privacy Archives - Security IT Summit | Forum Events Ltd
  • Covid-19 – click here for the latest updates from Forum Events & Media Group Ltd

Security IT Summit Security IT Summit Security IT Summit Security IT Summit Security IT Summit

Posts Tagged :

privacy

Normalising data leaks: A dangerous step in the wrong direction

960 640 Guest Post

It was only recently, in early April, when it came to light that the personal data from over 500 million Facebook profiles had been compromised by a data leak in 2019. And since then, an internal Facebook email has been exposed, which was accidentally sent to a Belgian journalist, revealing the social media giant’s intended strategy for dealing with the leaking of account details from millions of users. Worryingly, Facebook believes the best approach is to ‘normalise the fact that this activity happens regularly,’ and to frame such data leaks as a ‘broad industry issue’. 

It’s true that data breaches occur everyday, and are increasingly on the rise – new research predicts there will be a cyber attack every 11 seconds in 2021, nearly twice what it was in 2019. However, this doesn’t mean that it should be normalised. Quite the opposite in fact, explains Andrea Babbs, UK General Manager, VIPRE SafeSend...

Dangerously dismissive

The statement from Facebook is a very worrying strategy to come from a business which holds the personal and business data of millions across its platforms. Particularly in the wake of increasingly stringent regulations appearing globally, it is startling for such a large organisation to casually dismiss data leaks. To give businesses an excuse to no longer invest time, money and effort in data security is a dangerous step in the wrong direction.

Personal data is a valuable currency for cyber hackers, and individuals want to ensure it is protected. Leaking this confidential data, such as medical information, credit card numbers or personally identifiable information (PII) can have far-reaching consequences for both individuals and businesses. Keeping this data safe should be businesses’ number one priority. However, data is only as safe as the strength of an organisation’s IT security infrastructure and its users’ attention to detail.

A defence on multiple fronts

If you do not have the right technology in place to keep your data safe, then you will face problems – but the same goes for having the right tools and training available to your users. Data security is a difficult and never-ending task, one which requires ongoing investments on multiple fronts by every organisation in the world.

Particularly in the wake of COVID-19, businesses have had to transition to remote working and accelerate their processes to the cloud. Moving to cloud based security which moves with your users is key. And investment in user training will become more normalised because an uneducated workforce is a big risk to an organisation’s data security efforts. 

To combat such threats, deploying a layered security approach is necessary for both small and large businesses. In today’s modern threat landscape, a data protection plan needs to include cover for both people and technology at its core. There are innovative tools available, such as VIPRE’s SafeSend, which supports busy, distracted users to double check their attachments or recipient list before sending an email to help them make more informed decisions around the security of their data. Additionally, companies need to invest in thorough and more frequent security awareness training programmes, which include phishing simulations as a key component.

We will also see a bigger move towards Zero Trust Network Access (ZTNA) tools – which only allow people to access the data they need, not the entire network. There will be an evolution in this area, and protection for a workforce ‘on the go’ will become the standard, but with the same foundational principles of investing in the right technology, and the users themselves. 

Reputation and responsibility

No matter where users are or what they are doing, keeping security front of mind will be one way to ensure good IT security hygiene for businesses. Those who have already made significant progress in this area will reap the rewards in terms of safe data and reassured customers, clients and prospects. 

Businesses that get out in front of all areas of data loss, not just attacks from bad actors, are the ones that will do well in the long term. The ability to reassure customers and prospects of the safety of their data will become the new marketing message in the coming years, which is why attempting to normalise data loss could be so damaging to Facebook’s reputation.

Cyber threats are only going to increase in sophistication and become more personalised to the individual by using social engineering attacks or fileless based attacks. Attackers are going to continue to take advantage of current events, such as COVID-19, to trick users into clicking a link, downloading an attachment or signing into a phishing website etc.

Businesses of all sizes have a responsibility to keep data secure – and users must be a part of the solution, rather than the problem. In order to do this, businesses need to place cybersecurity as a priority throughout their processes and invest in the right tools and training to make this more of a business-critical solution, and less of an ‘emerging necessity’ as it is now.

