Data Privacy Week 2024, Jan. 21-27, is an annual international effort to raise awareness about the importance of respecting privacy, safeguarding data, and educating individuals and businesses on data protection challenges.
A second group of thought leaders from across the cybersecurity and tech space provide even more information on the importance of this week, as well as insights into how organizations can best safeguard their private data.
Nick Edwards, VP of Product Management, Menlo Security
“The explosion of Generative AI use following the launch of ChatGPT in November 2022 has opened a world of new risks and data privacy concerns. Companies must be aware of how these tools can potentially compromise or expose sensitive data. By nature, they pose a significant security risk, especially when employees inadvertently input corporate data into the platforms. When data is entered within these models, that data is used to further train the model to be more accurate. In May 2023, a group of Samsung engineers input proprietary source code into ChatGPT to see if the code for a new capability could be made more efficient. Because of the model’s self-training ability, the Samsung source code could now be used to formulate a response request from other users outside of Samsung. In response, Samsung banned ChatGPT. Our own team of researchers at Menlo Security found more than 10,000 incidents of file uploads into generative AI platforms including ChatGPT, Microsoft Bing, and Google Bard, and 3,400 instances of blocked “copy and paste” attempts by employees due to company policies around the circulation of sensitive information.
“To prevent data leakage similar to the one described previously, employees should be trained in how to use these platforms securely. Organizations need to prioritize data security tools that prevent information from being shared with Generative AI platforms in the first place. While data loss protection (DLP) tools are useful, organizations need a layered approach that could include, for example, limiting what can be pasted into input fields, restricting character counts or blocking known code.
“Another data privacy concern was uncovered last week, when OpenAI launched the GPT store, which allows OpenAI subscribers to create their own custom versions of ChatGPT. As exciting as this is for developers and the general public, this introduces new third-party risk since these distinct “GPTs” don’t have the same levels of security and data privacy that ChatGPT does. As generative AI capabilities expand into third-party territory, users are facing muddy waters on where their data is going. Securing access to generative AI tools is just one of the topics covered in Menlo’s State of Browser Security Report, launched this week, which talks to the wider landscape of evasive threats targeting users in the browser.”
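As an added illustration (not Menlo's code or product), here is a paste-gate check in Python that implements the three layers the quote lists: a character limit, a fingerprint blocklist of known internal code, and a heuristic source-code detector. The thresholds, regex patterns and sample snippet are assumptions constructed for this example.

```python
"""Paste-gate policy check for text submitted to a generative AI prompt field."""
import hashlib
import re
from dataclasses import dataclass

MAX_CHARS = 500  # assumed limit on what may be pasted into a prompt field

# Heuristic patterns that indicate source code rather than prose (constructed).
_CODE_PATTERNS = [
    re.compile(r"^\s*(def|class|import|from)\s+\w+", re.M),              # Python
    re.compile(r"^\s*#include\s*[<\"]", re.M),                           # C/C++
    re.compile(r"\b(public|private)\s+(static\s+)?\w+\s+\w+\s*\(", re.M),  # Java/C#
    re.compile(r"\bfunction\s+\w+\s*\(|=>\s*\{", re.M),                  # JavaScript
    re.compile(r";\s*$", re.M),                                          # statement terminators
    re.compile(r"[{}]\s*$", re.M),                                       # brace-delimited blocks
]

def _normalize(line: str) -> str:
    """Collapse whitespace so trivial reformatting does not evade the blocklist."""
    return re.sub(r"\s+", " ", line.strip())

def fingerprint_lines(source: str) -> set[str]:
    """Hash each normalized line of 8+ chars; shorter lines are too common to be meaningful."""
    lines = (_normalize(raw) for raw in source.splitlines())
    return {hashlib.sha256(l.encode()).hexdigest() for l in lines if len(l) >= 8}

def looks_like_code(text: str) -> bool:
    """Call it code only if at least two distinct patterns match, to limit false positives."""
    return sum(1 for p in _CODE_PATTERNS if p.search(text)) >= 2

@dataclass
class Verdict:
    allowed: bool
    reason: str

def check_paste(text: str, blocklist: set[str], max_chars: int = MAX_CHARS) -> Verdict:
    """Evaluate a paste against the layered policy; the first failing layer wins."""
    if len(text) > max_chars:
        return Verdict(False, f"paste exceeds {max_chars} characters")
    matched = fingerprint_lines(text) & blocklist
    if matched:
        return Verdict(False, f"{len(matched)} line(s) match known internal code")
    if looks_like_code(text):
        return Verdict(False, "content appears to be source code")
    return Verdict(True, "ok")

# Constructed sample standing in for proprietary code registered with the gate.
INTERNAL_CODE = """
def optimize_batch(records):
    cache = build_index(records)
    return [cache.lookup(r.key) for r in records]
"""
KNOWN_CODE = fingerprint_lines(INTERNAL_CODE)

if __name__ == "__main__":
    print(check_paste(INTERNAL_CODE, KNOWN_CODE))
    print(check_paste("Please summarize this note: we agreed to ship on Friday.", KNOWN_CODE))
```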
Krishna Vishnubhotla, VP of Product Strategy – Zimperium
“The biggest risk to our private data lies in the mobile devices we use every day and the applications that are on them. In fact, the Zimperium 2023 Global Mobile Threat Report showed that 80% of phishing sites now either specifically target mobile devices or are built to function on both mobile devices and desktops, and that the average user is 6-10 times more likely to fall for an SMS phishing attack than an email-based one. As we know in today’s workplace, particularly following COVID, many of us are working from home (or working from anywhere). We have clearly seen employees working on personal mobile devices that are accessing all the same data that they were previously accessing via corporate devices. It’s the organization’s duty to protect the data that’s being accessed at all times, while at the same time ensuring privacy for the user on the personal device. Organizations must ensure that the device accessing its data is safe; the network it’s connecting from is safe and trusted; and the applications on the device are not hostile.”
Manu Singh, VP, Risk Engineering, Cowbell
“In today’s threat landscape, we are seeing the continued evolution and sophistication of cyberattack techniques and tactics, including bad actors circumventing multi-factor authentication (MFA) and accessing offline backup systems. What the industry previously considered ironclad defenses simply aren’t anymore. This Data Privacy Day, organizations should prioritize staying ahead of threats through:
- Conducting a risk assessment to identify the vulnerabilities within the organization, and acting on the findings. A risk assessment shows organizations what their architecture looks like, their vulnerabilities, and more. Addressing issues identified in a risk assessment puts an organization in a better position to deal with cyber incidents. If you work with a cyber insurance provider, ask them for your organization’s risk assessment report and how they can help you improve your cyber hygiene.
- Upholding good cyber hygiene. While cybersecurity measures should be tailored to an organization based on its risk assessment, it’s important to follow basic best practices: adopt MFA, deploy an Endpoint Detection and Response (EDR) solution, keep up with patching, maintain good password hygiene by adopting a password manager, and have offline and tested backups/copies of all data.”
Darren Guccione, CEO and Co-Founder, Keeper Security
“This Data Privacy Day, industry experts may warn about the new and novel ways attackers are violating your privacy and breaching your data. From the threats that come with generative AI to the rise of attacks targeting genealogy companies like 23andMe that hold highly sensitive personal information, it’s certainly clear the tools in a cybercriminal’s arsenal are growing more sophisticated. But the fundamental rules of protecting oneself in the digital landscape remain as relevant as ever. Basic cybersecurity measures, such as creating strong and unique passwords, enabling multi-factor authentication and keeping software up to date, are frequently overlooked. A recent study by Keeper found a quarter of IT leaders confessed that they even use their pet’s name as a password!
“Take the following steps to proactively protect yourself in the evolving digital world:
1. Use strong, unique passwords for every account
2. Enable multi-factor authentication
3. Regularly update software
4. Employ strict privacy settings on apps and browsers
5. Avoid oversharing on social media
6. Back up your important data
“Before finding yourself overwhelmed by all the ways cybercriminals can attack you, sit down and consider these basic cybersecurity measures and whether you are following them. Number one is critical, but difficult to achieve using just your memory, so consider using a password manager to safely and securely store and manage passwords. By taking these proactive steps, you can significantly strengthen your data privacy and reduce the risk of falling victim to both current and evolving cyber threats.”
John A. Smith, Conversant Founder and CSO
“Cyberattacks are the top global business risk of 2024. Data Privacy Week provides organizations an opportunity to raise awareness about data privacy issues and associated security risks, educate individuals about protecting their personal information, and promote more secure organizational data practices.
“In today’s digital age, most enterprises obtain personal and confidential data from their employees, customers, and stakeholders, making them vulnerable to a cybersecurity attack or data breach. All organizations have a responsibility to protect their data; many (such as law firms and healthcare institutions) have a fiduciary duty to protect sensitive information regarding clients. These businesses are built on trust, and in many cases lives and financial well-being depend on it; both can be easily and irreparably harmed if data is compromised. Organizations should consider the following to increase data privacy and security within their company:
- Adhere to regulations and compliance requirements: Enterprises should constantly review and be aware of data privacy regulations, such as GDPR, CCPA, or other regional laws.
- Understand that compliance isn’t enough: While security frameworks and mandatory compliance standards must be met, they in no way guarantee security: These frameworks and compliance standards should be viewed as a minimum floor. Threat actors are not limited to the guardrails within these frameworks, and threat actor behavior simply changes faster than the frameworks and standards can keep pace with. It’s essential to have a layered security program across people, process, product, and policy that protects the entire security estate with redundant controls.
- Measure your secure controls against current threat actor behaviors: By implementing robust security protocols and conducting regular security assessments against current threat tactics, organizations will know where their vulnerabilities lie and how to protect them. Threat actors are exploiting things that make the users’ experience easier, such as Help Desks that provide easy access and few verification steps, self-service password tools, weak forms of MFA, etc. To keep up, companies must trade some levels of user convenience for more stringent controls.
- Know your limitations: Most organizations have gaps in security controls and orchestration because they lack access to breach intelligence—how threat actors are causing damage technically. It’s those very gaps that threat actors seek and prey upon. It’s important to seek expert assistance to gain breach context and act without delay. While addressing these gaps may require additional capital investments, it will be far less than the cost of a breach, its mitigation, and the long-term fallout.
- Change your paradigms: Systems are generally open by default and closed by exception. You should consider hardening systems by default and only opening access by exception (“closed by default and open by exception”). This paradigm change is particularly true in the context of data stores, such as practice management, electronic medical records, e-discovery, HRMS, and document management systems. How data is protected, access controls are managed, and identity is orchestrated are critically important to the security of these systems. Cloud and SaaS are not inherently safe, because these systems are largely, by default, exposed to the public internet, and these applications are commonly not vetted with stringent security rigor.
- Most breaches follow the same high-level pattern: While security control selection and orchestration are important, ensuring a path to recovery from a mass destruction event (without paying a ransom) should be the prime directive. Organizations should assume a mass destruction event will occur, so that if it occurs, they can have confidence in their path to recovery.
“Data privacy is not just a technical concern, but a crucial tenet of ethical business practices, regulatory compliance, and maintaining the trust of individuals who interact with your business. It has become an integral part of building a secure and resilient digital economy.”
Ratan Tipirneni, President & CEO of Tigera
“This Data Privacy Awareness Week, enterprises and small businesses alike should prioritize holistic cybersecurity. While Kubernetes adoption has taken off, most Kubernetes teams haven’t implemented adequate posture management controls. They continue to implement the minimal level of security mandated by compliance requirements. This bubble is about to burst. This will manifest as stolen data (data exfiltration) or ransomware. However, this can be easily prevented through effective posture management to ensure that the right egress controls and micro-segmentation are in place.”
Rick Hanson, President at Delinea
“The end of privacy as we know it might be closer than you think. The world is increasingly relying on more AI and machine learning technologies. This reliance could result in privacy becoming less and less of an option for individuals, as AI’s capabilities in surveillance and data processing become more sophisticated.
“2023 marked a significant leap in the authenticity of deepfakes, blurring the lines between reality and digital fabrication, and that is not slowing down any time soon. Our digital identities, extending to digital versions of our DNA, can be replicated to create digital versions of ourselves, which can lead to questioning who actually owns the rights to our online personas.
“Unfortunately, advancements in AI technologies are evolving more swiftly than current regulations can keep pace with. In 2024, we can expect stricter data protection requirements across more countries and regions. But until these regulations evolve and can keep pace, it is important to reduce our risk and protect our privacy however possible.
“One of the best ways to do this is to continuously check each application, including what data is being collected and processed, and how it is being secured. Use a password manager or password vault to securely store credentials, and leverage multi-factor authentication (MFA) to ensure credentials don’t get exploited by forcing whoever the user is to prove their identity beyond just a username and password. In the event that a data privacy breach does occur, it is also important to have a cyber insurance policy in place to ensure you’ll have the means to continue to operate and recover.”
Michael Brown, Vice President of Technology at Auvik
“The evident tension between employee monitoring and personal privacy makes it imperative for companies to find and maintain an appropriate balance that upholds critical visibility while respecting boundaries and adhering to data privacy laws.
“With the continued expansion of remote and hybrid work, there is a heightened necessity for employers to keep a close eye on the way that employees are utilizing devices and applications in their daily routines. In addition to providing valuable information about the types of and ways in which technology is being used, employee monitoring ensures that installed applications are up-to-date, protects against known security vulnerabilities, and identifies potential productivity improvements. However, maintaining data privacy during this process is critical; when boundaries are overstepped and certain kinds of information are collected, this can feel invasive to employees and result in reduced morale as well as the potential violation of data privacy laws.
“On one end of the spectrum, monitoring an employee’s every action provides deep visibility and potentially useful insights, but may violate an employee’s privacy. On the other hand, while a lack of monitoring protects the privacy of employee data, this choice could pose significant security and productivity risks for an organization. In most cases, neither extreme is the appropriate solution, and companies must identify an effective compromise that takes both visibility and privacy into account, allowing organizations to monitor their environments while ensuring that the privacy of certain personal employee data is respected.”