic blind spot for CISOs.

Let’s look at an example. Salesforce holds critical data — from customer lists to pricing information and sales opportunities. It’s a goldmine for attackers. Salesforce does a lot to secure its software, but ultimately, it’s the customer’s responsibility to secure the data housed inside it. Most companies wouldn’t know if someone accessed an abnormal number of account records before leaving to work for a competitor.

Cloud misconfigurations. SaaS application providers add new functionality to their applications all the time. With so much new functionality, administrators have a lot to keep up with and many settings to learn about. If your configurations aren’t perfect, however, you can open your applications — and data — to risk. And not just to anyone in your organisation but to anyone on the internet.

It only takes one misconfiguration to expose sensitive data. As the CEO of a company that has helped businesses identify misconfigured Salesforce Communities (websites that allow Salesforce customers to connect with and collaborate with their partners and customers), I’ve seen firsthand how, if not set up correctly, these Communities can also let malicious actors access customer lists, support cases, employee email addresses and more sensitive information.

App interconnectivity risk. SaaS applications are more valuable when they’re interconnected. For example, many organisations connect Salesforce to their email and calendaring system to automatically log customer communication and meetings. Application program interfaces (APIs) allow SaaS apps to connect and access each other’s information.

While APIs help companies get more value from their SaaS applications, they also increase risk. If an attacker gains access to one service, they can use these APIs to move laterally and access other cloud services.

Balancing Productivity And Security In The Cloud

When it comes to cloud applications and services, you must balance the tension between productivity and security. Think of it as a broad, interconnected attack surface that can be compromised in new ways. The perimeter we used to defend has disappeared. Endpoints are access points.

Now consider what you’re up against. Cybercrime — whether it’s malicious insiders or external actors — is omnipresent. If you store sensitive data, someone wants to steal it. Tactics created by state actors have spilled over into the criminal realm, and cryptocurrency continues to motivate attackers to hold data for ransom.

Defending against attacks on your data in the cloud demands a different approach. It’s time for cybersecurity to focus relentlessly on protecting data.

Data protection starts with understanding your digital assets and knowing what’s important. I’ve met with large companies that guess between 5-10% of their data is critical. When ransomware hits, however, somehow all of it becomes critical, and many times they end up paying.

Next, you must understand and reduce your SaaS blast radius — what an attacker can access with a compromised account or system.

An attacker’s job is much easier if they only need to compromise one account to get access to your sensitive data. Do everything you can to limit access to important and sensitive data so that employees can only access what they need to do their jobs. This is one of the best defenses, if not the best defense against data-related attacks like ransomware.

Once you’ve locked down critical data, monitor and profile usage so you can alert on abuse and investigate quickly. Attackers are more likely to trigger alarms if they have to jump through more hoops to access sensitive data.

If you can’t visualize your cloud data risk or know when an attack could be underway, you’re flying blind.

If you can find and lock down important data in cloud applications, monitor how it’s used and detect abuse, you can solve the lion’s share of the problem.

This is the essence of zero trust— restrict and monitor access, because no account or device should be implicitly trusted, no matter where they are or who they say they are. This makes even more sense in the cloud, where users and devices — each one a gateway to your critical information — are everywhere.

This article first appeared on Forbes.

YAKI FAITELSON

Co-Founder and CEO of Varonis, responsible for leading the management, strategic direction, and execution of the company.

Normalising data leaks: A dangerous step in the wrong direction

960 640 Guest Post

It was only recently, in early April, when it came to light that the personal data from over 500 million Facebook profiles had been compromised by a data leak in 2019. And since then, an internal Facebook email has been exposed, which was accidentally sent to a Belgian journalist, revealing the social media giant’s intended strategy for dealing with the leaking of account details from millions of users. Worryingly, Facebook believes the best approach is to ‘normalise the fact that this activity happens regularly,’ and to frame such data leaks as a ‘broad industry issue’. 

It’s true that data breaches occur everyday, and are increasingly on the rise – new research predicts there will be a cyber attack every 11 seconds in 2021, nearly twice what it was in 2019. However, this doesn’t mean that it should be normalised. Quite the opposite in fact, explains Andrea Babbs, UK General Manager, VIPRE SafeSend...

Dangerously dismissive

The statement from Facebook is a very worrying strategy to come from a business which holds the personal and business data of millions across its platforms. Particularly in the wake of increasingly stringent regulations appearing globally, it is startling for such a large organisation to casually dismiss data leaks. To give businesses an excuse to no longer invest time, money and effort in data security is a dangerous step in the wrong direction.

