Business urged to take action on data privacy

Reputational damage

And it is not only the new privacy legislation in Europe and the US that is a factor. Lawrence Munro, European director at security firm Trustwave for Europe and Asia-Pacific, said the mounting number of breaches involving consumers’ financial and private data means that people are increasingly aware that their information is at risk, and much less willing to forgive businesses that betray their trust.

The Information Commissioner’s Office (ICO) has also highlighted the potentially devastating effect of reputational damage as a result of a personal data breach.

Munro said security professionals see “Password1” as the most common password year after year. “Such abysmal security presents an open door to hackers. Likewise, phishing scams over email and phone continue to trick droves of workers,” he said.

According to Munro, security in many organisations continues to be seen as a “box to be ticked” as cheaply as possible rather than an essential operation necessary for survival.

“Practices such as regular intensive network testing using real experts rather than occasional automated scans are crucial if businesses are to avoid the reputational and financial fallout of a breach this year,” he said.

No place to hide

Jason Hart, CTO data protection at Gemalto, said that when the GDPR is enforced, companies will no longer be able to hide breaches, which could have fatal effects on a business.

“Businesses must act now to ensure they have the correct security processes in place before the regulation takes effect. Being a better steward of customer data is not just good PR, it makes good business sense too,” he said.

Richard Anstey, European CTO at Intralinks said that while cyber attacks are becoming more common, human error is still a huge problem and causes a significant number of data leaks.

“Many employees bring bad cyber-security practice from home into the workplace, and businesses don’t realise the implications that can have on an organisation. Educating the workforce is as critical as implementing technology solutions to manage data flows, especially when handling very sensitive information, such as intellectual property,” he said.

Anstey said that businesses need to know the value of their data, where it flows across the world, where it is encrypted and how it is being used by its employees. “Only then can organisations make informed decisions about how to manage and secure data appropriately. For this reason, you’ll see more chief privacy officers on executive teams in the coming years.”

Conflicted over data

Raj Samani, CTO for Intel Security in Europe, said: “As a society, we continue to be in a state of conflict when it comes to data. On the one hand, we’re often outraged over regular news around data breaches, while on the other hand we think nothing about trading our identities for a chocolate bar or less, often volunteering intimate data such as medical or financial information.

“In 2016 we’re only going to further see the exploitation of people’s data and the expansion of what we call the data economy, especially as the internet of things becomes part of our day-to-day lives, with smart homes fast becoming a reality.

“Data Privacy Day serves as a reminder for us as a society to wake up to the fact that what an organisation knows about us is among its most valuable and marketable assets. It’s time we stop declaring ourselves ‘data bankrupt’ – which is what we’re doing when we assign zero value to our information, buying patterns and preferences.

“When we think about our data and where it’s going, who is using it and what we’re giving it away for, we need to be even more cautious and hard-nosed about entering into data transactions by driving harder bargains and asking ourselves smart questions such as who our data will be shared with and how it’s going to be protected,” he said.

Cloud security firm Skyhigh Networks marked Data Protection Day by highlighting the risks posed to privacy by the UK’s proposed Investigatory Powers Bill.

While the UK is observing Data Protection Day, the draft legislation shows that the government is “failing to put privacy rhetoric into practice”, said Nigel Hawthorn, European marketing director at Skyhigh Networks.

“When you compare our recent encryption policies with the likes of the Netherlands, which recently said no to encryption back doors, it’s clear which country is walking the walk as well as talking the talk,” he said.

He called 28 January an “iconic” date because it marks the anniversary of the Council of Europe’s Convention 108 for the protection of individuals when personal data is automatically processed.

Hawthorn said: “For 35 years the treaty has been considered the cornerstone of data protection. Yet, with a draft surveillance bill that doesn’t specifically state that companies won’t have to weaken their encryption for the authorities, consumers arguably have even less say today about how their data is being used.