Considering the hundreds of millions of records exposed in data breaches just last year, the 12th annual Data Privacy Day could not arrive quickly enough.
On the plus side for privacy, at least for EU residents, GDPR went into effect last May and will soon be joined by the California Consumer Privacy Act and other legal movements designed to help stem the seemingly unstoppable tied of data breaches. However, new regulations are not enough to protect one’s data so cybersecurity experts are pitching in their thoughts on actions businesses and consumers can take to protect data going forward.
Although today focuses on privacy, Cyxtera CISO Leo Taddeo reminds the public the effect a lack of privacy has on cybersecurity.
“Privacy and security go hand in hand. Most cyber-attacks start with some form of social engineering. The more cybercriminals know about you, the more likely they can convince you to trust them. Be on guard. Learn the privacy policies of the organizations you do business with and don’t share your sensitive personal information with any organization that doesn’t value your security and privacy,” he said.
Rishi Bhargava, co-founder of Demisto, said boosting defensive abilities starts with strict passwords. As countless studies have pointed out consumers and businesses must make sure the same login credentials are not used across a variety of sites. The next step is adding a VPN.
“Whether employees are working from home or any other public location, organizations should ensure that Virtual Private Networks or VPNs are used. By combining encryption protocols and virtual P2P connections, VPNs protect any sensitive company data that employees might access while connected to non-enterprise public/private networks,” he said.
Some executives were bit more blunt in describing the mistake being made allowing very fallible humans to simply pick their own passwords.
“In giving users flexibility to set any desired password we fail to fix stupid. Carbon-based life forms cannot trip over creating secure passwords. Our challenge as system owners is to prevent users from doing lazy and stupid things. For example, so I don’t forget my password let me include my logon name in it plus by date of birth. Users will go out of their way, unintentionally, and do the least secure thing possible. As an administrator prevent it,” said Rod Simmons, VP of product strategy, active directory at STEALTHbits Technologies.
A good intermediary step is simply adding the additional layer of security that two-factor authentication supplies, many execs noted.
However, not everyone wants to place all the pressure on the individual, Michael Magrath, director of global regulations and standards at OneSpan is calling for new technologies and laws to help out.
"Privacy enhancing technologies including modern, frictionless authenticators including advanced biometrics should be part of the solution to properly protect data and keep it private. In addition, web platforms and mobile applications must be architected and developed with privacy and security in mind to protect consumers,” he said adding a prediction, "I expect that comprehensive, GDPR-like federal legislation will be passed in the 116th Congress. The legislation would hopefully leverage parts of GDPR, the California Consumer Privacy Act and the NIST Privacy Framework."
And when all the technical and legal frameworks are not enough to encourage companies to take data privacy serious there is always the big stick approach.
“France recently fined Google $57 million for a European privacy rule breach, resulting in Google’s largest penalty ever. Suddenly we’re putting a real price tag on data protection, or least trying to do so. The U.S. needs to create similar privacy laws to help protect consumers. CCPA is a good first step, but augmenting it with specific penalties will force compliance. Compliance will inevitably force protection which will lead to both security and safety,” said Rusty Carter, VP for product management at Arxan.
Even though there always will be more work to do on every front a recent Unisys survey of consumers found people are aware of not only the need to protect their data, but also which types of information they wish to keep under wraps:
· 42 percent don’t want their health insurance providers to track their fitness activity via wearable monitors to determine premiums or reward behavior.
· 38 percent don’t want police accessing data from their wearable fitness monitor at their discretion to determine if they were at a given location at a certain time.
· 34% don’t want medical devices such as pacemakers or blood sugar sensors to immediately transmit any significant changes to their doctor.
· 27 percent don’t want sensors in their luggage that communicate with an airport’s baggage management system like sending text messages when your luggage has been loaded/unloaded.
· 24 percent don’t want an emergency button on their smartphone or smartwatch to send their location to police if they need help.
· 21 percent don’t want an app on their smartwatch from their bank or credit card company to make payments from their watch.