GDPR

The data dichotomy and the vital importance of effective self-regulation

960 640 Guest Post

The data privacy debate that has raged for the past decade has patently failed to meet the needs of either industry or consumers. Legislative change continues to challenge digital marketing models – and has had little impact on consumer trust: Edelman’s 2021 Trust Barometer cites an era of “information bankruptcy”, with global trust levels at an all-time low. What has to change? John Story Vice President, Deputy General Counsel Global GTM, Acoustic, EMEA, explains why effective self-regulation is a vital step in rebuilding consumer trust...

Ethical Challenge

Data privacy is once again, front and centre of the advertising and marketing debate. From the imminent demise of third-party cookies, to ever-increasing privacy regulations including GDPR, UK DPA 2018 (essentially the post-Brexit version of GDPR), and the Privacy and Electronic Communication Regulations (PECR)—as well as the latest Apple / Facebook ad tracking row–it’s easy to see how consumers and marketers alike might be scratching their heads over where, how and why data can be used.

Marketers are justified in bemoaning the impossibility of doing an effective job or meeting customers’ desires for better, more relevant and personalised messaging given the increasing constraints placed by legislative change. But the industry needs to face facts: it has been too slow and too reactive. 

Just consider the inadequate industry response to scandals such as Cambridge Analytica’s data misuse. Effective self-regulation should have become an absolute priority, yet little happened. When the industry fails to step in and address its problems, when companies sit and wait for a major issue to emerge and only then attempt to address the fall out, legislators feel they have little option but to intervene. The results are more often than not to the detriment of everyone in the ecosystem.

Effective Self-Regulation 

For marketers, consumer trust is essential to survival – and the onus is on the industry to rebuild and sustain that trust. Which is why, however the motives are perceived, Apple’s recent move is a positive step in reinvigorating the debate and, hopefully, accelerating the adoption of the effective self-regulation that will rebuild consumer trust and confidence.

Improving the way companies – of every size – notify consumers, then request and honour consent is an indispensable step in the creation of an industry that truly recognises the importance of ethical behaviour. By finding a way to convey a commitment to data privacy without confusing or overwhelming the end customer, the industry can avoid the risk of further inappropriate or clumsy legislation – legislation that is both implemented inconsistently and fails to improve consumer confidence.  

Legislation takes too long to devise and ratify – making it technologically out-of-date by the time it is enforced. Even worse, once in place, it’s incredibly hard to change. It also rarely achieves the essential change in attitude to data ethics and data privacy that’s required. Legislators may hope fines encourage organisations throughout the data ecosystem to modify behaviour, but when the culture is one of enforcement the modification in behaviour is often the minimum required to avoid future sanction.  

Take Ownership of Data Ethics

Public trust can be rebuilt and maintained if the industry takes appropriate, ethically sound, self-regulatory steps that evolve with technology and public perception. There should then be little call for regulators and governments to step in and impose stifling legislation.

However, it’s important to recognise that this affects every company, every marketer, and every MarTech provider. This is not just an issue for the large technology companies. Indeed, given the fact that Apple remains a lone voice and there has been little sign from Google or Facebook of a willingness to put effective self-regulation ahead of revenue generation goals, unless marketers and MarTech companies highlight the ethical data privacy debate and take action, change won’t occur.

This is nothing new: the marketing and advertising industry has always worked together on self-regulation – from the development of advertising standards onwards. The only change is the technological context. Abdicating responsibility for data privacy and a commitment to data ethics will only erode public trust further and lead to the imposition of additional legislation.

Conclusion

We have seen the changes that can be achieved as a result of high-profile debate. With recent concerns about hateful content and misinformation online, for example, social media providers took positive steps to self-regulate;  they recognised that working effectively together was important to create a long-term future for their platforms. The next step must be to encourage the same levels of effective self-regulation around data usage and advertising.

Apple has nudged open the debate on data privacy and data ethics. The onus is now on players throughout the industry to push that door wide. Public trust is imperative – and that means effective self-regulation and the creation of a data ecosystem built on transparency and informed consent.

STUDY: Covid-19 technologies must be regulated to stop ‘big brother’ society

960 640 Stuart O'Brien

Technologies, such as track and trace apps, used to halt the spread of covid-19 have to be thoroughly examined and regulated before they are rolled out for wider adoption, to ensure they do not normalise a big-brother-like society post-covid-19.

