Data Privacy Day 2024: Expert Opinions Shape the Week’s Discourse

Users must accept marginal security hassles as a tradeoff for greater privacy as dictated under this year’s theme of ‘Take Control of Your Data.’

January 24, 2024

Data Privacy Day 2024
  • As Data Privacy Day approaches on Sunday, January 28, Spiceworks spoke with several experts for their views on privacy-related affairs across industries.
  • The National Cybersecurity Alliance (NCA) has themed Data Privacy Day 2024 as Take Control of Your Data.

Data Privacy Week 2024, the week running up to January 28, when Data Privacy Day is observed each year, had a rather ominous start. On Monday, January 22, researchers at SecurityDiscovery and CyberNews uncovered a supermassive database of leaked data amounting to 12 terabytes.

The Mother of all Breaches (MOAB) contains a mind-boggling 26 billion records of data stolen in previous breaches, leaks, and privately sold databases over the years.

The only saving grace from the revelation is that the data was accumulated and not stolen in a new breach. “I think most people in this world now correctly think that at least some portion of their personal information is available on the internet. A lot of the time, it is due to being tricked by social engineers or phishing emails. Other times, it’s due to compromised websites and databases,” Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, told Spiceworks.

“Either way, most of us have some portion of our private information out on the internet available to anyone. It’s a sad fact of life, and I wonder how it impacts younger people and society overall to grow up in a world where our private information is no longer private. I think you have one side that just accepts that’s the way the world works now. The extreme opposite side is aggressively working to remove all their information from vendors and the internet as best they can to go ‘off-grid.’ The MOAB database is just another data point supporting either group.”

It is unlikely that users will simply accept breaches as a way of life, and it is equally far-fetched to believe organizations will be able to stop the leaks entirely. Still, companies and individuals should educate themselves on each year's privacy requirements and spread awareness on the matter.

This matters because, as prevalent as data breaches and privacy violations are, users still choose convenience, which often trumps common sense and the knowledge that online services could share their data.

For instance, last year, 52% of business professionals were wary of sharing bank account information, which can lead to financial fraud, according to Aberdeen Strategy & Research’s Voice of IT survey. Additionally, 38% of respondents were aware of the risks of sharing account passwords, 38% of social security numbers, 12% of biometric identifiers, and another 12% of sharing credit card transaction history.

For identity theft, 43% of respondents in Aberdeen’s survey were concerned about sharing social security numbers, 38% of bank account info, 32% of account passwords, 17% of biometric identifiers, and 13% were worried about sharing names.

However, sensitive information can encompass much more than that, and users are probably unaware of the consequences of sharing data.

Data Privacy Day serves as an annual reminder to take notice of the successes and the failures of the year past and look forward to upcoming challenges. As the technology industry gears up to pledge cybersecurity and privacy resolutions, here’s what experts have to say. 

Gopi Ramamoorthy, senior director of security and GRC Engineering at Symmetry Systems, on what not to share

Ramamoorthy advises individuals to borrow the principle of Zero Trust for privacy-related decisions: avoid sharing personally identifiable information (PII) unless absolutely necessary, and avoid posting sensitive details such as home address, travel and family plans, and related information on social media. If you must share, verify the site's legitimacy and the security it implements (e.g., the communication protocols used).

“For organizations, GDPR articles 4, 5, and 6 can be referred to for guidance in deciding what personal data to collect and why. These three articles define the means and purpose of data collection and processing principles. Other privacy regulations have similar articles that provide guidance based on PII data collection. Once data collection and purpose are decided, adequate data security needs to be carefully planned,” Ramamoorthy told Spiceworks.

“Securing PII starts with Privacy By Design (PbD). The core principle of Privacy By Design is based on least privilege and a need-to-know basis. Organizations should have clearly defined and strict access controls around PII data based on regulations, policies, and procedures. Also, organizations should implement adequate logging and monitoring controls. For many tasks such as data discovery, classification, access controls, etc., the latest technologies can be used for effective security, automation, and scaling.”

See More: Data Privacy Nightmares In Smart Cars: Understanding The Risks

Kobi Nissan, CPO and co-founder of Mine, on navigating regulations

While the United States has yet to see lawmakers deliberate on and pass federal-level data privacy regulations, certain U.S. states, not to mention other countries, are ahead of the curve. The evolving complexity has compelled organizations to look inward.

“From talking to hundreds of companies and enterprises over 2023, nearly all mentioned wanting–needing–to get full visibility over their data stacks. The data privacy and governance community is finally in a place where solutions can offer them a single source of data truth, which will be vital as companies begin adopting AI-powered platforms,” Nissan told Spiceworks.

“Privacy requirements are at an all-time high with new regulations passing almost every week around the globe, so one of the main privacy trends of 2024 will be how companies react and approach this new slate of privacy responsibilities. The new business reality means tackling regular impact assessments, handling more data subject requests than ever, and sorting out the complex web of American privacy regulations.”

Patrick Harding, chief product architect at Ping Identity, on data management

Users sharing data with organizations extend a certain level of trust for responsible management. Harding told Spiceworks, “It’s up to organizations to ensure customers understand how data is collected and are given a clear opt-in or opt-out option to feel secure and respected. This transparency and accountability go a long way in instilling brand loyalty, long-term trust, and a positive customer experience.”

“Privacy is really about choice, trust, and giving customers autonomy over how their data is managed,” Harding added. However, “a disheartening 10% of consumers fully trust organizations that manage their identity data, and it shouldn’t be that way.”

“Customers just want to know their data is being protected and not exploited. The majority (61%) of global consumers report that having privacy laws enacted to protect consumer data and knowing that the website vendor is complying with those regulations makes them feel more secure when sharing their information online.”

Harding highlighted the importance of decentralized identity management.

Kevin Breen, director of Cyber Threat Research at Immersive Labs, on the role of humans in data (in)security

According to the 2023 Thales Global Data Threat Report, human error is the foremost cause of data breaches. Besides being routinely responsible for cloud misconfigurations, humans, who can be socially engineered, emerged as the top weakness for ransomware gangs to exploit in 2023, leading to breaches of casinos in Las Vegas and more.

“As sensitive data is increasingly pushed to the cloud and stored in global data centers, data sovereignty and security remain key issues facing CISOs and security teams this year. With the top cause for cloud data breaches being human error, it’s more important than ever to ensure that both security and DevSecOps teams continue to keep pace with the evolving threat landscape, continuously measure organizations’ cyber capabilities, and fill the skills gaps to better address such threats,” Breen explained.

“This goes beyond knowing the tools and techniques threat actors employ; it’s equally critical to know how to deploy and secure customer and personal data. This applies to both the architects behind data security and employees themselves.”

See More: What Have We Learned Five Years After Implementing GDPR?

Eric Scwake, director of cybersecurity strategy at Salt Security, on API security

Digital transformation initiatives propelled by the evolution of cloud, web-based services, and mobile have created a special need for application programming interfaces, or APIs. By definition, APIs relay sensitive data and application logic, so protecting this link between two or more software applications is pivotal to avoiding man-in-the-middle and other attacks that could blow open data security.

“As APIs are now touching this data more than ever, it’s essential to understand how they utilize it and promptly identify any potential risks. When considering data privacy, it’s crucial to consider the people, processes, and policies involved,” Scwake told Spiceworks.

He recommended that organizations follow these steps “to build a robust data privacy ecosystem where APIs become guardians, not vulnerabilities.”

  • Understand your APIs: Have processes in place to understand APIs used in your environment, including what data they access. Knowing this will allow you to apply policy governance rules to APIs across your organization.
  • Embrace access control: Implement strong authentication and authorization protocols to ensure only authorized applications and users can access data. Use multi-factor authentication, API keys, and granular access controls.
  • Encryption is everything: Encrypt data at rest and in transit, rendering it useless to any unauthorized eyes that might intercept it.
  • Vulnerability vigilance: Regularly scan your APIs for vulnerabilities and patch them promptly. Proactive monitoring is vital to staying ahead of evolving threats.
  • Transparency matters: Open communication is vital. Document your API usage policies and data privacy practices. Let users know what data you collect, why, and how they can control its use.
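The access-control, need-to-know and logging points above, and the Privacy By Design principles Ramamoorthy describes earlier (least privilege and strict, monitored access to PII), can be made concrete in a small API gateway. The following is an added example written for this article; it is not code from Salt Security, Symmetry Systems or any of the interviewees. The customer records, scope names and key-issuing scheme are all constructed for illustration. Keys are stored only as SHA-256 digests, each scope unlocks a specific set of fields rather than the whole record, any request for a field outside the caller's scopes is refused, and every decision is written to an audit log.

```python
"""Scope-based API-key authorization with field-level PII minimization and audit logging.

Hypothetical example (standard library only); names and data are constructed.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample record store for a hypothetical customer API.
CUSTOMERS = {
    "c-1001": {"name": "A. Example", "email": "a@example.invalid",
               "ssn": "000-00-0000", "plan": "pro"},
}

# Granular scopes: each scope unlocks only the fields a caller needs to know.
SCOPE_FIELDS = {
    "customer:read:basic": {"name", "plan"},
    "customer:read:contact": {"email"},
    "customer:read:ssn": {"ssn"},
}


@dataclass(frozen=True)
class KeyRecord:
    owner: str          # which service or user the key was issued to
    scopes: frozenset   # scopes granted at issue time


class ApiGateway:
    """Holds only SHA-256 digests of issued keys, so a leaked key table yields no usable keys."""

    def __init__(self):
        self._keys = {}       # key digest -> KeyRecord
        self.audit_log = []   # one entry per request, allowed or denied

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def issue_key(self, owner, scopes):
        key = secrets.token_urlsafe(32)
        self._keys[self._digest(key)] = KeyRecord(owner, frozenset(scopes))
        return key  # shown to the caller once; never stored in plaintext

    def revoke_key(self, key):
        return self._keys.pop(self._digest(key), None) is not None

    def _audit(self, **event):
        event["ts"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(event)

    def get_customer(self, key, customer_id, fields=None):
        """Return (status, body). Only fields covered by the key's scopes are ever released."""
        rec = self._keys.get(self._digest(key))
        if rec is None:
            self._audit(outcome="deny", reason="unknown_key", customer=customer_id)
            return 401, {"error": "unauthorized"}
        allowed = set().union(*(SCOPE_FIELDS.get(s, set()) for s in rec.scopes))
        requested = set(fields) if fields is not None else allowed
        denied = requested - allowed
        if denied:
            # Refuse the whole request rather than silently dropping fields, and log what was asked for.
            self._audit(outcome="deny", reason="insufficient_scope", owner=rec.owner,
                        customer=customer_id, denied_fields=sorted(denied))
            return 403, {"error": "forbidden"}
        record = CUSTOMERS.get(customer_id)
        if record is None:
            self._audit(outcome="deny", reason="not_found", owner=rec.owner, customer=customer_id)
            return 404, {"error": "not found"}
        body = {f: record[f] for f in sorted(requested) if f in record}
        self._audit(outcome="allow", owner=rec.owner, customer=customer_id, fields=sorted(body))
        return 200, body


if __name__ == "__main__":
    gw = ApiGateway()
    key = gw.issue_key("billing-service", ["customer:read:basic"])
    print(gw.get_customer(key, "c-1001"))                  # 200, name and plan only
    print(gw.get_customer(key, "c-1001", fields=["ssn"]))  # 403, scope does not cover ssn
    print(gw.get_customer("bogus", "c-1001"))              # 401, unknown key
    for entry in gw.audit_log:
        print(entry)
```

The design choice worth noting is that a request naming a field outside the caller's scopes is rejected outright and recorded with the denied field names, rather than quietly returning a subset: a burst of `insufficient_scope` entries for one key is exactly the monitoring signal the logging recommendation above is meant to surface.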

Philip George, executive technical strategist at Merlin Cyber, on post-quantum cryptography

George told Spiceworks that a breakthrough in quantum computing development is on the horizon and could happen in 2024. A sufficiently capable quantum computer is theorized to break existing data encryption standards, rendering them ineffective.

Thankfully, the National Institute of Standards and Technology (NIST) is expected to publish the first post-quantum cryptography (PQC) standards for quantum-resistant cryptography this year. “Security leaders and data-owners should follow NIST’s guidance and begin their internal preparations today,” George said.

“Primarily, this should entail establishing an integrated quantum planning and implementation team and mapping out cryptographic dependencies by conducting a full system cryptographic inventory. After conducting this inventory, security teams can implement a risk-driven modernization plan starting with business-critical and protected data (by law) systems.”

“These activities must happen in 2024 because threat actors are, in fact, already targeting encrypted data by taking a ‘steal and store now to decrypt later’ approach. Quantum computing-based attacks will become a reality soon, and we cannot wait until cryptographic relevancy is achieved to begin what may become the largest cryptographic migration in modern history/the history of computing.”

Closing Thoughts

Considering what experts had to say about privacy in 2024, it seems that while organizations face dangerous, constantly evolving adversaries, the onus is on them to do more.

“Privacy is personal,” opined Bhagwat Swaroop, president of Digital Security Solutions at Entrust. “The so-called conflict between ‘seamless user experience’ and security is over; the only answer is that security has to be welcomed as part of the experience. Breaches affect our livelihoods, reputations, and families, so a little friction is a feature, not a bug.”

However, will users accept marginal hassles as a tradeoff for greater privacy, as this year’s ‘Take Control of Your Data’ theme demands? The existence of the privacy paradox, i.e., the gap between people’s stated privacy attitudes and their privacy-compromising online behavior, suggests otherwise.

How can users shed convenience for greater privacy? Share your thoughts on LinkedIn, X (Twitter), or Facebook. We’d love to hear from you!

Image source: Shutterstock

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com