Data Privacy Day – or Data Protection Day if you’re in Europe – is upon us once again. Even Google has gotten involved, reminding everyone of the tools at their disposal to control their privacy settings. Despite some backlash on Twitter from folks annoyed with Google for not using the European-recognised “Data Protection Day”, the IT Security Guru for one says let’s not call the whole thing off. If chocolate cake can get its own day (yes, it’s true, and you missed it), then why not data privacy and protection? Data is serious business.
Jonathan Sander, VP of Product Strategy for Lieberman Software, gets it and thinks people need to get wise to the realities of what data protection really means. He said, “If you ask the average person on the street about data privacy, they’re more likely to mention Facebook settings than legal protections. Most people are just worried about websites sending them SPAM, and they will consider their privacy well protected if they’re not getting SPAM from an organisation to which they gave their data. The idea that there’s a whole market for their private data and the idea that the privacy policy they hastily clicked to agree to lets their data be sold on the open market never occurs to them.”
But he also adds that citizens can hardly be blamed for being confused when the government has yet to form a “rational whole” when it comes to laws concerning data privacy. “Right now, the case of the US Department of Justice (DOJ) versus Microsoft about a subpoena for emails in the cloud is still working its way through the system. The case calls into question all the basics of the privacy question. Who owns an email, the author or the cloud service provider? Can a cloud service provider be compelled to give away a citizen’s data? If the elasticity of the cloud means a document finds itself stored off US soil, does the DOJ have the right to get it without dealing with the other governments involved?
“Privacy, in the end, is a legal matter. Both the high courts and the legislature have yet to have their full say on privacy. Can we blame the average person if they also have more questions than answers when they attend their local Privacy Day event?”
And when it comes to data, which is after all at the heart of the matter, the amount is growing at an enormous rate, especially in organisations, which have a duty to customers and employees to store that data responsibly and protect it from fraud. David Gibson, VP of strategy and market development at enterprise data security specialist Varonis, said that most organisations today are data driven, whether they realise it or not, and that this opens them to risk.
“Detecting and preventing fraud and abuse is a Big Data challenge because of the scale of the problem—thousands of users accessing millions of files constantly means that the kinds of processing needed to detect insider attacks requires new approaches to management and monitoring.
“Fraud and abuse detection starts with monitoring. You can’t manage what you don’t monitor, and it’s impossible to detect the abuse of an asset unless you’re monitoring how it’s being used.”
Gibson goes on to argue that if organisations aren’t monitoring their data in a meaningful way, then it makes it extremely difficult to detect fraud. “The proof that traditional methods don’t work is in the increasing frequency and magnitude of data breaches related to unstructured data. Not only is there more data to worry about, but it’s containing more sensitive and valuable information and it’s getting easier for attackers to exfiltrate that data since it’s typically not monitored. If what you’re trying to steal isn’t being watched, you have a much better chance of getting away.”
He said that the answer lies in User Behavior Analytics, but only if it has the right components as part of the analysis, such as access activity, content and accessibility. “You can’t analyse behavior if you’re not monitoring actual access. Companies that prioritise actual data access monitoring are getting a leg up on UBA and insider threat detection on unstructured data. The better the monitoring, the better the analytics, and the more effective the solution is likely to be.”
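Gibson’s point that the analytics can only be as good as the access monitoring underneath it can be made concrete. The following is an added example, not Varonis code and not from the original article: it takes constructed file-access log lines, builds each user’s own baseline from earlier days, and flags a user whose latest day departs from that baseline on three signals: access volume, first-time access to a sensitive folder, and off-hours activity. The log format, the sensitive-path prefixes, the business-hours window and the thresholds are all assumptions chosen for illustration.

```python
# Added example, not Varonis code. Log format, sensitive folders,
# business hours and thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import date, datetime
import statistics

SENSITIVE_PREFIXES = ("/share/finance/", "/share/hr/")   # assumed sensitive folders
BUSINESS_HOURS = range(7, 20)                            # 07:00-19:59 counts as normal

# Constructed sample log, one event per line: "<ISO time> <user> <action> <path>".
SAMPLE_LOG = """\
2016-01-25T09:01:00 alice READ /share/finance/q4_forecast.xlsx
2016-01-25T09:03:00 alice READ /share/finance/budget.xlsx
2016-01-25T09:10:00 bob READ /share/eng/design.md
2016-01-25T09:12:00 bob WRITE /share/eng/design.md
2016-01-26T09:05:00 alice READ /share/finance/budget.xlsx
2016-01-26T09:06:00 alice WRITE /share/finance/budget.xlsx
2016-01-26T09:30:00 bob READ /share/eng/roadmap.md
2016-01-26T10:30:00 bob READ /share/eng/design.md
2016-01-27T09:00:00 alice READ /share/finance/q4_forecast.xlsx
2016-01-27T09:08:00 bob READ /share/eng/design.md
2016-01-27T09:09:00 bob READ /share/eng/roadmap.md
2016-01-28T09:02:00 alice READ /share/finance/budget.xlsx
2016-01-28T09:04:00 alice READ /share/finance/q4_forecast.xlsx
2016-01-28T02:10:00 bob READ /share/finance/payroll.xlsx
2016-01-28T02:11:00 bob READ /share/finance/q4_forecast.xlsx
2016-01-28T02:12:00 bob READ /share/finance/budget.xlsx
2016-01-28T02:13:00 bob READ /share/hr/salaries.csv
2016-01-28T02:14:00 bob READ /share/hr/reviews.csv
"""


def parse(log_text):
    """Yield (timestamp, user, action, path) for each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, action, path = line.split(maxsplit=3)
            yield datetime.fromisoformat(ts), user, action, path


def sensitive_prefix(path):
    """Return the sensitive folder a path falls under, or None."""
    return next((p for p in SENSITIVE_PREFIXES if path.startswith(p)), None)


def _empty_day():
    return {"count": 0, "sensitive": set(), "off_hours": 0}


def build_profiles(events):
    """Per user and per day: access count, sensitive folders touched, off-hours count."""
    profiles = defaultdict(lambda: defaultdict(_empty_day))
    for ts, user, _action, path in events:
        day = profiles[user][ts.date()]
        day["count"] += 1
        folder = sensitive_prefix(path)
        if folder:
            day["sensitive"].add(folder)
        if ts.hour not in BUSINESS_HOURS:
            day["off_hours"] += 1
    return profiles


def detect(log_text, eval_day, spike_sigma=3.0):
    """Compare each user's activity on eval_day (ISO date string) with that
    user's own earlier days; return {user: [alert, ...]} for users that deviate."""
    target = date.fromisoformat(eval_day)
    profiles = build_profiles(parse(log_text))
    findings = {}
    for user, days in profiles.items():
        today = days.get(target)
        history = [d for day, d in days.items() if day < target]
        if today is None or not history:
            continue  # nothing to compare, or no baseline for this user yet
        counts = [d["count"] for d in history]
        mean, sd = statistics.mean(counts), statistics.pstdev(counts)
        alerts = []
        # Volume: beyond mean + k*sd, with a 2x floor so a perfectly flat
        # baseline (sd == 0) does not fire on a single extra access.
        if today["count"] > mean + spike_sigma * sd and today["count"] >= 2 * mean:
            alerts.append(f"volume spike: {today['count']} accesses vs baseline mean {mean:.1f}")
        seen = set().union(*(d["sensitive"] for d in history))
        first_time = today["sensitive"] - seen
        if first_time:
            alerts.append("first-time sensitive access: " + ", ".join(sorted(first_time)))
        if today["off_hours"] and not any(d["off_hours"] for d in history):
            alerts.append(f"{today['off_hours']} off-hours accesses, none in baseline")
        if alerts:
            findings[user] = alerts
    return findings


if __name__ == "__main__":
    for user, alerts in detect(SAMPLE_LOG, "2016-01-28").items():
        print(user)
        for alert in alerts:
            print("  -", alert)
```

Run against the constructed log for 2016-01-28, alice is quiet and bob is flagged on all three signals. The comparison is against each user’s own history rather than a global threshold, which is the part a real UBA product spends its effort on; here the baseline is only three days, so the volume rule carries a floor to stop a flat baseline from firing on a single extra access.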
If it’s still not clear why data and data protection need more consideration than one day a year, then maybe the fact that new privacy regulation targeted at businesses takes effect this year will be more convincing. The European General Data Protection Regulation (GDPR) allows fines of up to four percent of annual global turnover (or €20 million, whichever is higher) for companies that fail to safeguard the data of EU citizens and residents.
“Data privacy day is a great opportunity for organisations to re-evaluate their privacy programmes,” said Tim Erlin, director of IT risk and security strategy for Tripwire. “Privacy is often treated as part of larger security initiatives. While this approach addresses some key privacy issues, others may not get the attention they deserve.”
To conclude, Erlin presents the top five data privacy mistakes businesses make:
- Failure to keep only essential consumer data: Many organizations keep a lot of customer data in case they need it “someday.” While this approach may seem prudent, this data can easily become a major target for cyber attackers and, because it isn’t business critical, it may not receive the same protections as other, more sensitive data.
- Failure to encrypt customer data: While there are some regulatory requirements for encrypting customer data, companies need to establish internal processes to keep data encrypted. Leaving customer data unencrypted makes it much easier for attackers to grab.
- Failure to secure access paths: Encrypting customer data is important, but it must be decrypted for use in an application at some point. Attackers will aim to compromise the applications that use customer data in order to get to that data. “Don’t worry, the data is encrypted,” is a dangerous mind set.
- Failure to patch known vulnerabilities: Security experts may be more interested in the technical analysis of the latest malware, but successful attacks are more likely to exploit the three year old web server vulnerability that gets them access to high value data. Patching systems isn’t glamorous but it’s essential to protecting data.
- Failure to monitor and control simple misconfigurations: More than one of the breaches that have been in the headlines recently has been the result of a misconfigured database or server. If you’re not monitoring server configurations for change, you have a blind spot in your security that attackers can leverage.
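Erlin’s last item is the easiest of the five to put into practice. What follows is an added example, not Tripwire’s code or the article’s: it records a known-good baseline of an INI-style server configuration, re-reads the file later, reports every setting that drifted, and separately flags the changes that weaken security. The config format, the section and key names, and the list of dangerous values are all assumptions made for illustration.

```python
# Added example, not Tripwire code. The INI layout, the key names and the
# table of dangerous values are assumptions for illustration.
import configparser
import hashlib

# Constructed baseline captured when the server was known to be correctly configured.
BASELINE_CONF = """\
[network]
bind_address = 127.0.0.1
port = 27017

[auth]
require_auth = true

[tls]
enabled = true
"""

# Constructed later reading of the same file after someone "temporarily" opened it up.
CURRENT_CONF = """\
[network]
bind_address = 0.0.0.0
port = 27017

[auth]
require_auth = false

[tls]
enabled = true
verify_client = false
"""

FALSY = ("false", "no", "0", "off")

# Assumed: (section, key) -> predicate that is true when the new value is dangerous.
RISKY_VALUES = {
    ("network", "bind_address"): lambda v: v in ("0.0.0.0", "::"),
    ("auth", "require_auth"): lambda v: v.lower() in FALSY,
    ("tls", "enabled"): lambda v: v.lower() in FALSY,
}


def fingerprint(text):
    """Cheap first check: identical hash means nothing to diff."""
    return hashlib.sha256(text.encode()).hexdigest()


def flatten(text):
    """Parse INI text into {(section, key): value} (configparser lowercases keys)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() for k, v in cp[s].items()}


def diff_settings(baseline_text, current_text):
    """Return sorted (section, key, old, new) tuples; old/new is None for added/removed keys."""
    old, new = flatten(baseline_text), flatten(current_text)
    return [
        (section, key, old.get((section, key)), new.get((section, key)))
        for section, key in sorted(old.keys() | new.keys())
        if old.get((section, key)) != new.get((section, key))
    ]


def is_risky(section, key, value):
    """True when a known-dangerous value landed on a setting we have a rule for."""
    check = RISKY_VALUES.get((section, key))
    return bool(check and value is not None and check(value))


def audit(baseline_text, current_text):
    """Compare a fresh reading of the config against the recorded baseline."""
    if fingerprint(baseline_text) == fingerprint(current_text):
        return {"drifted": False, "changes": [], "risky": []}
    changes = diff_settings(baseline_text, current_text)
    risky = [c for c in changes if is_risky(c[0], c[1], c[3])]
    return {"drifted": True, "changes": changes, "risky": risky}


if __name__ == "__main__":
    report = audit(BASELINE_CONF, CURRENT_CONF)
    print("drifted:", report["drifted"])
    for section, key, old, new in report["changes"]:
        tag = "RISKY" if (section, key, old, new) in report["risky"] else "changed"
        print(f"  [{tag}] {section}.{key}: {old!r} -> {new!r}")
```

A hash comparison alone says only that something changed; the settings diff says what, and it also surfaces additions such as the `verify_client` key that no rule anticipated, which is why the full change list is reported and not only the risky subset. In practice the baseline is stored somewhere the server’s own administrators cannot quietly rewrite, and the check runs on a schedule rather than once.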
Whether it’s your own personal data you’re considering this year, or the security of the organisations you work for, IT Security Guru strongly urges everyone to take a closer look at data protection practices and start making changes for the better today.