That’s according to research conducted by Jeremy Aroles, Assistant Professor in Organisation Studies at Durham University Business School, alongside Aurélie Leclercq-Vandelannoitte, Professor of Management of Information Systems at IÉSEG School of Management, which draws from the concept of ‘societies of control’, developed by the French philosopher Giles Deleuze, in order to analyse the technologies currently being used to tackle the covid-19 pandemic.

Whilst the study acknowledges the public health benefits of these technologies, the researchers state we must be wary of what technology is rolled out by governments and critically cross-examine these.

Dr. Aroles said: “Presented as ways to curb the immediate progression of the pandemic and improve safety, the acceptance and use of these technologies has become the new “normal” for many of us, therefore it is important that these systems of control are heavily vetted and cross-examined before being rolled out to the wider public.”

The researchers suggest three solutions regarding the development and use of covid-19-related technologies.

First, the public should question the locus of collective responsibility. Increasingly complex systems of control and surveillance have been fuelled by our reliance on technology which, the researchers say, has blurred our understanding of the boundary between “good and bad” or “right and wrong”.

Second, more must be done to raise people’s awareness of how digital technologies work, and the risks of adopting them across society. People are often, rightly, concerned over their privacy and the sharing of their data. It is therefore crucial that these technologies are transparent and actively help individuals fully understand the ramifications of the control systems they’re opting in to.

Third, given that covid-19 tracking technologies are developed by companies for the benefit of governments, it is vital that greater regulation of the partnerships between state authorities and companies is adopted. Alongside this, it is also important that counter-powers such as journalists and the public hold these partnerships to account, to ensure they do not violate the privacy of citizens for financial gain.

The researchers state that it is important the covid-19 pandemic is not utilised as an opportunity to enforce a society of control and to normalise greater surveillance. They suggest that researchers or bodies specialising in the management of information systems should be brought in to supervise the developments of digitally enabled control systems, such as covid-19 apps, and not to abandon them to companies that could violate the privacy of citizens.

Ecommerce explosion ‘opens cyber attack floodgates’

960 640 Stuart O'Brien

According to the Global Information Security Survey by Ernst and Young, customer information is the most valuable type of data for most attackers.

The threat to cybersecurity and privacy is increasing: about 6 in 10 organizations (59%) have faced a significant incident in the past 12 months, and 48% of executive boards believe that cyber attacks and data breaches will more than moderately impact their business in the next 12 months. 

Data breaches involving payment fraud and other issues related to online security have skyrocketed over the past few years, coinciding with the growth of the e-commerce industry, especially during the COVID-19 mandated quarantine regime. Measures to protect businesses and customers against cyber threats have never been more important.

One challenge that has grown for e-commerce businesses is that of open-source software vulnerabilities, according to NordVPN. Open-source software uses code that anyone can view, modify, or enhance. And while it has been hugely valuable to e-commerce businesses, it also carries a number of cybersecurity challenges.

‘’Open-source software is popular because it is often free to use or can be modified to suit the individual needs of a business. But this popularity means that any vulnerabilities found in the code can be a massive problem across a huge number of websites. Add in the changes COVID-19 has brought, and this problem has intensified a lot. Companies should really start making technical improvements to their websites fast if they want to avoid a potentially catastrophic breach. If they continue using unpatched, open-source software with vulnerabilities, they’ll leave themselves open to attacks,’’ said Juta Gurinaviciute, Chief Technology Officer at NordVPN Teams.

Another issue businesses are facing is the rise in attacks on outdated or fake plugins. When used on companies’ websites, these compromised plugins can lead to the spread of malware. One such issue is e-skimming — an attack where malware infects online checkout pages to steal payment and personal information of shoppers. E-skimming is getting more common — companies both large and small have been hit by e-skimming attacks in the past two years, and that includes big names like Macy’s, Puma, and Ticketmaster. 

Other security threats to e-commerce sites include phishing, ransomware, SQL injection, DDoS attacks, and cross-site scripting (XSS).

E-commerce websites hold a lot of valuable data about their customers, and that makes business owners a target. Customers put a lot of trust in the merchants they shop with, providing personal data and sensitive payment information with every purchase. Earning consumer trust is critical to a continued relationship. Once lost, earning it back is really hard.

