As the breadth of cybersecurity threats grow, there is increasing pressure on organisations to ensure the protection of sensitive personal, financial and operational data. Failure to do so could cause major reputational damage, an extended period of operational disruption and leave organisations on the wrong side of regulatory rules, like GDPR.

A recent study from VMware found that 84% of companies felt they had too much data, while only 19% have any formal incident response plan in place, in order to respond to an attack.

In support of Data Privacy Week which culminates in Data Privacy Day (28^th January), leaders from across the cybersecurity community have offered their views on the trending threats facing data privacy, and how organisations can best protect themselves:

Attack vectors and surfaces are only increasing

Simon Mullis, Chief Technology Officer at Venari Security, explains that the necessary adoption of encryption has facilitated further data privacy risks: “Organisations must gain better visibility of their encrypted communications if they are to limit the risk of data breaches and ensure full regulatory compliance.”

“Not only do organisations routinely fail to apply best practice to their use of encryption across the enterprise, but the current system of decryption before detection simply isn’t sufficient, owing to financial and time constraints and the sheer volume of traffic organisations are expected to handle and protect. Instead, organisations should adopt a ‘measure and mitigate’ approach, using behavioural analytics to detect illegitimate activity and understand what is happening on their network at any given time.”

Furthermore, Graeme Cantu-Park, Chief Information Security Officer at Matillion, explains that data privacy concerns are growing alongside the adoption of the cloud, with businesses using it “to store and analyse petabytes of data every day. Consumers and businesses alike rightly remain cautious about how, why, and where their data is stored and processed, so organisations need to promote transparency and help customers better understand data privacy and security in the cloud.

“As businesses adopt SaaS and cloud-based compute and storage, understanding the shared security model is essential. Clear delineation of security responsibility should be understood by both parties to ensure configurations are in line with your personal or organisation appetite and policy.”

The value of data privacy training

Adam Mayer, Director at Qlik, believes that Data Privacy Week should act as an important reminder: “Every individual within an organisation requires a basic understanding of their internal privacy rules and regulations. It has become more important than ever for organisations to ensure they implement good practice, as not adhering to stringent guidelines can have serious financial repercussions.

“Our research found that by 2030, businesses will have “Chief Trust Officers” in place that will be responsible for setting the foundation of governance, outlining policies and procedures for all staff to follow.”

Daniel Ostoïc, Human Resources Manager, F5 agrees, explaining that Data Privacy Week “provides an opportunity to educate a wider range of people, not just those working in dedicated security teams or governmental bodies, on the roles they can play to build a world where data is secure. This is key, as isolated data security stakeholders can sometimes feel powerless if they are the only ones caring about data protection.”

This is echoed by Paul Dettman, Data and Product Manager at Grayce, who adds, “With our lives becoming more intricately enmeshed in digital, businesses should look to make everyone in their organisation, not just the traditional IT and data teams, undergo data literacy training. Businesses can strengthen the security around their data by ensuring all employees understand the risks around data.”

Tom Richardson, Media and Broadcast Lead at Exponential-e, echoes this point by adding “Every piece of data must be defended with effective procedures and protocols alongside training for staff at all levels to ensure they’re aware of the risks and how to mitigate them.”

Jonathan Nguyen-Duy VP, Global Field CISO at Fortinet concludes, “When it comes to data protection, there is still a lot of education and work that needs to be done when it comes to good data hygiene. Does the network include sophisticated data protection measures such as threat prevention and detection, pseudonymisation of personally identifiable information, and internal segmentation to isolate and track customer and employee data? Is there a documented and tested data breach response plan? If they are unable to answer “yes” to all these questions, then they likely won’t meet the standard for existing data privacy regulations.”

A shared responsibility

In addition to workplace training, Rick McElroy, Principal Cybersecurity Strategist, VMware believes that consumers still need to be savvy about their data. “Consumers should be educated on and aware of the actual risks of using the latest “on trend” app. Privacy should be presented in a way that is more easily understood by younger generations, otherwise we are missing an opportunity to meaningfully educate a whole population of people. The state of privacy is poor today, but with the right consumer engagement, it could help tip the scales back in favor of consumers.”

Indeed, Manju Kygonahally, CMT Industry and Consulting Head, Global Growth Markets, Cognizant, believes organisations should take data protection seriously no matter the age of the customer: “Some suggest that Gen X and Y are more concerned about their data privacy. But while older consumers may be more careful about what they share, this doesn’t mean they’re less at risk. As we get older, we can rack up hundreds of companies that all have information on us, creating a large threat surface.

“Meanwhile, Gen Z consumers tend to keep their data sharing to a much more intimate group of corporates, particularly social media giants. While the threat landscape for them is smaller, they’re sharing more information online with organisations whose tooling for tracking, interpreting, and sharing with business partners is particularly advanced.”

Finally, while changing working practices mean workers must be responsible for the data they’re sharing outside the of the office network, business leaders need to ensure they’re supported by the right systems that can help them stay safe. James Bristow, SVP EMEA of Cradlepoint, highlights that as more and more businesses are operating with permanent hybrid working models, with employees working from multiple locations in addition to the office and the home, “the need for a secure, reliable and easy-to-deploy network across all industries has never been greater.”

“This extended WAN edge – encompassing physical sites, vehicles, and remote locations – creates a broad network attack surface. Integrating zero trust network access into their Wireless WAN architecture is one way to ensure that only authorised individuals can access critical data on a company’s network, reducing the risk of malicious actors, or even other employees, accessing sensitive information they shouldn’t.”

Prevention is better than a cure

Overall, data privacy is a crucial consideration for organisations looking to protect customer information, safeguard their own reputation and achieve regulatory compliance, and to save businesses from potentially highly damaging and costly slip-ups in this area. Specifically, business leaders should seek to remain vigilant to new attack vectors, as they continue to embrace new and emerging technologies, and should encourage everyone to take an active role in the data privacy process – no matter their age or position in the business.