Sapsiwai - Fotolia

Business urged to take action on data privacy

Security professionals use Data Protection Day to encourage businesses to do more to protect personal data

Global businesses are re-evaluating their data privacy programmes this year as new privacy regulations targeted at businesses start to gather.

The European General Data Protection Regulation (GDPR), which is expected to come into force in 2018, provides for fines of up to 4% of annual global revenue or €20m, whichever is greater, for failure to safeguard data of EU citizens and residents. 

In the US, 16 states recently introduced data privacy legislation supported by the American Civil Liberties Union (ACLU) and designed to enable citizens to take control of their personal privacy in the digital age.

However, despite the introduction of this legislation, many enterprises are still not doing enough to protect consumer data, according to security and privacy industry experts.

Businesses are being urged to take action on data privacy to mark European Data Protection Day, known as Data Privacy Day outside of Europe.

“Data privacy day is a great opportunity for organisations to re-evaluate their privacy programme,” said Tim Erlin, director of IT risk and security strategy for security firm Tripwire. “Privacy is often treated as part of larger security initiatives. While this approach addresses some key privacy issues, others may not get the attention they deserve.” 

According to Erlin, the top five data privacy mistakes businesses make are:

  • Failure to keep only essential consumer data
  • Failure to encrypt customer data
  • Failure to secure access to data at all times
  • Failure to patch known vulnerabilities
  • Failure to monitor and control simple misconfigurations

Many organisations keep a lot of customer data in case they need it, he said, but it can easily become a major target for cyber attackers, and may not receive the same level of protection as business-critical data.

Erlin said companies need to establish internal processes to keep data encrypted. “Leaving customer data unencrypted makes it much easier for attackers to grab.”

And while encrypting customer data is important, it must be decrypted for use in an application at some point, with attackers trying to compromise those applications so they can get to that data, Erlin warned.

Successful attacks are more likely to exploit vulnerabilities that are several years old if that gets them access to high-value data, he said. “Patching systems isn’t glamorous but it’s essential to protecting data.”

More than one of the security breaches that have been in the headlines recently has been the result of a misconfigured database or server, said Erlin. “If you’re not monitoring server configurations for change, you have a blind spot in your security that attackers can exploit.”

Reputational damage

And it is not only the new privacy legislation in Europe and the US that is a factor. Lawrence Munro, European director at security firm Trustwave for Europe and Asia-Pacific, said the mounting number of breaches involving consumers’ financial and private data means that people are increasingly aware that their information is at risk, and much less willing to forgive businesses that betray their trust.

The Information Commissioner’s Office (ICO) has also highlighted the potentially devastating effect of reputational damage as a result of a personal data breach.

Munro said security professionals see “Password1” as the most common password year after year. “Such abysmal security presents an open door to hackers. Likewise, phishing scams over email and phone continue to trick droves of workers,” he said.

According to Munro, security in many organisations continues to be seen as a “box to be ticked” as cheaply as possible rather than an essential operation necessary for survival.

“Practices such as regular intensive network testing using real experts rather than occasional automated scans are crucial if businesses are to avoid the reputational and financial fallout of a breach this year,” he said.

No place to hide

Jason Hart, CTO data protection at Gemalto, said that when the GDPR is enforced, companies will no longer be able to hide breaches, which could have fatal effects on a business.

“Businesses must act now to ensure they have the correct security processes in place before the regulation takes effect. Being a better steward of customer data is not just good PR, it makes good business sense too,” he said.

Richard Anstey, European CTO at Intralinks said that while cyber attacks are becoming more common, human error is still a huge problem and causes a significant number of data leaks.

“Many employees bring bad cyber-security practice from home into the workplace, and businesses don’t realise the implications that can have on an organisation. Educating the workforce is as critical as implementing technology solutions to manage data flows, especially when handling very sensitive information, such as intellectual property,” he said.

Anstey said that businesses need to know the value of their data, where it flows across the world, where it is encrypted and how it is being used by its employees. “Only then can organisations make informed decisions about how to manage and secure data appropriately. For this reason, you’ll see more chief privacy officers on executive teams in the coming years.”

Conflicted over data

Raj Samani, CTO for Intel Security in Europe, said: “As a society, we continue to be in a state of conflict when it comes to data. On the one hand, we’re often outraged over regular news around data breaches, while on the other hand we think nothing about trading our identities for a chocolate bar or less, often volunteering intimate data such as medical or financial information.

“In 2016 we’re only going to further see the exploitation of people’s data and the expansion of what we call the data economy, especially as the internet of things becomes part of our day-to-day lives, with smart homes fast becoming a reality.

“Data Privacy Day serves as a reminder for us as a society to wake up to the fact that what an organisation knows about us is among its most valuable and marketable assets. It’s time we stop declaring ourselves ‘data bankrupt’ – which is what we’re doing when we assign zero value to our information, buying patterns and preferences.

“When we think about our data and where it’s going, who is using it and what we’re giving it away for, we need to be even more cautious and hard-nosed about entering into data transactions by driving harder bargains and asking ourselves smart questions such as who our data will be shared with and how it’s going to be protected,” he said.

Read more about data protection

  • The EU’s data protection rules will impact every entity that holds or uses European personal data both inside and outside of Europe.
  • Alzheimer’s charity is warned to comply fully with all data protection recommendations in six months or face prosecution.
  • More than two-thirds of global companies expect EU data protection laws to dramatically increase costs of doing business in Europe.

Cloud security firm Skyhigh Networks marked Data Protection Day by highlighting the risks posed to privacy by the UK’s proposed Investigatory Powers Bill.

While the UK is observing Data Protection Day, the draft legislation shows that the government is “failing to put privacy rhetoric into practice”, said Nigel Hawthorn, European marketing director at Skyhigh Networks.

“When you compare our recent encryption policies with the likes of the Netherlands, which recently said no to encryption back doors, it’s clear which country is walking the walk as well as talking the talk,” he said.

He called 28 January an “iconic” date because it marks the anniversary of the Council of Europe’s Convention 108 for the protection of individuals when personal data is automatically processed.

Hawthorn said: “For 35 years the treaty has been considered the cornerstone of data protection. Yet, with a draft surveillance bill that doesn’t specifically state that companies won’t have to weaken their encryption for the authorities, consumers arguably have even less say today about how their data is being used.

Read more on Privacy and data protection