Personal data is a valuable currency for cyber hackers, and individuals want to ensure it is protected. Leaking this confidential data, such as medical information, credit card numbers or personally identifiable information (PII) can have far-reaching consequences for both individuals and businesses. Keeping this data safe should be businesses’ number one priority. However, data is only as safe as the strength of an organisation’s IT security infrastructure and its users’ attention to detail.

A defence on multiple fronts

If you do not have the right technology in place to keep your data safe, then you will face problems – but the same goes for having the right tools and training available to your users. Data security is a difficult and never-ending task, one which requires ongoing investments on multiple fronts by every organisation in the world.

Particularly in the wake of COVID-19, businesses have had to transition to remote working and accelerate their processes to the cloud. Moving to cloud based security which moves with your users is key. And investment in user training will become more normalised because an uneducated workforce is a big risk to an organisation’s data security efforts. 

To combat such threats, deploying a layered security approach is necessary for both small and large businesses. In today’s modern threat landscape, a data protection plan needs to include cover for both people and technology at its core. There are innovative tools available, such as VIPRE’s SafeSend, which supports busy, distracted users to double check their attachments or recipient list before sending an email to help them make more informed decisions around the security of their data. Additionally, companies need to invest in thorough and more frequent security awareness training programmes, which include phishing simulations as a key component.

We will also see a bigger move towards Zero Trust Network Access (ZTNA) tools – which only allow people to access the data they need, not the entire network. There will be an evolution in this area, and protection for a workforce ‘on the go’ will become the standard, but with the same foundational principles of investing in the right technology, and the users themselves. 

Reputation and responsibility

No matter where users are or what they are doing, keeping security front of mind will be one way to ensure good IT security hygiene for businesses. Those who have already made significant progress in this area will reap the rewards in terms of safe data and reassured customers, clients and prospects. 

Businesses that get out in front of all areas of data loss, not just attacks from bad actors, are the ones that will do well in the long term. The ability to reassure customers and prospects of the safety of their data will become the new marketing message in the coming years, which is why attempting to normalise data loss could be so damaging to Facebook’s reputation.

Cyber threats are only going to increase in sophistication and become more personalised to the individual by using social engineering attacks or fileless based attacks. Attackers are going to continue to take advantage of current events, such as COVID-19, to trick users into clicking a link, downloading an attachment or signing into a phishing website etc.

Businesses of all sizes have a responsibility to keep data secure – and users must be a part of the solution, rather than the problem. In order to do this, businesses need to place cybersecurity as a priority throughout their processes and invest in the right tools and training to make this more of a business-critical solution, and less of an ‘emerging necessity’ as it is now.

GDPR

The data dichotomy and the vital importance of effective self-regulation

960 640 Guest Post

The data privacy debate that has raged for the past decade has patently failed to meet the needs of either industry or consumers. Legislative change continues to challenge digital marketing models – and has had little impact on consumer trust: Edelman’s 2021 Trust Barometer cites an era of “information bankruptcy”, with global trust levels at an all-time low. What has to change? John Story Vice President, Deputy General Counsel Global GTM, Acoustic, EMEA, explains why effective self-regulation is a vital step in rebuilding consumer trust...

Ethical Challenge

Data privacy is once again, front and centre of the advertising and marketing debate. From the imminent demise of third-party cookies, to ever-increasing privacy regulations including GDPR, UK DPA 2018 (essentially the post-Brexit version of GDPR), and the Privacy and Electronic Communication Regulations (PECR)—as well as the latest Apple / Facebook ad tracking row–it’s easy to see how consumers and marketers alike might be scratching their heads over where, how and why data can be used.

Marketers are justified in bemoaning the impossibility of doing an effective job or meeting customers’ desires for better, more relevant and personalised messaging given the increasing constraints placed by legislative change. But the industry needs to face facts: it has been too slow and too reactive. 

Just consider the inadequate industry response to scandals such as Cambridge Analytica’s data misuse. Effective self-regulation should have become an absolute priority, yet little happened. When the industry fails to step in and address its problems, when companies sit and wait for a major issue to emerge and only then attempt to address the fall out, legislators feel they have little option but to intervene. The results are more often than not to the detriment of everyone in the ecosystem.

Effective Self-Regulation 

For marketers, consumer trust is essential to survival – and the onus is on the industry to rebuild and sustain that trust. Which is why, however the motives are perceived, Apple’s recent move is a positive step in reinvigorating the debate and, hopefully, accelerating the adoption of the effective self-regulation that will rebuild consumer trust and confidence.

