After a volatile 2021 for cybersecurity and fraud risks, we expect similar threats to continue into 2022.
But ignoring some of the high-profile cyber terrorism threats to governments, amid rising political tensions in Europe in particular, there’s a lot that data privacy professionals will need to consider when it comes to addressing the threats that face individuals and enterprises every day.
With many of our interactions being touched by a digital element today, whether at work, while shopping, travelling or booking appointments, enterprises and organisations have become inundated with data. But it’s not always clear what privacy risk this data poses.
With this in mind, let’s explore what some experts in the tech industry think about the state of data privacy for 2022.
Data is more prevalent than ever – putting enterprises and individuals at risk
Indeed, this is echoed by Rick McElroy, Principal Cybersecurity Strategist, VMware, who points out, “we’re all familiar with the concept of The Great Resignation, but what organisations need to be hyperaware of is its significant impact on insider threats. The number of employees that have left a company but still have access to the network or proprietary data – whether accidentally or purposefully – has significantly increased. Malicious actors know this and will start to target these employees to either carry out cyberattacks or plant ransomware.”
Similarly, Matthew Peake, Global Director of Public Policy, Onfido, argues that “account opening processes often force us to hand over personal information to the companies we interact with. And not just our contact details. Between the online services that many of us sign up for, these companies know our mother’s maiden name, our first pet’s name, our first school, and a plethora of other personal facts about our private lives. We have come to assume that revealing this information is necessary to guarantee the security of our online accounts.”
Indeed, David Higgins, EMEA Technical Director at CyberArk, points out, “it’s not just humans that are susceptible to clicking on the wrong link or are perhaps a little too cavalier about what they share about themselves. Software bots have sharing issues too, and this Data Privacy Day we highlight how we can better protect the data that they access from being exposed.”
Finally, Karen Worstell, Senior Cybersecurity Strategist at VMware, notes that “as we settle into a new era of anywhere work, enterprises must understand that data privacy practices rest on a foundation of strong cybersecurity controls. Data Privacy Week is a time for organisations to set goals for implementing best practices that improve data protection and cybersecurity. These include robust vulnerability management, implementing multifactor authentication, threat hunting, and network micro-segmentation, among others.”
Cybercriminals are only getting smarter
Chris Butler, Lead Principal Consultant, Resilience and Security, Sungard, points out, “in 2021, 39% of UK businesses reported suffering some cyber security breach. It remains one of the highest board-level concerns and sits at the top of enterprise risk registers. Large investments are being made into stronger data protection and backup policies to ensure the speedy recovery of business operations following an attack, particularly if that attack involves ransomware.”
Indeed, according to Simon Mullis, CTO at Venari, “End-to-end encryption is often touted as a silver bullet in reducing the consumer risk of enterprise data breaches, with 62% of the top 1000 global websites now supporting the latest version of TLS 1.3. But cybercriminals are now also reaping the benefits of the total encryption of network traffic to conceal malware communications and exfiltrate data undetected.”
What can enterprises do to protect themselves?
It’s not all doom and gloom, however. There are actions that organisations can take proactively. Graeme Cantu-Peak, CISO, Matillion, argues that “all big cloud players have security and regulatory compliance measures in place. So instead of asking, ‘is my data secure in the cloud?’, cloud users should ask themselves, ‘am I using the cloud securely?’ For example, in your enterprise cloud strategy, you should mandate that data is properly encrypted during every step of the data journey, and that necessary security controls are in place.”
Additionally, David Warburton, Principal Threat Research Evangelist EMEA, F5, suggests, “more businesses need to look into ‘privacy by design’. For example, from the concept stage of developing an application onwards, consider how an individual’s privacy and life would be affected if their data was made public. This is a core concept of GDPR. Think about what data is needed, how long it needs to be kept, and how it is protected. If the data is no longer required, you also need to know when to delete it. These are big considerations with lots of pitfalls. Today, applications are increasingly spread across different locations and cloud providers, so data privacy must always be front of mind.”
As Erez Yalon, VP of Security and Research, Checkmarx, notes, “developers are constantly handling data in the creation and updating of applications, and ensuring the security of this data is a critical part of application security. This is something which can easily be overlooked, especially by developers who create customer-facing software solutions. By implementing checks and adding governance rules to AppSec models though, software teams can ensure their applications aren’t only secure from traditional threat actors, but that the data they’re using is governed correctly.”
Finally: how can technology help?
According to Adam Mayer, Senior Manager at Qlik, “Data Privacy Day is also a timely reminder to take a look beyond the usual access controls and think about how analytics could be used to support compliance. Analytics programmes can help IT teams visualise who has access to what information and if that remains relevant to their role. This helps businesses introduce real intelligence into the management of data privacy to reduce the risk of human error and streamline processes for IT teams.”
In addition, Matthew Peake, Global Director of Public Policy, Onfido, states, “modern identity verification technology, such as using biometrics, uses physical identifying features rather than personal information for account authentication. This puts control firmly back in the consumer’s hand over what information they want to reveal to the companies they interact with.”
Finally, Shakeel Itoola, Chief Information & Data Officer, Demand Science, points out that with the right technology in place, there’s no reason that data privacy regulations need to be a burden. Indeed, as he states, “Governments around the world are cracking down on how data is used with laws like Europe’s GDPR and California’s consumer privacy act. This increased regulation and awareness have been important and necessary in today’s digital age. But, it has created new challenges for businesses, who often rely on data insights to inform their decisions—especially B2B marketers who have increasingly turned to data models and analytics to identify potential leads.
“This does not mean the end for business use of data. Instead, they should focus on using contextualised data, becoming more prevalent within several industries. Contextualised data combines generic data with synthetic data, creating training data for AI models to accurately manage real-time behaviours, provide personalised experiences, and manage pipeline activities.”