Contactez-nous Suivez-nous sur Twitter En francais English Language

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Expert Commentary, Data Privacy Week 2024

January 2024 by cyber security experts

January 21 – January 27 marks Data Privacy Week 2024, an annual international effort to raise awareness about the importance of respecting privacy, safeguarding data, and educating individuals and businesses on data protection challenges. the expert commentary from leaders across the cybersecurity and tech space on the importance of this week as well as insights into how organizations can best safeguard their private data.

Omri Weinberg, Co-Founder and CRO at DoControl: “An often-overlooked aspect of data security, especially in SaaS environments, is the insider threat posed by employees. Collaboration through these platforms, while boosting productivity, can inadvertently lead to the exposure of sensitive information. It’s crucial for organizations to educate their teams on the risks of data sharing and implement robust controls to mitigate accidental breaches. Ensuring data privacy is a collective effort, where every employee’s awareness and vigilance are key.”

Gopi Ramamoorthy, Senior Director of Security and GRC Engineering at Symmetry Systems: “For individuals, data privacy should start with Zero trust. It is highly recommended not to share the personally identifiable data (PII) with any organization or any website unless required. If you are providing PI to a required site, always use caution to ensure the website that you are on is correct, legitimate and secure. There are many fake sites that collect personal data. Additionally, posting on social media and reacting to social media posts should be done with no sharing of personal information including sensitive information like home address, travel, family plans and related information.
For organizations, GDPR articles 4,5 and 6 can be referred for guidance to make decisions on what personal data to collect and why. These three articles define the means and purpose of collection data and processing principles. Other privacy regulations have similar articles that provide the guidance on the basis of PII data collection. Once data collection and purpose is decided, adequate data security needs to be carefully planned. Securing PII starts with Privacy By Design (PbD). The core principle of Privacy By Design is based on least privilege and need to know basis. Organizations should have clearly defined and strict access controls around PII data based on regulations, policies and procedures. Also, organizations should implement adequate logging and monitoring controls. For many tasks such as data discovery, data classification, data access controls, etc., the latest technologies can be used for effective security, automation and scaling.”

Eric Scwake, Director of CyberSecurity Strategy, Salt Security: “Data Privacy Week allows organizations of all sizes to reflect on their critical data and assess ways to ensure its safety and security. Customers and internal stakeholders trust organizations with their data, but the digital transformation has exposed it to more significant threats. As APIs are now touching this data more than ever, it’s essential to understand how they utilize it and promptly identify any potential risks. When considering data privacy, it’s crucial to consider the people, processes, and policies involved.

1. Understand your APIs: Have processes in place to understand APIs used in your environment, including what data they access. Knowing this will allow you to apply policy governance rules to API’s across your organization.
2. Embrace Access Control: Implement strong authentication and authorization protocols to ensure only authorized applications and users can access data. Use multi-factor authentication, API keys, and granular access controls.
3. Encryption is Everything: Encrypt data at rest and in transit, rendering it useless to any unauthorized eyes that might intercept it.
4. Vulnerability Vigilance: Regularly scan your APIs for vulnerabilities and patch them promptly. Proactive monitoring is vital to staying ahead of evolving threats.
5. Transparency Matters: Open communication is vital. Clearly document your API usage policies and data privacy practices. Let users know what data you collect, why, and how they can control its use.

These steps allow organizations to build a robust data privacy ecosystem where APIs become guardians, not vulnerabilities. Commit to securing these digital gateways and ensuring data travels safely in the online world this Data Privacy Week.”

Patrick Harr, CEO of SlashNext: “One of the biggest gaps in security postures today is how personal and corporate data is protected in the age of the hybrid and remote workforce. These blind spots are becoming more readily apparent as organizations and individuals adopt new channels for personal messaging, communications, and collaboration. Targeted phishing attacks in collaboration tools are becoming more common because the likelihood of success is higher than email phishing attacks. Users are not expecting phishing attacks in Teams or Sharepoint, and these attacks are often too sophisticated for a user to determine the communication is malicious. It’s also far less common for organizations to have security protections in place around these types of tools compared to email security solutions. And when a phishing attack succeeds, the cybercriminals capture private data, personal information, company data, or they may even install malware directly onto the device to facilitate ongoing attacks.

In 2023 especially, the introduction of Generative AI technologies like ChatGPT has been a game changer for cybercriminals, particularly in relation to cyberattacks launched through common messaging apps including email and SMS text messaging. These new AI tools have helped attackers to deliver fast moving cyber threats, and have ultimately rendered email security that relies on threat feeds, URL rewriting and block lists ineffective, putting organizations’ private data at high risk. In fact, SlashNext’s latest State of Phishing report revealed a 1,265% increase in phishing emails since the launch of ChatGPT in November 2022.

The best defense for an organization to protect against phishing and ensure the safety of both its corporate data as well as employees’ personal data is to always be one step ahead of the attackers. It’s crucial for cyber security protection to leverage AI to successfully battle cyber threats that use AI technology. You have to fight AI with AI.”

