Data Protection Day 2020: De-Risking in the Era of Transparency

By: Daniel Fried, General Manager (GM) and Senior Vice President (SVP), EMEA and Worldwide Channels, Veeam

The issue of data protection and privacy was, until recently, a conversation confined to a specific group of people within an organisation. Unless you were an IT consultant or a corporate lawyer, privacy compliance was something somebody else took care of. So, how have we reached the point where many organizations are bound by law to employ a Data Protection Officer (DPO)? Why are CEOs now so interested in their company’s data protection and privacy policies?

You could be easily fooled into thinking data privacy as a field has only existed since 2018, but nothing could be further from the truth. From an anthropological perspective, human beings have longed for privacy for over 3,000 years. The use of internal walls within buildings which started to become commonplace in 1500 AD proves this. The concept of the ‘right to privacy’ as we know it is indeed younger – eventually being formalised as an international human right in 1948. Sweden became the first country to enact a national data protection law in 1973. Even this, the first tangible effort to regulate data privacy, happened in response to public concern over the increasing use of computers to process and store personal information. 

While our understanding of the current data privacy conversation must operate within this context, there is no denying that 2018 was a watershed moment. The General Data Protection Regulation (GDPR) may be less than two years old, but its impact has been significant. Its very specific nature makes the regulation enforceable, and GDPR regulators have not been frightened to flex their muscles. To date, they have collected almost €429 million in fines – serving as a constant reminder to any business processing the data of European citizens that there are penalties for not adhering to data privacy requirements.

The privacy skills gap

As well as providing a clearer framework for appropriate data handling practices, GDPR has made data protection and privacy more about people. Rather than talking in terms of technical standards and software requirements, it is based on fundamental citizens’ rights and how people within an organization can uphold them. One of the most specific lines of the GDPR is Article 37, which states that certain companies must appoint a Data Protection Officer to be compliant. More specifically, this applies to any public authority, and to any company whose core activities require large-scale monitoring of individuals or consist of large-scale processing of criminal data.

Wherever appointing a DPO is not required under GDPR, it is advised as best practice for companies who need to ensure they have the right data processes in place. Given that the latest Veeam Cloud Data Management report shows that organizations across multiple industries will spend an average of $41 million deploying technologies to boost business intelligence, experienced DPOs have become hot property. In 2018, when GDPR was passed, as many as 75,000 vacancies for DPOs needed to be filled – with Europe and the USA accounting for around 28,000 of these roles.

Especially during this period of transition, organizations across the board must foster a culture of transparency in terms of how data is used. Not every person in the business can be a data protection expert, but all employees must appreciate and understand the basic principles. Furthermore, while the ownership of GDPR compliance lies with the DPO, the buck ultimately stops with the CEO. Data protection is a business conversation as well as a technology one. With that said, businesses must have an IT strategy in place which enables solid data protection practices. 

Minds over matter

Veeam research shows that three-quarters of IT decision makers globally are looking to Cloud Data Management as a means of creating a more intelligent business. Cloud Data Management brings together disciplines such as backup, replication and disaster recovery across an organization’s entire cloud and data management provision. It ensures that data is available, recoverable and protected at all times. But like data privacy, IT is a people industry too. In a world where businesses need to protect their data more than ever before, CEOs, CIOs and DPOs alike are looking for trusted partners to help de-risk their data management. This support may take the form of configuring data management systems, providing technical training for administrators, or basic data privacy training for end-users.

Data Protection Day is an appropriate time for us to reflect on how we use and view data.

Moreover, as we begin a new decade, it’s an apt moment to acknowledge that we are still in the midst of transformation. The impact of GDPR will continue to be profound as businesses adapt to its demands and its enforcers become less patient with those who fail to comply. More fines and reputational damage will only add to the demand for DPOs – people with the expertise and appetite to take on the data privacy challenges of an organization. While investing in technologies like Cloud Data Management will be fundamental to the DPO’s strategy, privacy is now a people business. Therefore, the shrewdest investments will be in trusted partners who can guide people at every level of the organization through the rigours of remaining compliant and help create an authentic culture of data transparency.

Using AI to Level the Cyber Playing Field

By Derek Manky, Chief Security Insights & Global Threat Alliances, Fortinet 

Imagine what you would have done differently in your network if you could have just seen a few years into the future. Would you have been quicker to embrace the cloud? What about the time and money spent on technologies that you now don’t really use? Every wiring closet has a number of expensive boat anchors sitting on a shelf somewhere gathering dust. Of course, if your organization has ever been the victim of a serious breach, it’s easy to guess how you may have prepared differently for that.