Improving the way companies – of every size – notify consumers, then request and honour consent is an indispensable step in the creation of an industry that truly recognises the importance of ethical behaviour. By finding a way to convey a commitment to data privacy without confusing or overwhelming the end customer, the industry can avoid the risk of further inappropriate or clumsy legislation – legislation that is both implemented inconsistently and fails to improve consumer confidence.  

Legislation takes too long to devise and ratify – making it technologically out-of-date by the time it is enforced. Even worse, once in place, it’s incredibly hard to change. It also rarely achieves the essential change in attitude to data ethics and data privacy that’s required. Legislators may hope fines encourage organisations throughout the data ecosystem to modify behaviour, but when the culture is one of enforcement the modification in behaviour is often the minimum required to avoid future sanction.  

Take Ownership of Data Ethics

Public trust can be rebuilt and maintained if the industry takes appropriate, ethically sound, self-regulatory steps that evolve with technology and public perception. There should then be little call for regulators and governments to step in and impose stifling legislation.

However, it’s important to recognise that this affects every company, every marketer, and every MarTech provider. This is not just an issue for the large technology companies. Indeed, given the fact that Apple remains a lone voice and there has been little sign from Google or Facebook of a willingness to put effective self-regulation ahead of revenue generation goals, unless marketers and MarTech companies highlight the ethical data privacy debate and take action, change won’t occur.

This is nothing new: the marketing and advertising industry has always worked together on self-regulation – from the development of advertising standards onwards. The only change is the technological context. Abdicating responsibility for data privacy and a commitment to data ethics will only erode public trust further and lead to the imposition of additional legislation.

Conclusion

We have seen the changes that can be achieved as a result of high-profile debate. With recent concerns about hateful content and misinformation online, for example, social media providers took positive steps to self-regulate;  they recognised that working effectively together was important to create a long-term future for their platforms. The next step must be to encourage the same levels of effective self-regulation around data usage and advertising.

Apple has nudged open the debate on data privacy and data ethics. The onus is now on players throughout the industry to push that door wide. Public trust is imperative – and that means effective self-regulation and the creation of a data ecosystem built on transparency and informed consent.

Security software revenue to hit $45.5B in 2021

960 640 Stuart O'Brien

The digital transformation accelerated by the pandemic and the growing number of data breaches and cyberattacks has forced online users, companies, and organizations to increase their spending on security software solutions.

According to data presented by StockApps.com, global security software revenues are expected to hit $45.5bn in 2021, a 20% increase in two years.

For the purposes of the study, it says the security software market includes all software solutions that aim to protect individual computing devices, networks, or any other computing-enabled device. It includes antivirus software, management of access, data protection and security against intrusions, and any other system-level security risks, both in local installation and cloud service.

StockApps says recent years have witnessed a massive adoption of these solutions, driven by the surge of eCommerce, huge technology developments including AI and IoT, and the rising number of connected devices.

In 2016, the entire market was worth $27bn, revealed the Statista survey. In the next two years, revenues surged by more than 40% to $38.1bn.

The entire market maintained its steady growth amid the COVID-19 pandemic, with millions of people working and educating from home. The TrustRadius 2020 survey of software buyers and users revealed that 41% of organizations increased their security software spending amid pandemic. 

Statistics show the market revenue jumped by 7% year-over-year to $41bn in 2020. This figure is expected to rise by $4bn in 2021. However, the following years are set to witness a surge in the adoption of software security solutions, with revenues jumping to more than $61bn by 2025.

In global comparison, the United States represents the leading security software market expected to generate $22.8bn, or 50% of revenues this year. Statista data indicate the US security software revenues jumped by 20% in the last two years, while the unified market is set to reach $30.5bn value by 2025.

With $2.3bn in revenue or almost ten times less than the leading United States, Germany ranked as the second-largest security software market globally. The United Kingdom, Japan, and China follow with $2.2bn, $2.1bn, and $1.9bn in revenue, respectively.

Escaping from Data Lockdown with a Digital Evolution

960 640 Guest Post

With data amassing at an exponential rate, digital transformation continues to be throttled as businesses struggle to achieve the insight they need from the data. To achieve value from data, businesses need to be able to access what they need, when they need, by the right people, in a usable format. Peter Ruffley, CEO, Zizo, has previously detailed the first three aspects businesses should consider to get out of data lockdown, including data access, responsibility and outcomes. With the data readily available and the company goals in mind, businesses need to ensure that the data they’re analysing will be of value and help them meet these objectives.

