Data Privacy—Insights from the Cybersecurity Industry

What Can You Do to Ensure Customers and Employees Trust That You’re Protecting Their Privacy?

Data Privacy Day helps raise awareness and promote privacy and data protection best practices. With 2020 being a record year for data breaches, we reached out to the cybersecurity community to share their insights into how they emphasize data privacy and the importance of protecting personal information for employees or consumers. We asked for insights on what companies have learned from 2020, how the mindsets of security professionals have changed heading into 2021, and how organizations can demonstrate to consumers their personal data is protected and warrants their trust.

We heard from more than 40 experts, and below are some of the responses.

Carolyn Crandall, Chief Security Advocate, Attivo Networks

The year 2021 will be the time when people realize credential protection cannot be about just password protection and naming conventions. Almost every major attack involves the compromise of Active Directory. However, it has remained an underserved area of security control. The same can be said for credential misuse detection. Large mainstay security players have not developed technology to address the detection of in-network credential theft or attacker attempts to enumerate Active Directory, so we will see market challengers step forward with newer innovations. These new solutions will deliver not only detection capabilities but also limited trust models, so only the right people with the right credentials and the right approved tools can get access.

 

Anurag Kahol, CTO, Bitglass

Now that we have begun to see distribution of the vaccine, some may think it’s only a matter of time before “normal” in-office work resumes. However, that is not likely to be the case. Instead, we are going to see a permanent blend of remote and in-office work, as well as mobile employees whose workspaces are constantly changing. Organizations must be prepared to continue to operate in this manner while ensuring that data is secure no matter where or how it is accessed. 

 

Mike Behrmann, Director of Security, Blumira

The media largely overlooked FireEye’s exemplary conduct in the midst of a stock-rattling corporate crisis. FE maintained their integrity by not only responsibly disclosing embarrassing breach details, such as the compromise of all FE offensive tools, but also going the extra mile to help the world detect and remediate subsequent threats by offering hashes of their custom tools along with relevant indicators of compromise. Perfect information security is a myth and therefore cannot earn consumer trust alone. Information security excellence coupled with demonstrable corporate selflessness, the kind FE showed during this crisis, is how you earn consumer trust.

 

Tony Anscombe, Chief Security Evangelist, ESET

Privacy is becoming a front-and-center topic, with many companies needing to take stock and comply with legislation or face stiff penalties. Being transparent and ensuring the company’s privacy policy is easy to read and understand, and of a reasonable length (with a maximum read time of 5 minutes) will help create engagement with the consumer. The policy should also provide clarity on what data is collected, why it’s being collected and how the company intends to use the data and who it may be shared with. 

Matt Stamper, CISO, EVOTEK

Unfortunately for many organizations, their security and privacy teams are overwhelmed and operate independently of each other, and finding scarce privacy and security talent remains a challenge. When privacy and security teams collaborate, however, governance over personal data improves, and security practices are better aligned to organizational risk tolerances and privacy obligations.

Darren Guccione, CEO and Co-Founder, Keeper Security 

When the entire world migrated to a remote workforce, data privacy and security became vulnerable. Companies became anxious about protecting not only the organization’s data but also their employees and customers. The good news: More than half (53%) of respondents say their organizations are instituting the necessary security protocols to keep the network safe, and 50% of respondents say their organizations are encrypting sensitive data stored on devices.

 

Data protection includes data control. Companies can gain consumer trust by leaving the power in the hands of the consumers. A Zero Trust security framework and zero-knowledge security architecture does exactly that. It creates a double-blind situation, where service providers involved cannot decrypt and access the data that’s stored on their servers. Only the end users (consumers) know and have control over their information. 

 

Kristen Bolig, Founder, SecurityNerd

The shift to remote work was the main reason 2020 was a record year for data breaches. As more employees began to work from home, they lost many of the security benefits that come from an office setting. Many workers were forced to rely on unsecured networks. They also used their personal computers, which often do not include basic malware protections or antivirus software. Unfortunately, most people don’t know how to take basic steps to protect their or their company’s data. The lack of protection and basic security knowledge made for the perfect storm of data breaches.

 

Many companies learned that they must take steps to inform their employees of cybersecurity risks. They’ve begun to adopt continuing education to provide their workers with the skills they need to protect confidential data. They’ve also enforced stricter policies that prevent team members from participating in risky behavior. Rather than being reactionary, security professionals are becoming proactive about preventing data breaches of their remote workers. 

 

Robert E.G. Beens, CEO and Co-Founder, Startpage

Practice Privacy by Design, which requires brands to bake customer protection into the foundation of their organization. It may take more effort to achieve this, especially if a brand already has an existing service/solution, but it’s worth your customers’ trust. Another important element is Privacy by Default, which uses default settings that protects privacy and ensures minimal data collection, especially as most customers don’t reset their default settings. This leaves the choice to opt-in in customers’ hands. Brands should avoid collecting data just to suit their bottom line, instead collecting only data that is required. 

 

Rick McElroy, Head of Security Strategy, VMware Carbon Black

Organizations in 2020 learned that there were a number of areas in which they weren’t as resilient as they needed to be. Organizations have also learned that privacy is important to their customers, and many have had to pivot due to legislation to do the right things by their consumers. In the future, organizations should look to be proactive with privacy controls—it’s going to be a major business diversifier as consumers are seeking platforms they can trust. 

 

The rapid implementation of cloud security technologies has pivoted security professionals into a “cloud-first” mindset very similar to what happened with IT services and the cloud. This has a significant impact on the strategies deployed as well as the tools needed to defend. Security professionals have also shifted mindsets toward identity and endpoint being more crucial than ever to protect in the context of remote work. Security professionals are anticipating a hybrid approach, combining office and work from anywhere, and they are re-architecting their programs, as a result, to ensure organizations stay one step ahead of attackers. 

Marc Laliberte, Senior Security Analyst, WatchGuard Technologies

User privacy has been crumbling for years. Each new security breach and data dump further chips away at what little privacy does remain. Adding to the challenge is that connected devices are far more intertwined in our lives than ever before. We rely heavily on digital assistants such as Alexa or Siri, smart home management products, wearable technology and more. While these technologies do make our lives easier, the privacy and security risks are undeniable.

To expedite an even broader commitment to privacy, we believe users will finally revolt en masse and force into existence new privacy regulations for social media services, connected devices and more.