Predicting the Future

The truth is, that last one isn’t really just wishful thinking. Cybersecurity professionals, myself included, have been warning organizations about the threats just around the corner for years. Some require years of experience to understand threat actor trends and malware trajectories. But others just stare you in the face. For example, much of the recent success of the cybercriminal community has been due to their ability to successfully exploit the expanding attack surface and the security gaps resulting from digital transformation that are not being properly closed. This shouldn’t be news to anyone.

While predicting what cybercriminals are going to do next can be tricky, the reverse isn’t true. When it comes to the cyber arms race, the criminal community has always had a distinct advantage in knowing what’s coming next. Organizations are constantly looking for new ways to squeeze more value out of their networks, or gain that sliver of competitive edge through the use of new technologies. And cybercriminals can predict with a high degree of certainty where many of those organizations will also neglect to apply proper security to those efforts.

According to one report, cybercriminals cost the global economy a total of $1.5 trillion last year. And the rate of growth for cybercrime looks likely to continue for some time unless organizations make a significant paradigm shift as to how they think about and deploy security.

Gaining the Upper Hand

To get out ahead of the traditional cycle of buying new cybersecurity solutions in response to the latest threat trends, organizations need to begin using the same sorts of technologies and strategies to defend their networks that criminals are using to compromise them. That means adopting an intelligently integrated approach that leverages the power and resources of today’s enterprise.

Much of this is detailed in Fortinet’s Security Predictions report for 2020. In addition to my usual predictions around the tactics and technologies that cybercriminals are likely to develop and adopt over the next few years, this year’s report focuses extensively on ways organizations can successfully gain the upper hand when it comes to their cyber adversaries. And that strategy relies heavily on two things: the development and deployment of solutions built around machine learning and artificial intelligence, and shifting to a security-driven networking strategy that takes the principle of “look before you leap” to a new level.

The Evolution and Future of AI

One of the objectives for a security-focused AI strategy is to develop an adaptive immune system for the network similar to the one in the human body. In the body, white blood cells come to the rescue when a problem is detected, acting autonomously to fight infection. In the network, Artificial Intelligence can potentially perform much the same task by identifying threats and initiating and coordinating a response. A quick review of its history can help us predict its trajectory.

The first generation of AI is already in place in some sectors. Leveraging artificial neural networks and massive databases, systems using machine learning can rapidly sift through mountains of data to provide analysis and determine a proper course of action, all at network speeds.

The next generation of AI, currently running in labs and some production environments, is better able to detect patterns by distributing learning nodes across an environment. This enhances its impact on things like access control. Some AI systems are now able to identify individuals using complex bio-footprints such as typing patterns or heartbeat rhythms, and detect even the most subtle deviations in normal network traffic to identify malicious actors and malware. Implementing this in today’s networks will require deploying regional AI-enhanced learning nodes that can collect and process local data for quick responses to events, and also share that data back to a central AI brain for deeper correlation, to not only better detect suspicious patterns of behavior, but also immediately respond in a decisive manner before an attack can even be fully formed.

The third generation of AI, however, is where things begin to get really interesting. AI will still require a central brain, but rather than a hub and spoke model, it will instead exist as an interconnected web of even more intelligent regional learner nodes, much like an organic neural network. Direct information sharing between nodes will not only play a pivotal role in identifying threats in true real time, but also ensure that central protections and controls match local requirements and variations.

Getting from Here to There

Of course, none of this will matter if security isn’t deployed where cybercriminals strike. Today, different segments of the networks can’t see or talk to each other and collected threat intelligence often exists in isolation. The result is a fragmented security implementation that cybercriminals are all too eager to exploit. And this challenge is being compounded as more and more organizations rush headlong into adopting new technologies – today it’s the cloud and tomorrow it will be 5G and edge computing – without first properly considering all of the security ramifications. And that has to include prioritizing how the security to be deployed in new areas of the network will interoperate with existing systems.

Getting from where most organizations are today, to the sort of integrated and distributed security that the future will require, underscores the need to take a new approach. To start, organizations need to focus on interconnectivity and deep integration between their security devices. For machine learning systems to be successful, they not only need access to critical security information, but that data will need to be seamlessly and instantly shared across the network so it can be adapted to each networked environment’s unique configuration. This will also require taking a security-first approach to new network expansions to ensure that all network and security systems and devices are visible and consistently controllable from anywhere in the network.

The ability for machine learning and AI systems to take over many of the menial and detail-oriented tasks previously assigned to human resources will take a significant bite out of the growing cybersecurity skills gap. By shifting responsibilities to autonomous self-learning processes that function similarly to human autoimmune systems – hunting for, detecting, and responding to security events autonomously and in true real time – valuable cybersecurity professionals will be able to focus their unique skillsets on higher-order planning and strategy. This transition will be critical as organizations move to adopt the advanced security-driven network strategies that will help their businesses succeed in the digital marketplace of tomorrow.