Here, Peter highlights two further aspects for businesses to consider before they can move forward in their digital transformation journey. While there is no one-size-fits-all approach to suit every company, by having available and structured data with an open and flexible culture, organisations are in a much stronger position to take on this critical shift and escape from data lockdown. 

Data structure and analysis:

Data must be structured for purpose – clean and consistent data will lead to better decisions and an easier transformation. There are many whose skill set is structuring data and building data structures; but because of their fixed belief on how they think things should be done, it can be a choke point for digital transformation. You have to be prepared to follow a business objective, even if it may apparently contradict some of the deeply held beliefs of your IT colleagues, or if the data tells you something that goes against your intuition, rather than derailing the process. 

Digital transformation isn’t a one-change process, but instead, a number of transformations will need to be made and augmented with other sources of structured data – it should be conducted as an ongoing rolling programme of incremental changes and additions. That adaptability to absorb other sources of data and find other business value is what this is all about.

It’s not digital transformation, it’s digital evolution. Some things may not go 100% to plan, therefore, you have to change and adapt based around those models. And just because every decision can be driven by data, does not mean you have to analyse all the data before you take each step. There is a case for paralysis through analysis; if you try to look at everything, you will end up doing nothing. An agile way of doing things and trying something small to see if it works, using the tools and techniques for when we want to scale up or down will enable smaller steps towards transformation to be taken faster. 

Business value and collaboration:

The key to digital transformation success is collaboration and flexibility. Businesses need to be flexible enough to digitally transform the marketplace. The tools, techniques and technologies exist, but there are only some organisations that are going to be smart, quick enough and united to actually take advantage. 

By distinguishing ownership and having a sense of collaboration within your company culture, the barriers to digital transformation will be diminished as team members acknowledge the changes that are going to be made to the business as a result of this transition. Without everybody on board, the transformation will not work. Technology is just one part of the process underpinning these changes – having an open attitude towards the use of data within the organisation is a necessity. 

People need to trust the data they’re using through provenance and understanding the business rules and objectives. Rather than trying to impose a rigid framework, using data as the foundation provides you with trusted evidence and reasoning, backed up by other areas of the business. If you’ve got a dialogue supported with data that you trust, stakeholders will buy into the initiative. 

Organisations can’t expect the deployment of tools and technologies to change their business overnight, but by having a more open and collaborative attitude towards the use of data within the organisation, underpinned by new tools and technology, a digital evolution can progress in the right direction. 

Meeting the Tests to get out of Data Lockdown

960 640 Guest Post

Digital transformation of any business has always been hampered by making sense of underlying data. And that data has been growing in volume at an unprecedented rate driven by the growth of IoT. It’s the perfect storm – the need for real-time information being increasingly distanced by the rate at which the data volume is growing. Businesses need insight, not just data, which means getting the right information, to the right person, at the right time. 

But the age-old problem remains today – how do you understand and see what data you have readily available, in a format that’s usable and that you can access at the right time? Peter Ruffley, CEO, Zizo, explores three aspects businesses must consider to get out of ‘data lockdown‘…

Data access 

There are a multitude of ways to store and access data, but a majority of businesses haven’t considered access to external data sources yet. When we begin to question how to enrich and improve data, one of the fundamental capabilities of this process is by integrating external third-party data sources, such as weather, crime or other open data sources. 

Businesses need to have an understanding of what they need to do to make the process worthwhile, and ensure they have the correct capabilities before they start. A common first approach for many organisations is to build from scratch and make it their own, rather than considering the buyer approaches where you look at what’s out there, explore the marketplace and transform existing data to use within the business, rather than starting from the ground up. 

If they can’t combine different sources of data quickly and cost-effectively together, they won’t move forward. It makes sense to digitally transform an organisation if it is going to make use of what’s already out there, as being able to tap in and share other work and insights will make the exercise worthwhile and cost-effective. With combinations of solutions available in the marketplace that can accelerate the process by providing the necessary building blocks, it’s time to transform the digital transformation process. 

Data responsibility 

There remains a disconnect between IT teams and businesses’ impressions about what it means to provide the data. If both parties are not aligned with the same aims of the business, the project could stall at the first hurdle. Instead, organisations need to bridge the divide and encourage stronger collaboration between all stakeholders. When businesses realise where those holes are in their structure, it’s key to get people involved to solve those challenges. 

