Ensuring Positive Security
This past week (2nd-9th May) has been Privacy Awareness Week, an annual initiative that brings together public sector leaders and businesses around the world to highlight the importance of protecting personal information and navigating the privacy landscape.
It’s an important reminder that amid ongoing global uncertainty, organisations are continuing to grapple with securing company data as they rely on hybrid work capabilities. In this context, this week provides an opportunity to raise awareness of best practices for organisations and employees to follow.
But what does the tech industry think? Five experts working across data analytics, cybersecurity, network communications, and talent development, discuss the challenges and opportunities presented by the demand for data privacy in 2022.
The privacy landscape has intensified
“Real-time data is one of the most valuable resources for modern businesses; it enables organisations to make the right decisions in the business moment,” according to Adam Mayer, Director, Qlik, and this has certainly never been more true. However, as use of business data continues to grow, so the threat from cyber criminals is also on the rise.
Indeed, according to Jonathan Smee, Cybersecurity Technical Coach at Grayce, “We’ve entered an era where the threat of cyber attacks has never been greater. It is becoming increasingly paramount for companies to assess their cybersecurity measures continually. And as a Technical Coach for Grayce, I have seen first-hand how cyber threats are ever-changing and becoming more advanced. Despite this ongoing threat, many businesses underestimate how much investment is needed to protect their core infrastructure, assets and Intellectual Property.”
Technology that addresses the privacy age
The solutions to the growing threat landscape are not obvious either. Simon Mullis, Chief Technology Officer at Venari Security says, “When it comes to increasing awareness around data, protecting privacy should be at the forefront and there is no single solution. End-to-end encryption is often touted as a silver bullet in reducing the consumer risk of enterprise data breaches, with 62% of the top 1000 global websites now supporting the latest version of TLS 1.3. But cybercriminals are now also reaping the benefits of the total encryption of network traffic to conceal malware communications and exfiltrate data undetected.”
And as Paulo Henriques, Head of Cyber Security Operations at Exponential-e, points out, “The average person has approximately 100 different passwords according to NordPass research, begging the question: how can one individual remember that many passwords?
Quite simply, we can’t. Hence, many of us are guilty of using the same combination of numbers, letters and characters over and over again, even though the risks from doing so are high. Where passwords are involved, multi-factor authentication (MFA) simply has to follow. The additional security information it requires users to present above passwords, including “something you know”, “something you have”, and “somewhere you are” – i.e. biometric information – makes it far more difficult for attackers to profit from credential abuse.”
David Higgins, Senior Director, Field Technology Office at CyberArk, argues, “It’s not just humans that are susceptible to clicking on the wrong link or too cavalier about what they share about themselves; when thinking about data privacy, bots must also be taken into consideration.
“Software bots – little pieces of code that do repetitive tasks – exist in huge numbers in organisations around the world. The idea behind them is to free up staff to work on business-critical, cognitive and creative work, and improve efficiency, accuracy, agility and scalability. If you think about repeatable tasks like bank transfers, scraping web data and moving customer data files, there’s a chance bots are involved.
“They are a major component of digital business. But these bots need info – and access – so they can do what they do. In fact, sixty-eight percent of non-humans or bots have access to sensitive data and assets according to our recent research. And given machine identities now outweigh human identities by a factor of 45x on average, that brings privacy concerns.”
Qlik’s Adam Mayer suggests that, “Privacy Awareness Week is also a timely reminder to take a look beyond the usual access controls and think about how analytics could be used to support compliance. Analytics programmes can help IT teams visualise who has access to what information and if that remains relevant to their role. For instance, this could be through bringing together disparate data sets on user access controls and HR lists of leavers, starters and changers to ensure that there are no anomalies where people retain access to information that is no longer appropriate to their role.”
Continuous learning to foster privacy champions
“Overcoming the compliance and security risk posed by end-to-end encryption is essential to maintaining data privacy. Current approaches that rely on decryption then detection simply cannot scale to the volume of encrypted traffic on our networks and often consequently lead to missing malicious activity. Instead, security teams need to adopt a “measure and mitigate” approach,” says Simon Mullis at Venari Security.
Additionally, David Higgins at CyberArk says, “Human error will always persist. Awareness training remains a must, but not simply at the level of identifying phishing attempts. It has to genuinely alter behaviours and embed access controls into every aspect of employees’ workflows, to complement MFA and reduce the scope for credential-based attacks.”
And according to Jonathan Smee at Grayce, ultimately, “If organisations want to close the gaps in their security systems, business leaders must be more proactive in mitigating potential threats. Organisations should look to provide continuous learning opportunities and adequate training to keep their employees up to date with the latest cyber threat trends. At Grayce, we kick-started a community-led initiative, the Digital Community of Practice (DCP), as a way to ensure cyber security remains at the forefront of our employees’ minds. DCP educational, founded to raise awareness of trending digital topics.”
Bio: Five tech experts working across data analytics, cybersecurity, network communications, and talent development, discuss the challenges and opportunities presented by the demand for data privacy in 2022. With contributions from: Adam Mayer, Director, Qlik; Jonathan Smee, Cybersecurity Technical Coach at Grayce; Simon Mullis, Chief Technology Officer at Venari Security; Paulo Henriques, Head of Cyber Security Operations at Exponential-e; and David Higgins, Senior Director, Field Technology Office at CyberArk.