Businesses are also required to meet various compliance standards, and fines can be levied if those are not met. In case of a breach, there is a whole host of other problems to address: forensic investigation, data recovery services, credit monitoring for impacted parties, and liability insurance to help mitigate this financial risk, to name just a few.E-commerce security is never a done deal. Threats and hacking methodologies evolve at an alarming rate, so maintaining awareness and a security-focused mindset is the key to staying secure. Layering multiple solutions for business security is one of the best ways to keep an online business safe against cyber attacks.

‘’Companies can start with their firewalls (including web application firewalls), making sure the connection is secure, ensuring that passwords are strong, implementing multi-factor authentication, using intrusion detection systems, and constantly monitoring and updating web platforms,’’ the NordVPN Teams expert added.

These are the key data privacy issues in 2020

960 649 Stuart O'Brien

Tuesday January 28th marked Data Privacy Day, the annual international day aimed at raising awareness of privacy and data protection issues and promoting best practices.

Here we’ve gathered up the thoughts of some leading figures from across the sector, covering everything from GDPR to biometrics and compliance, and what 2020’s priorities need to be…

Chase Buckle, Trends Manager, GlobalWebIndex

“In today’s post-Cambridge Analytica world, we’re witnessing a ground-breaking shift in consumer attitudes towards data, privacy and brand trust.

While GDPR has certainly shifted the balance of power, leading to new perspectives on consumers’ rights to share or withhold data online, 58% of UK consumers are still concerned about the internet eroding their personal data.

The increased awareness of how companies collect and use data online, also brought by events such as Data Privacy Day, has done little to alleviate concerns over online privacy more generally –  61% of UK consumers worry about how their personal data is being used by companies and 55% now prefer to be anonymous when browsing online.

This anxiety around online privacy and technology is most prevalent among younger age groups. These so-called digital natives are more conscious of the complexity of data security and technology, and are more aware of just how much they might not know around the issue. In fact, the younger the consumer, the more likely they are to say that they don’t feel in control of their personal data online, and that they just don’t understand new technology. 

Within this new digital landscape, company reputations hinge on their trust and transparency credentials over personal data. To build consumer relationships, trust has to become one of the core elements of any brand proposition.”

Nigel Hawthorn, data privacy expert, McAfee

“Over a year after the EU’s General Data Protection Regulation (GDPR) came into force, the regulatory bodies are changing their focus from guidance to full enforcement. The GDPR framework serves as a driver for organisations to revisit their current processes and take full responsibility for how they process and store personal data. As the UK leaves the EU, this legal responsibility doesn’t go away. The UK government passed the Data Protection Act 2018 to provide an equivalent law to GDPR. As we’re stepping into a new decade, we are seeing the rise of more regulations which put internet users first and a rise in the data stored in the cloud.”

“With the increasing reliance on the cloud, businesses need to be rest assured that they have complete visibility and control over data regardless of where it is. According to our latest research, 40% of large UK businesses expect to be cloud-only by 2021. What we’re going to see in 2020 is even more data and applications shifting to the cloud – and where they migrate, cybercriminals will follow.

Today, we should recognise that the age of the cloud is here. Whether businesses are cloud-only or shifting towards a cloud-first approach, the key is to make sure it isn’t an easy target for cybercriminals.”

Zachary Jarvinen, Head of Product Marketing, AI and Analytics, OpenText – “As we welcome in another Data Privacy Day, this date – and what it represents – has never been more relevant or more important.

“It’s clear that 2020 will be the year that the rest of the data privacy iceberg begins to emerge. While regulations like Europe’s GDPR and the California Consumer Privacy Act (CCPA) have already been established, new regulatory developments surrounding data privacy are continually coming to light.

“Although these regulations have their inherent differences, the general scope of data privacy laws is to give consumers the right to know how and what type of personally identifiable information (PII) is collected, and the option to take legal action in the event that they should incur damages from bias or data security breaches. In 2019, 53% of consumers stated that they would cancel a transaction if they didn’t like something in the privacy policy – more must be done this year to make sure data privacy and protection is a top priority for companies.