This involves change on three levels; personnel, cultural and technological. Who’s responsible for this chain? Whose action is it? How do we bring these teams together? The business might be storing a lot of data, but how can it be accessed, interrogated and made useful? How will the business’ data goals be defined? 

Typically, the digital transformation initiative comes from the top in the organisation. In order to get your business on board, you have to make a very clear case of what the benefits are. Employees need to trust that improvements will be made for them by doing this, rather than just dictating the plan. Digital transformation is a change programme, which impacts all aspects of the business. You therefore have to approach it in the same way that you would approach any change project – with clear objectives and an agreed process of identifying how you’re going to get value from data. With a compelling case, you have a much better chance of carrying it through with buy in from all stakeholders. 

Data and objective identification:

You can’t embark on a digital transformation initiative without a concept – you’re condemning the project to failure if the business is not engaged properly with the process before you start. In order to yield business benefit from data, organisations must identify the areas that will realise the most benefits. Even if they’re hypothetical, there must be measurable ambitions in place or milestones for this journey, so that there is an understanding of what you’re going to do, and what you want to get out of it. Or if those ambitions weren’t achieved, why not? What steps need to be taken next time? 

Organisations have to be able to collect the data and assess whether they can achieve their business objectives from that data. But a goal of just ‘digital transformation’, ‘digitising data’ or ‘making more money’ will never translate into a concrete business case. Goals need to be specific and measurable in order to determine the project roadmap and for success to be evaluated. 

More importantly, you have to understand where the data is in your organisation and what it’s being used for, before you start the process of transformation. The whole supply chain needs to be aware of the transformation and the demands that are going to be in place. You’ve got to be very open about this process, because there will be people who you haven’t thought of that might be impacted by the changes you’re making.

With easy access, a connected team and clear objectives, companies can have a clear outline of what it is they set out to achieve in their digital transformation, how they expect to make this transition with the data available, and who can take on what role in this process. 

User Access Review – What’s That?

960 640 Guest Post

By Tenfold Security

Users come, they stay, they leave, they move around between departments and they collect privileges on the way. That’s OK, they need privileges to do their jobs. But do they need all the privileges they have, always? That’s a question you need to ask yourself, for every userrepeatedly.

This article covers what is meant by a user access review, why is it important for your business and how can you simplify the process and up your company‘s IT security and level of data protection at the same time.

Click here to read the full article.

Solving the data centre skills shortage

960 640 Stuart O'Brien

By Stephen Whatling, Chairman at BCS

The growth in demand for data centres worldwide has posed many challenges in recent years and this has now been expedited by the Covid-19 pandemic. Following a major uplift in demand for data services since March, the need for a resilient data infrastructure has never been greater.

However, this year BCS’ independent survey shows an increase in concern about the availability of design and build staff with an 11% rise, to 75%, of respondents believing there is an inadequate supply of skilled labour. The same independent BCS survey shows that 90% of those involved in the design and construction of data centres believe there is a dearth of both design and build personnel.

As the confusion regarding exam results and the subsequent issues with university places continues to test the education system, it is a growing concern for the future supply of resources skilled in the design and build of data centres.  It is then perhaps no surprise that for the second survey running, greater industry engagement with educators is ranked as the top factor to address this identified skills shortage. This is particularly important given the tremendous competition for suitably qualified STEM staff from a wave of different technology sectors across the wider economy. Early engagement with the industry at the educational level is needed to encourage the next generation of potential datacentre professionals through providing clear routes to jobs and career advancement that exist in many of the competing industries.

Better on the job training and improved or greater incentives for apprenticeships also ranked highly in the survey as  respondents acknowledged the positive impact that the education sector and businesses working in partnership can have in developing home-grown resources.  At BCS we believe that the expansion of apprenticeship places is vital to the success of the generation of UK based skills.  This year we had over 200 applicants for the apprentice and graduate scheme we operate in partnership with London Southbank University which provides funded places and, alongside studies, enables the apprentices to access every aspect of the BCS business.

From this year’s intake, Imogen Paton is enrolled on a Quantity Surveying Degree Apprenticeship at London Southbank University and will be sharing her time between studying there and getting some great practical experience with BCS over the next five years. Imogen said: “I am really looking forward to this opportunity to grow and work with both a great company and great university and can’t wait to get started!”

Many businesses might think that taking on an apprentice during the current pandemic will not bear fruit but that is not necessarily the case.  Yes, it can be harder and will require a little more care and attention but the right candidates will learn some invaluable skills during these strange times.