Philip George, Executive Technical Strategist, Merlin Cyber: “Year after year, Data Privacy Week invokes calls for better data protection practices, regulations and standards, and encourages individuals to be more conscious of how they share and protect their own personal data online. These are all important parts of the data privacy conversation, but this year a much stronger emphasis needs to be placed on post-quantum cryptography (PQC) and what organizations must be doing now in order to ensure data remains protected in the post-quantum future. Today’s data encryption standards will be ineffective against advanced decryption techniques fueled by cryptographically relevant quantum computers. Although commercial quantum computers exist today, they have yet to achieve the projected computational scale necessary for cryptographically relevancy. However, this reality may change quickly, considering the continued investment by nation states and private sector alike. Coupled with the growing application of ML/AI in the areas of research and development, the potential for more breakthrough developments in quantum computing remains high. Which means the chances for any of the aforementioned entities reaching quantum cryptographic relevancy are improving day-by-day.
NIST is expected to publish its first set of PQC standards this year, which will serve as an important step toward providing organizations with quantum resistant cryptography solutions. Security leaders and data-owners should follow NIST’s guidance and begin their internal preparations today. Primarily, this should entail establishing an integrated quantum planning and implementation team and mapping out cryptographic dependencies by conducting a full system cryptographic inventory. After conducting this inventory, security teams can then implement a risk-driven modernization plan that starts with business-critical and protected data (by law) systems.
These activities must happen in 2024, because threat actors are in fact already targeting encrypted data, by taking a “steal and store now to decrypt later” approach. Quantum computing-based attacks will become a reality in the near future, and we cannot wait until cryptographic relevancy is achieved to begin what may become the largest cryptographic migration in modern history/the history of computing.”

Manu Singh VP, Risk Engineering, Cowbell

"In today’s threat landscape, we are seeing the continued evolution and sophistication of cyberattack techniques and tactics, including bad actors circumventing multi-factor authentication (MFA) and accessing offline backup systems. What the industry previously considered ironclad defenses simply aren’t anymore. This Data Privacy Day, organizations should prioritize staying ahead of threats through:

Conducting a risk assessment to identify the vulnerabilities within the organization, and actioning on the findings. A risk assessment shows organizations what their architecture looks like, their vulnerabilities, and more. Addressing issues identified in a risk assessment puts an organization in a better position to deal with cyber incidents. If you work with a cyber insurance provider, ask them for your organization’s risk assessment report and how they can help you improve your cyber hygiene.
Upholding good cyber hygiene. While cybersecurity measures should be tailored to an organization based on its risk assessment, it’s important to follow basic best practices: adopt MFA, deploy an Endpoint Detection and Response (EDR) solution, keep up with patching, maintain good password hygiene by adopting a password manager, and have offline and tested backups/copies of all data."

Darren Guccione, CEO and Co-Founder, Keeper Security

Attacks are changing, protecting yourself isn’t

This Data Privacy Day, industry experts may warn about the new and novel ways attackers are violating your privacy and breaching your data. From the threats that come with generative AI to the rise of attacks targeting genealogy companies like 23andMe that hold highly sensitive personal information, it’s certainly clear the tools in a cybercriminal’s arsenal are growing more sophisticated. But the fundamental rules of protecting oneself in the digital landscape remain as relevant as ever. Basic cybersecurity measures, such as creating strong and unique passwords, enabling multi-factor authentication and keeping software up to date, are frequently overlooked. A recent study by Keeper found a quarter of IT leaders confessed that they even use their pet’s name as a password!

Take the following steps to proactively protect yourself in the evolving digital world:

1. Use strong, unique passwords for every account

2. Enable multi-factor authentication

3. Regularly update software

4. Employ strict privacy settings on apps and browsers

5. Avoid oversharing on social media

6. Back up your important data

Before finding yourself overwhelmed by all the ways cybercriminals can attack you, sit down and consider these basic cybersecurity measures and whether you are following them. Number one is critical, but difficult to achieve using just your memory, so consider using a password manager to safely and securely store and manage passwords. By taking these proactive steps, you can significantly strengthen your data privacy and reduce the risk of falling victim to both current and evolving cyber threats.

John A. Smith, Conversant Founder and CSO

Cyberattacks are the top global business risk of 2024. Data Privacy Week provides organizations an opportunity to raise awareness about data privacy issues and associated security risks, educate individuals about protecting their personal information, and promote more secure organizational data practices.

In today’s digital age, most enterprises obtain personal and confidential data from their employees, customers, and stakeholders, making them vulnerable to a cybersecurity attack or data breach. All organizations have a responsibility to protect their data; many (such as law firms and healthcare institutions) have a fiduciary duty to protect sensitive information regarding clients. These businesses are built on trust; and in many cases, lives and financial well being depend on it; both can be easily and irreparably harmed if data is compromised. Organizations should consider the following to increase data privacy and security within their company:

Adhere to regulations and compliance requirements: Enterprises should constantly review and be aware of data privacy regulations, such as GDPR, CCPA, or other regional laws.
Understand that compliance isn’t enough: While security frameworks and mandatory compliance standards must be met, they in no way guarantee security: These frameworks and compliance standards should be viewed as a minimum floor. Threat actors are not limited to the guardrails within these frameworks, and threat actor behavior simply changes faster than the frameworks and standards can keep pace with. It’s essential to have a layered security program across people, process, product, and policy that protects the entire security estate with redundant controls.