“Until now, most organisations have focused their efforts on structured information, but they must also be able to understand what PII is located in textual documents. Archived data, in particular, is an especially pressing concern for most enterprises. AI-powered solutions will be instrumental in locating sensitive data and managing it through automated workflows. Today, organisations will also need to establish internal data governance practices to determine who is accountable for data security and enterprise-wide policy, which may include creating teams that blend technical and regulatory expertise.

“It’s also a great time to get started with a career in the industry. Over the past four years there has been a 75% increase in jobs with “privacy” in the title. Privacy is hot. And, finally data protection is at the table for new initiatives and technology decisions.”

Simon Wood, CEO, Ubisecure  “The topic of data privacy could not be more relevant in the current cybersecurity landscape. Last year, for example, a number of headline-hitting data breaches were revealed to be a result of misplaced security design choices – demonstrating the damaging consequences of underestimating security requirements. 

“A large cause for concern here is when it comes to businesses building identity management functionality in-house. No matter how big the development team some companies may have, a lack of experience and resources in cybersecurity areas like identity management means that building such features internally comes with increased risk. Faced by tight deadlines and pressure to get applications to market as fast as possible, teams are challenged to build functionality that properly adheres to privacy by design and proven security methodology. Often, we see the impact of not doing so through the breaches that take advantage of weak authentication policies and a failure to keep data privacy central to the whole design process. 

“One way for tech leaders to solve this problem is to deploy Identity-as-a-Service (IDaaS) solutions – cloud based authentication and identity software or APIs already proven and in use in the market. Such solutions allow teams to integrate identity features into applications as securely and as seamlessly as possible, without reinventing the wheel each time. Ultimately, this on-demand expertise reduces the risk of data breaches caused by employee-led error and places data privacy at the forefront of the development process.“

Gijs Roeffen, Director IT & Security at EclecticIQ – “As data breaches continue to hit the headlines, businesses and consumers alike are becoming more and more aware of the need to protect their data. Here are a couple of simple tips to help keep your personal information secure: 

Swap PIN codes for biometrics

“When it comes to passwords and PIN codes, people are creatures of habit. People not only use the same password across multiple online accounts, they will also happily use the same PIN code for their debit card and their phone, or a generic PIN number. In fact, cybersecurity specialist Tarah Wheeler recently shared the most common PINs used by smartphone users to secure their devices, and shockingly, the most common PIN number was 1234. 

“Passcodes and PIN numbers can easily be captured from a glance over someone’s shoulder, or can be photographed or filmed from another mobile device. Biometrics, however, such as facial recognition or fingerprints, are unique to the user and can’t be obtained in either of these ways, making them a much safer option than passwords and PINs.

 Safeguard your SMS messages

“While it is possible to intercept SMS messages over the air, it requires multiple factors to be aligned to be successful. Attacks on SMS are often very targeted, since intercepting SMS codes requires specialist knowledge and hardware. 

“Using a two-factor authentication, however, is an effective means of defence against account takeover, so be sure to check your SMS is protected. Alternatively, look into using an encrypted messaging service. Encryption jumbles the content of a message into random data until it is received on the other end, so if a hacker intercepts the message, they won’t be able to view it in full. Apple’s iMessage service uses encryption, as does WhatsApp, which works across both Android and iPhone devices.”


Ashley Bill, enterprise data consultant, Micro Focus – “Fortunately, life after the General Data Protection Regulation (GDPR) has seen organisations begin to change how they think about data privacy. While avoiding regulatory fines and reputational damage is often top of mind, savvy business leaders may also see the business benefits that effective compliance can bring: the ability to generate high quality, streamlined data that can be monetised through applying predictive analytics.

“By investing in optimised data management driven by compliance, organisations can effectively increase the value of their data. It not only saves them pouring significant amounts of time into making sense of exploding datasets, but also creates an environment where teams can effectively deploy predictive analytics to make informed decisions. Using insights gleaned from quality data, companies can better predict the preferences and behaviour of their target audiences to inform and maximise the potential of marketing, advertising and product development. Ultimately, accurately predicting what customers want and remaining a step ahead of competitors is the ‘holy grail’ of business success.