Ben Chappell, a BCS Apprentice Consultant from London Southbank University says he will “definitely take a new sense of confidence in working independently back to the office when the lockdown is over.”

“I’ve been balancing client tasks with Southbank University work successfully, which has given me assurance that my routine is productive. One of the lessons for my industry is that we now know that a significant amount of work can be done remotely if the circumstances require it. However, I am also very much aware of the importance of social interaction for both the office teams and client relations and I’m looking forward to getting back on site,” he said.

It is also worth remembering that the survey was undertaken at the beginning of the UK lockdown, before the length of the lockdown and subsequent travel restrictions could be fully understood.  Despite the timing, almost three-quarters of respondents believed that shortages amongst data centre operational staff was already making it increasingly difficult to run facilities well. It is now clear that the difficulties associated with international travel such as the lack of availability of flights and hotel rooms or the more recent focus on quarantine rules has made it even more difficult for the roving teams of design, build and maintenance engineers to do their jobs efficiently.  These teams are, of course, essential workers and not subject to the quarantine rules but travel, and life in general, is more difficult now, and as a result less productive.  This will mean that even more skilled engineers are required to support the existing infrastructure.

Meeting the demands for greater capacity was an issue before Covid-19 with 74% seeing higher labour costs, 55% using increased outsourcing and almost 50% seeing delays due to the shortage of available skills.  It is likely these numbers will be even higher next year. We should also take note of the likely impact of Brexit and any future immigration policy.  It is vital that any future policy recognises the importance of the data centre industry in the UK and supports it with favourable access for the skilled workers that will be needed in order to meet the existing demand. 

In conclusion, the demand for UK based data centres currently outstrips supply, smart working and automated processes, and a focus on education alongside investment and support from the Government, is required sooner rather than later to ensure the UK capitalises on this opportunity.

These are the key data privacy issues in 2020

960 649 Stuart O'Brien

Tuesday January 28th marked Data Privacy Day, the annual international day aimed at raising awareness of privacy and data protection issues and promoting best practices.

Here we’ve gathered up the thoughts of some leading figures from across the sector, covering everything from GDPR to biometrics and compliance, and what 2020’s priorities need to be…

Chase Buckle, Trends Manager, GlobalWebIndex

“In today’s post-Cambridge Analytica world, we’re witnessing a ground-breaking shift in consumer attitudes towards data, privacy and brand trust.

While GDPR has certainly shifted the balance of power, leading to new perspectives on consumers’ rights to share or withhold data online, 58% of UK consumers are still concerned about the internet eroding their personal data.

The increased awareness of how companies collect and use data online, also brought by events such as Data Privacy Day, has done little to alleviate concerns over online privacy more generally –  61% of UK consumers worry about how their personal data is being used by companies and 55% now prefer to be anonymous when browsing online.

This anxiety around online privacy and technology is most prevalent among younger age groups. These so-called digital natives are more conscious of the complexity of data security and technology, and are more aware of just how much they might not know around the issue. In fact, the younger the consumer, the more likely they are to say that they don’t feel in control of their personal data online, and that they just don’t understand new technology. 

Within this new digital landscape, company reputations hinge on their trust and transparency credentials over personal data. To build consumer relationships, trust has to become one of the core elements of any brand proposition.”

Nigel Hawthorn, data privacy expert, McAfee

“Over a year after the EU’s General Data Protection Regulation (GDPR) came into force, the regulatory bodies are changing their focus from guidance to full enforcement. The GDPR framework serves as a driver for organisations to revisit their current processes and take full responsibility for how they process and store personal data. As the UK leaves the EU, this legal responsibility doesn’t go away. The UK government passed the Data Protection Act 2018 to provide an equivalent law to GDPR. As we’re stepping into a new decade, we are seeing the rise of more regulations which put internet users first and a rise in the data stored in the cloud.”

“With the increasing reliance on the cloud, businesses need to be rest assured that they have complete visibility and control over data regardless of where it is. According to our latest research, 40% of large UK businesses expect to be cloud-only by 2021. What we’re going to see in 2020 is even more data and applications shifting to the cloud – and where they migrate, cybercriminals will follow.

Today, we should recognise that the age of the cloud is here. Whether businesses are cloud-only or shifting towards a cloud-first approach, the key is to make sure it isn’t an easy target for cybercriminals.”

Zachary Jarvinen, Head of Product Marketing, AI and Analytics, OpenText – “As we welcome in another Data Privacy Day, this date – and what it represents – has never been more relevant or more important.