Measure your secure controls against current threat actor behaviors: By implementing robust security protocols and conducting regular security assessments against current threat tactics, organizations will know where their vulnerabilities lie and how to protect them. Threat actors are exploiting things that make the users’ experience easier, such as Help Desks that provide easy access and few verification steps, self-service password tools, weak forms of MFA, etc. To keep up, companies must trade some levels of user convenience for more stringent controls. Know your limitations: Most organizations have gaps in security controls and orchestration because they lack access to breach intelligence—how threat actors are causing damage technically. It’s those very gaps that threat actors seek and prey upon. It’s important to seek expert assistance to gain breach context and act without delay. While addressing these gaps may require additional capital investments, it will be far less than the cost of a breach, its mitigation, and the long-term fallout.
Change your paradigms: Systems are generally open by default and closed by exception. You should consider hardening systems by default and only opening access by exception ("closed by default and open by exception"). This paradigm change is particularly true in the context of data stores, such as practice management, electronic medical records, e-discovery, HRMS, and document management systems. How data is protected, access controls are managed, and identity is orchestrated are critically important to the security of these systems. Cloud and SaaS are not inherently safe, because these systems are largely, by default, exposed to the public internet, and these applications are commonly not vetted with the stringent security rigor.

Most breaches follow the same high-level pattern: While security control selection and orchestration are important, ensuring a path to recovery from a mass destruction event (without paying a ransom) should be the prime directive. Organizations should assume a mass destruction event will occur, so that if it occurs, they can have confidence in their path to recovery.

Data privacy is not just a technical concern, but a crucial tenet of ethical business practices, regulatory compliance, and maintaining the trust of individuals who interact with your business. It has become an integral part of building a secure and resilient digital economy.

Ratan Tipirneni, President & CEO of Tigera

This Data Privacy Awareness Week, enterprises and small businesses alike should prioritize holistic cybersecurity. While Kubernetes adoption has taken off, most Kubernetes teams haven’t implemented adequate posture management controls. They continue to implement the minimal level of security mandated by compliance requirements. This bubble is about to burst. This will manifest as stolen data (data exfiltration) or ransomware. However, this can be easily prevented through effective posture management to ensure that the right egress controls and micro-segmentation is in place.

Rick Hanson, President at Delinea

The end of privacy as we know it might be closer than you think. The world is increasingly relying on more AI and machine learning technologies. This reliance could result in privacy becoming less and less of an option for individuals, as AI’s capabilities in surveillance and data processing become more sophisticated.

2023 marked a significant leap in the authenticity of deepfakes, blurring the lines between reality and digital fabrication, and that is not slowing down any time soon. Our digital identities, extending to digital versions of our DNA, can be replicated to create digital versions of ourselves, which can lead to questioning who actually owns the rights to our online personas.

Unfortunately, advancements in AI technologies are evolving more swiftly than current regulations can keep pace with. In 2024, we can expect stricter data protection requirements across more countries and regions. But until these regulations evolve and can keep pace, it is important to reduce our risk and protect our privacy however possible.

One of the best ways to do this is to continuously check each application including what data is being collected and processed, and how it is being secured. Use a password manager or password vault to securely store credentials, and leverage multi-factor authentication (MFA) to ensure credentials don’t get exploited by forcing whoever the user is to prove its identity beyond just a username and password. In the event that a data privacy breach does occur, it is also important to have a cyber insurance policy in place to ensure you’ll have the means to continue to operate and recover.

Michael Brown, Vice President of Technology at Auvik

The evident tension between employee monitoring and personal privacy makes it imperative for companies to find and maintain an appropriate balance that upholds critical visibility while respecting boundaries and adhering to data privacy laws.

With the continued expansion of remote and hybrid work, there is a heightened necessity for employers to keep a close eye on the way that employees are utilizing devices and applications in their daily routines. In addition to providing valuable information about the types of and ways in which technology is being used, employee monitoring ensures that installed applications are up-to-date, protects against known security vulnerabilities, and identifies potential productivity improvements. However, maintaining data privacy during this process is critical; when boundaries are overstepped and certain kinds of information is collected, this can feel invasive to employees and result in reduced morale as well as the potential violation of data privacy laws.

On one end of the spectrum, monitoring an employee’s every action provides deep visibility and potentially useful insights, but may violate an employee’s privacy. On the other hand, while a lack of monitoring protects the privacy of employee data, this choice could pose significant security and productivity risks for an organization. In most cases, neither extreme is the appropriate solution, and companies must identify an effective compromise that takes both visibility and privacy into account, allowing organizations to monitor their environments while ensuring that the privacy of certain personal employee data is respected.

See previous articles


See next articles

Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55

All new podcasts