“If predictive analytics is essential for boosting business outcomes, data privacy compliance is a fundamental component. And looking ahead, it will be a major driving force behind the development of modern, ethical, data-driven organisations.”

Chris Greenwood, Senior Director and General Manager UK&I at NetApp

“Data privacy has moved beyond protection and is now a question of trust. 

“We, as consumers, trust organisations to handle our data in a secure, standardised and accountable way. But with 60% of UK businesses planning to migrate apps and data to the cloud within the next year, the risks are high. Combine this with the rise of 5G, edge computing and AI bringing about entirely new and disruptive ways to use data, organisations must ensure suitable safeguards are in place, tested and updated as we begin to unravel these various possibilities.

“75% of IT leaders anticipate that security will have the largest impact on their data strategy over the next 12 months. In order for privacy to succeed, it is the duty of companies and organisations to not only understand how and why data is being used, but also have the capabilities to remedy any ethical concerns which may naturally arise as new lines are drawn on what ‘is’ versus what ‘was’ acceptable as technology becomes ever more powerful.

“This can only be achieved by being able to see, access and conscientiously use data from any and every environment whilst affording the end user the means to control how and what data is there in the first place. Only then can user privacy truly succeed.”

Malcolm Murphy, Systems Engineering Director, EMEA at Infoblox – “You hear a lot of people in the industry talking about Zero Trust. Whist it is certainly a core element of improving data protection standards, we need to be more realistic about its wide-scale implementation.

“Despite the hype, no one is actually doing ‘Zero Trust’ yet. Putting the infrastructure in place to enable organisations to verify anything and everything trying to connect to its systems before granting access is a really hard thing to do, as we can’t easily layer it onto existing technology at scale.

“As it stands, we’re nowhere near being able to implement the Zero Trust concept at a cost-effective level, and this is unlikely to change in 2020 – and our data privacy may suffer because of it.”

“This approach will remain difficult, expensive and inconvenient. I think it will take a catastrophic event or new regulation to make organisations invest in Zero Trust, it won’t happen on its own.”

Paul Farrington, EMEA CTO, Veracode“Many businesses today are software-driven and they are conscious of the role software security plays in keeping data protected. There is a greater need to ensure security is a core part of the software development process going forward. As a new data-driven decade commences, businesses should empower developers by training them on best practices in secure coding and providing the tools to enable them to find and fix vulnerabilities in their software.

“We know that unresolved vulnerabilities that pile up over time, also known as security debt, can leave organisations exposed to data breaches. Hackers will continue to look for weak points at the application layer, which is still the predominant threat vector. By shifting security left, developers are able to fix vulnerabilities faster and more effectively, improving an organisation’s overall security and ultimately better protecting sensitive data. Across Europe, more businesses are learning that they are able to adopt application security without stifling innovation.”

Elodie Dowling, EMEA General Counsel, BMC Software

“With an increasing number of data protection laws around the world, data privacy remains a very pressing topic, and businesses such as cloud service providers continue to face an array of complex and logistical challenges to adhere to across their multi-cloud infrastructure, to ensure their customers’ data remains protected.

“Over the course of the last year, there have been a large volume of data breaches being reported. Data Privacy day comes as a very timely reminder for customers and their service providers to continue to work towards updating their existing privacy standards to a compliant level, while ensuring robust security is in place to protect customer data. Most recently, European regulators have imposed £97m in data breach fines, and businesses who operate within the cloud must remain vigilant to avoid similar penalties.

“It’s important once a business starts using a variety of cloud-based services and infrastructure to regularly carry out audits to ensure that systems and services being used remain compliant with data privacy laws. Under GDPR, personal data may not be stored longer than needed for the predefined purpose. Therefore, it’s important businesses implement retention periods, whilst having the ability to delete data effectively when retention periods have expired – both for data locally stored and in the cloud.

“Companies are able to achieve better data protection in today’s IT ecosystem through four critical measures.

  1. Visibility – IT needs the tools to know where sensitive customer data resides, how it is being processed, and by whom.
  2. DevOps – teams must be aligned to maintain security and compliance.
  3. Integrity – IT must validate structured and unstructured data automatically, and ensure that stored data is intact.
  4. Recovery – Organisations must ensure data is recoverable in a timely manner in the event of any physical or technical incidents.”