“It’s clear that 2020 will be the year that the rest of the data privacy iceberg begins to emerge. While regulations like Europe’s GDPR and the California Consumer Privacy Act (CCPA) have already been established, new regulatory developments surrounding data privacy are continually coming to light.

“Although these regulations have their inherent differences, the general scope of data privacy laws is to give consumers the right to know how and what type of personally identifiable information (PII) is collected, and the option to take legal action in the event that they should incur damages from bias or data security breaches. In 2019, 53% of consumers stated that they would cancel a transaction if they didn’t like something in the privacy policy – more must be done this year to make sure data privacy and protection is a top priority for companies.

“Until now, most organisations have focused their efforts on structured information, but they must also be able to understand what PII is located in textual documents. Archived data, in particular, is an especially pressing concern for most enterprises. AI-powered solutions will be instrumental in locating sensitive data and managing it through automated workflows. Today, organisations will also need to establish internal data governance practices to determine who is accountable for data security and enterprise-wide policy, which may include creating teams that blend technical and regulatory expertise.

“It’s also a great time to get started with a career in the industry. Over the past four years there has been a 75% increase in jobs with “privacy” in the title. Privacy is hot. And, finally data protection is at the table for new initiatives and technology decisions.”

Simon Wood, CEO, Ubisecure  “The topic of data privacy could not be more relevant in the current cybersecurity landscape. Last year, for example, a number of headline-hitting data breaches were revealed to be a result of misplaced security design choices – demonstrating the damaging consequences of underestimating security requirements. 

“A large cause for concern here is when it comes to businesses building identity management functionality in-house. No matter how big the development team some companies may have, a lack of experience and resources in cybersecurity areas like identity management means that building such features internally comes with increased risk. Faced by tight deadlines and pressure to get applications to market as fast as possible, teams are challenged to build functionality that properly adheres to privacy by design and proven security methodology. Often, we see the impact of not doing so through the breaches that take advantage of weak authentication policies and a failure to keep data privacy central to the whole design process. 

“One way for tech leaders to solve this problem is to deploy Identity-as-a-Service (IDaaS) solutions – cloud based authentication and identity software or APIs already proven and in use in the market. Such solutions allow teams to integrate identity features into applications as securely and as seamlessly as possible, without reinventing the wheel each time. Ultimately, this on-demand expertise reduces the risk of data breaches caused by employee-led error and places data privacy at the forefront of the development process.“

Gijs Roeffen, Director IT & Security at EclecticIQ – “As data breaches continue to hit the headlines, businesses and consumers alike are becoming more and more aware of the need to protect their data. Here are a couple of simple tips to help keep your personal information secure: 

Swap PIN codes for biometrics

“When it comes to passwords and PIN codes, people are creatures of habit. People not only use the same password across multiple online accounts, they will also happily use the same PIN code for their debit card and their phone, or a generic PIN number. In fact, cybersecurity specialist Tarah Wheeler recently shared the most common PINs used by smartphone users to secure their devices, and shockingly, the most common PIN number was 1234. 

“Passcodes and PIN numbers can easily be captured from a glance over someone’s shoulder, or can be photographed or filmed from another mobile device. Biometrics, however, such as facial recognition or fingerprints, are unique to the user and can’t be obtained in either of these ways, making them a much safer option than passwords and PINs.

 Safeguard your SMS messages

“While it is possible to intercept SMS messages over the air, it requires multiple factors to be aligned to be successful. Attacks on SMS are often very targeted, since intercepting SMS codes requires specialist knowledge and hardware. 

“Using a two-factor authentication, however, is an effective means of defence against account takeover, so be sure to check your SMS is protected. Alternatively, look into using an encrypted messaging service. Encryption jumbles the content of a message into random data until it is received on the other end, so if a hacker intercepts the message, they won’t be able to view it in full. Apple’s iMessage service uses encryption, as does WhatsApp, which works across both Android and iPhone devices.”


Ashley Bill, enterprise data consultant, Micro Focus – “Fortunately, life after the General Data Protection Regulation (GDPR) has seen organisations begin to change how they think about data privacy. While avoiding regulatory fines and reputational damage is often top of mind, savvy business leaders may also see the business benefits that effective compliance can bring: the ability to generate high quality, streamlined data that can be monetised through applying predictive analytics.

“By investing in optimised data management driven by compliance, organisations can effectively increase the value of their data. It not only saves them pouring significant amounts of time into making sense of exploding datasets, but also creates an environment where teams can effectively deploy predictive analytics to make informed decisions. Using insights gleaned from quality data, companies can better predict the preferences and behaviour of their target audiences to inform and maximise the potential of marketing, advertising and product development. Ultimately, accurately predicting what customers want and remaining a step ahead of competitors is the ‘holy grail’ of business success.

