The Critic’s View: Data Privacy Day / Data Protection Day

Our round-up of the expert views concerning keeping your data safe online

With high-profile cyber-attacks seemingly occurring every week, it’s no secret that people need to start taking better care of their data. With this in mind, this week saw both International Data Privacy Day and Data Protection Day, two initiatives aimed at raising awareness of staying safe online.

But what do our industry experts make of the occasion, and what advice do they offer to the public? TechWeekEurope asked the questions, and here are some of the answers…

Kurt Mueffelmann, President and CEO of Cryptzone

“This year’s Data Protection/Privacy Day is more important than ever. According to a report by the Identity Theft Resource Center, 2014 saw a 24.8 percent increase in reported breaches compared with the previous twelve months. It’s not for a lack of legislation either. While perhaps not perfect, there are strict laws in place to protect data. So what’s going wrong?

“While penalties for failing to comply with legislation are an incentive, in itself compliance is not the silver bullet – PCI DSS is testament to that. Today’s information security landscape is plagued with vulnerabilities that leave companies, and all too often the personal information of individuals, exposed to the potential of a breach.

“Instead, what’s needed is a fresh approach to network and application security that helps to remove some of the gaps, both internal and external, that lead to data leaking out.

“My advice to data protection knowledge seekers is that our 2015 security practices need to take a different approach, as the old ones do not appear to be working. Giving users access to everything is no longer a viable option with malware attacks and other vulnerabilities allowing hackers to gain entry unnoticed. Companies need to layer their defenses to ensure that they limit what users can see once within the walls of the trusted network, based on who they are and other important variables, and then control what they can do with sensitive information.

“This will not only help prevent outside attacks but also mitigate risks created by the more unassuming threat, users themselves.”

Antoine Rizk, VP Go-To-Market Program at Axway 

“A reactive approach to security breaches just won’t cut the mustard anymore. In an increasingly connected world, with the Internet of Things moving from buzzword to reality, businesses need to proactively monitor their data flows to prevent costly data breaches. However, many large organisations still wait for something to go wrong before addressing the flaws in their security strategies; a move that backfired in some of the most infamous security breaches of 2014.

“This year, connected devices will not only work their way into our daily lives but also our enterprises. BYOD will quickly evolve into BYOIoT, with employees bringing wearable devices into the workplace. For such increased enterprise mobility to open windows of opportunities for businesses, without paving the way for hackers to access private data, security must evolve at the same rate as the devices themselves. Organisations also need to know what data employees are bringing into and taking out of the office to ensure that malicious attacks and conspicuous activity are blocked.”

Pretty much everyone knows that passwords aren't supposed to be shared. Passwords exist to protect your information and your employer's information from being seen by people who shouldn't see it and who could cause serious damage if they do access it. This is why you have a strong password on your banking information (you DO have a strong password on your bank account, don't you?). So how is it that Edward Snowden managed to get the passwords that gave him access to thousands of secret documents?

According to a story from Reuters, Snowden did it in the easiest way possible: he asked for it. But of course there's more to it than that. What Snowden did was tell a couple dozen of his coworkers that he needed their passwords because he was a system administrator. Those coworkers, knowing that Snowden was fully cleared, figured it was safe and gave him the passwords. Snowden used that trust to raid the NSA files for everything he could find.

Leaving aside the propriety of what Snowden did, the fact that he was able to get the information he did with other people's login information speaks volumes. Perhaps more importantly, it speaks those volumes directly to you and your employer. Snowden exploited a weakness that exists at nearly every company or organization and which can be overcome only by having the right security policies and the right training. That weakness is trusting the wrong people at the wrong time.

The obvious question is how this applies to you and your organization. After all, the chances are pretty good that you're not sitting on a pile of state secrets. But the chances are that your company has plenty of information that has value to your competitors, to criminals, or to people who want to use that information for other dubious purposes. Do you really want the outside world to see your customer list? Your financial statements? Your supply chain or manufacturing details? Probably not. Unfortunately, if you lose control of your organization's passwords, you're doing just that. But you can limit the problem by implementing some basic practices and making sure your staff is trained, and then retrained frequently. Here are some things you can do:

1. Require passwords that are hard to guess, but don't go overboard. If you require passwords that are too complex, nobody will remember them. You know what happens next—yellow sticky notes on their monitors. That doesn't really help security.

2. Control what happens if a password is shared. It's easy to say that your staff should never under any circumstances share a password. But that's not how things work in the real world. Sometimes a system administrator really does have a reason to request a user's log-in credentials.

3. When that happens, what should the user do? That depends, but at the least they should know that they should then immediately change the password. You might also want to require that any password-sharing request be reported on a routine, easy-to-fill-out form that will disclose the action to whomever you designate to handle this, such as your IT manager.

4. Make password changes easy to accomplish, and automate the reporting process so that every such change is logged.

5. Don't depend on complex control software as a primary means of user verification. It might be useful, but nothing works as well as good practices properly followed.

6. Require two-factor authentication for access to information that's really important. Many companies use a smartcard that doubles as an access card and organizational ID card. This reduces the problem of stolen log-in credentials. More complex methods of access control certainly exist and should be used in extraordinary situations, but they are not always appropriate.

It's important to remember that maintaining access security requires the willing cooperation of your staff. This means that you have to tell them what needs to be protected, the means they should follow to protect that information, and what they should do if they suspect that protection has been compromised, even by someone who claims a plausible reason to do so.

Here's one way such a procedure might work. One of your workers with access to something sensitive, such as human resource data, requests help with a problem logging in to the network. Somebody from the help desk asks for the log-in credentials to see what the problem is and to try to fix it. The person being helped provides the information and then immediately sends an email to a designated manager saying something like this: "I provided my log-in info to Sam Smith from the help desk to fix a log-in problem. My extension is 123." Once the log-in problem is solved, the employee should immediately change their password. That change will be recorded by your network management system, where it can be verified by a manager or security staffer.

Will that eliminate all data loss? Of course not, but it will eliminate some of it. It requires little in the way of resources and it allows management follow-up, since problems—including an administrator who seems to be asking for a lot of passwords—will show up quickly. While you can throw automation at such a problem, at some point the most basic answer is training and management. It's hard to be more effective than that unless you already have training and management practices in place to enforce password discipline.

Phil Zimmermann, co-founder, Silent Circle and Blackphone
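The follow-up the procedure above relies on (a shared password that is never rotated, or one requester who turns up on far more disclosure forms than anyone else) can be automated over the two records the procedure produces: the disclosure form and the password-change log. The Python below is an added example, not code from the article or from any of the quoted companies; the pipe-delimited disclosure records, the audit-log line format, the user names and the two-hour rotation window are all constructed assumptions.

```python
"""Audit follow-up for password-sharing disclosures.

Added example, not code from the article.  Correlates the disclosure form
("I gave my log-in info to X") with the directory's password-change log to
flag (a) shares that were never followed by a password change and (b)
requesters who appear on an unusual number of disclosures.  Record formats,
names and thresholds below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

TIME_FMT = "%Y-%m-%d %H:%M"

# Constructed disclosure-form submissions: when | who shared | with whom | stated reason.
DISCLOSURES = """\
2015-01-26 09:05|alice|sam.smith|help desk: login problem
2015-01-26 10:40|bob|sam.smith|help desk: VPN client
2015-01-26 11:15|carol|j.doe|sysadmin request
2015-01-26 13:02|dave|j.doe|sysadmin request
2015-01-26 14:30|erin|j.doe|sysadmin request
2015-01-27 08:10|frank|j.doe|sysadmin request
"""

# Constructed password-change events in an assumed audit-log line format.
CHANGE_LOG = """\
2015-01-26 09:40 PASSWORD_CHANGED user=alice
2015-01-26 10:55 PASSWORD_CHANGED user=bob
2015-01-26 11:50 PASSWORD_CHANGED user=carol
2015-01-26 17:45 PASSWORD_CHANGED user=erin
2015-01-27 08:30 PASSWORD_CHANGED user=frank
"""


@dataclass(frozen=True)
class Disclosure:
    when: datetime
    user: str       # account whose password was shared
    requester: str  # person who asked for it
    reason: str


def parse_disclosures(text: str) -> List[Disclosure]:
    """Parse the constructed pipe-delimited disclosure records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, requester, reason = line.split("|", 3)
        records.append(Disclosure(datetime.strptime(when, TIME_FMT), user, requester, reason))
    return records


def parse_change_log(text: str) -> Dict[str, List[datetime]]:
    """Map each user to the timestamps of their PASSWORD_CHANGED events."""
    changes: Dict[str, List[datetime]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "PASSWORD_CHANGED":
            continue
        when = datetime.strptime(f"{parts[0]} {parts[1]}", TIME_FMT)
        user = parts[3].split("=", 1)[1]
        changes.setdefault(user, []).append(when)
    return changes


def unrotated_shares(disclosures: List[Disclosure],
                     changes: Dict[str, List[datetime]],
                     max_delay: timedelta = timedelta(hours=2)) -> List[Disclosure]:
    """Disclosures not followed by a password change for that user within max_delay."""
    flagged = []
    for d in disclosures:
        deadline = d.when + max_delay
        rotated = any(d.when <= t <= deadline for t in changes.get(d.user, []))
        if not rotated:
            flagged.append(d)
    return flagged


def frequent_requesters(disclosures: List[Disclosure], threshold: int = 3) -> Dict[str, int]:
    """Requesters named on at least `threshold` disclosure forms, with their counts."""
    counts = Counter(d.requester for d in disclosures)
    return {r: n for r, n in counts.items() if n >= threshold}


def review(disclosure_text: str = DISCLOSURES, change_text: str = CHANGE_LOG) -> List[str]:
    """Produce the lines a manager would see in the daily follow-up report."""
    disclosures = parse_disclosures(disclosure_text)
    changes = parse_change_log(change_text)
    lines = []
    for d in unrotated_shares(disclosures, changes):
        lines.append(f"NOT ROTATED: {d.user} shared with {d.requester} "
                     f"at {d.when:%Y-%m-%d %H:%M} ({d.reason})")
    for requester, n in frequent_requesters(disclosures).items():
        lines.append(f"FREQUENT REQUESTER: {requester} named on {n} disclosures")
    return lines


if __name__ == "__main__":
    print("\n".join(review()))
```

The rotation window and the requester threshold are the two policy knobs: set the first to how quickly staff can realistically change a password after a help-desk call, and the second to how many legitimate requests one administrator handles in a normal day, so that the report surfaces outliers rather than noise. Against the constructed data it flags dave (no change at all) and erin (changed, but hours later), and names j.doe for appearing on four of the six forms.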

“Protecting the privacy of individuals is why I started PGP, and why Mike and I started Silent Circle.  But at Silent Circle we’ve come to realize that protecting individuals at work may be the strongest form of corporate security possible.  That’s what we’re working on, and we hope that you’ll join us.”

“…when I see what happened to Sony recently — the data stored on their servers leaked to the world — my mind goes to that difference between privacy and security.  I’m sure Sony had firewalls and VPNs, intrusion detection and antivirus, policies and procedures — all the usual artifacts of corporate information security.  Those things securely delivered a mountain of information to Sony’s servers, where it was lost all at once.

“When it was lost, the privacy of Sony’s partners and employees went with it.  That’s what corporate privacy is — the privacy of the people in and around the corporation. If we focus on their privacy rather than the corporation’s security maybe we can make better choices.  Many kinds of information don’t need to be stored for long, or at all.  If only participants keep a copy of their correspondence the company can’t lose it.  Imagine how much worse the damage of a security breach would be if companies routinely kept years of recordings of all employees’ phone calls.”

Mark Noctor, director of sales EMEA, Arxan Technologies

“As today marks Data Protection Day and organisations are ensuring the correct security measures are in place, it is important to highlight the increased risks on mobile platforms in the banking and payments sector. We predict that the security risks in the financial sector will be a key threat area for 2015 and with this in mind, it is vital that mobile application security takes priority as banks, payment providers and customers seek to do more on mobile devices.

“Data Protection Day is more important than ever, with the app economy in the financial sector rapidly expanding and everything from payment transactions to brokering now occurring on the mobile platform. With mobile banking becoming a main fixture in the financial sector, it is important for application security to be a top priority so that data privacy protections are continuously upheld.”

Chris Babel CEO, TRUSTe

“With the highest number of data breaches on record in 2014, it is hardly surprising that the privacy and security of online data is a big issue in Britain and a growing concern. But with frequent terrorist threats reported on the news it is surprising that so many people consider their personal privacy more important than countering that threat.

“Governments tread a fine line between balancing national security and consumer privacy rights; for businesses the stakes are high too. In an increasingly interconnected world, lack of trust can limit growth and strangle innovation as companies are deprived of the data they need to drive sales.

“These findings show the scale of the impact, as 4 out of 5 British consumers who are concerned about their privacy have modified their online behaviour in the last year, meaning less data, fewer clicks and lost sales. The message is simple: don’t wait for legislation or the next data breach – act now to get your privacy house in order and rebuild trust with your customers.”

Richard Anstey, CTO EMEA, Intralinks

“Many people bring bad security habits from home into business. So educating consumers isn’t just about protecting them, but protecting our economy.

“Telling people to use strong passwords may even be counter-intuitive as it creates a false sense of security which people bring to work. When dealing with very sensitive information, such as IP, people need to know about very secure measures, such as information rights management. Security is about knowing what the danger is and how to deploy the appropriate level of protection.

“If we want a truly data-secure society we need to start by ensuring people know what value their data has, then they can make informed decisions about how to secure it.”