“If predictive analytics is essential for boosting business outcomes, data privacy compliance is a fundamental component. And looking ahead, it will be a major driving force behind the development of modern, ethical, data-driven organisations.”

Chris Greenwood, Senior Director and General Manager UK&I at NetApp

“Data privacy has moved beyond protection and is now a question of trust. 

“We, as consumers, trust organisations to handle our data in a secure, standardised and accountable way. But with 60% of UK businesses planning to migrate apps and data to the cloud within the next year, the risks are high. Combine this with the rise of 5G, edge computing and AI bringing about entirely new and disruptive ways to use data, organisations must ensure suitable safeguards are in place, tested and updated as we begin to unravel these various possibilities.

“75% of IT leaders anticipate that security will have the largest impact on their data strategy over the next 12 months. In order for privacy to succeed, it is the duty of companies and organisations to not only understand how and why data is being used, but also have the capabilities to remedy any ethical concerns which may naturally arise as new lines are drawn on what ‘is’ versus what ‘was’ acceptable as technology becomes ever more powerful.

“This can only be achieved by being able to see, access and conscientiously use data from any and every environment whilst affording the end user the means to control how and what data is there in the first place. Only then can user privacy truly succeed.”

Malcolm Murphy, Systems Engineering Director, EMEA at Infoblox – “You hear a lot of people in the industry talking about Zero Trust. Whist it is certainly a core element of improving data protection standards, we need to be more realistic about its wide-scale implementation.

“Despite the hype, no one is actually doing ‘Zero Trust’ yet. Putting the infrastructure in place to enable organisations to verify anything and everything trying to connect to its systems before granting access is a really hard thing to do, as we can’t easily layer it onto existing technology at scale.

“As it stands, we’re nowhere near being able to implement the Zero Trust concept at a cost-effective level, and this is unlikely to change in 2020 – and our data privacy may suffer because of it.”

“This approach will remain difficult, expensive and inconvenient. I think it will take a catastrophic event or new regulation to make organisations invest in Zero Trust, it won’t happen on its own.”

Paul Farrington, EMEA CTO, Veracode“Many businesses today are software-driven and they are conscious of the role software security plays in keeping data protected. There is a greater need to ensure security is a core part of the software development process going forward. As a new data-driven decade commences, businesses should empower developers by training them on best practices in secure coding and providing the tools to enable them to find and fix vulnerabilities in their software.

“We know that unresolved vulnerabilities that pile up over time, also known as security debt, can leave organisations exposed to data breaches. Hackers will continue to look for weak points at the application layer, which is still the predominant threat vector. By shifting security left, developers are able to fix vulnerabilities faster and more effectively, improving an organisation’s overall security and ultimately better protecting sensitive data. Across Europe, more businesses are learning that they are able to adopt application security without stifling innovation.”

Elodie Dowling, EMEA General Counsel, BMC Software

“With an increasing number of data protection laws around the world, data privacy remains a very pressing topic, and businesses such as cloud service providers continue to face an array of complex and logistical challenges to adhere to across their multi-cloud infrastructure, to ensure their customers’ data remains protected.

“Over the course of the last year, there have been a large volume of data breaches being reported. Data Privacy day comes as a very timely reminder for customers and their service providers to continue to work towards updating their existing privacy standards to a compliant level, while ensuring robust security is in place to protect customer data. Most recently, European regulators have imposed £97m in data breach fines, and businesses who operate within the cloud must remain vigilant to avoid similar penalties.

“It’s important once a business starts using a variety of cloud-based services and infrastructure to regularly carry out audits to ensure that systems and services being used remain compliant with data privacy laws. Under GDPR, personal data may not be stored longer than needed for the predefined purpose. Therefore, it’s important businesses implement retention periods, whilst having the ability to delete data effectively when retention periods have expired – both for data locally stored and in the cloud.

“Companies are able to achieve better data protection in today’s IT ecosystem through four critical measures.

  1. Visibility – IT needs the tools to know where sensitive customer data resides, how it is being processed, and by whom.
  2. DevOps – teams must be aligned to maintain security and compliance.
  3. Integrity – IT must validate structured and unstructured data automatically, and ensure that stored data is intact.
  4. Recovery – Organisations must ensure data is recoverable in a timely manner in the event of any physical or technical incidents.”