Organizations are taking data privacy more seriously, but a new survey suggests many systems audit professionals feel they still don’t have enough money to accomplish their goals.
The survey by ISACA of 1,873 professionals who work in data privacy or have knowledge of their organizations’ data privacy functions showed 49 per cent of respondents felt they have inadequate privacy budgets. Thirty-five per cent of respondents said their privacy budgets are adequate.
It was one of a number of privacy-related surveys released this week by vendors ahead of the annual International Data Privacy Day, observed Jan. 28.
Cisco Systems said its annual Data Privacy Benchmark Study showed “strong evidence that privacy has become an even more important priority during the pandemic. Privacy budgets have increased over the last year, organizations have more resources focused on privacy, and privacy investments going above and beyond the law are translating into real business value.”
Privacy isn’t an “afterthought,” the report says. “It is core to how we work and interact with each other. The Age of Privacy has arrived.”
In the ISACA survey, circulated in the third quarter of 2020, respondents were also asked to list the causes of common privacy failures they’ve seen. Sixty-four per cent of respondents pointed a finger at lack of or poor training; 53 per cent of respondents said a failure to perform a risk analysis; and 50 per cent said bad or nonexistent detection of personal information.
Survey respondents noted that the most helpful methods in overcoming these obstacles are using a privacy principles framework, experience-based credentials and privacy training.
The Cisco report came from its annual Cybersecurity Benchmark Survey. Privacy-specific questions went to more than 4,400 respondents around the world who said they are familiar with the privacy processes at their organizations.
Among the highlights of the Cisco study:
- Respondents said their privacy budgets doubled in 2020 to an average of US$2.4 million.
- 93 per cent of respondents said their privacy teams played a significant role in helping them navigate and respond to the challenges brought on by COVID-19.
- They estimated their return on investment on privacy spending was down slightly compared to 2019, but still reasonable. Thirty-five per cent estimated the benefits were at least twice the investment.
- Respondents believe firms with more mature privacy practices are getting higher business benefits than average and are much better equipped to handle new and evolving privacy regulations around the world.
- 93 per cent of respondents said their organization reports privacy metrics (e.g., privacy program audit findings, privacy impact assessments, and data breaches) to their boards.
In an interview following the release of the report, Robert Waitman, a director of data privacy at Cisco, said that in a crisis, privacy usually gets pushed aside by management. “But what the report is showing … is that privacy is even stronger (now), that they maintained their commitment and interest and investment in keeping privacy protections in play despite the challenges we’re all facing.”
Of the 200 Canadian respondents, he added, 77 per cent said privacy regulations had a positive impact on their organizations.
Asked what organizations should do to improve their privacy maturity, Waitman listed the following:
- Ensure employees know and think about what they need to do to protect customer data. “It’s everyone’s job,” he said. To do that organizations must have privacy champions within all business units as well as senior management;
- Get external certifications of their process, like ISO 27001. “This is an investment that organizations can and should make to assure their customers they are doing the right things to protect data,” Waitman said;
- Ensure they comply with privacy laws and regulations in every jurisdiction the business operates in.
- Finally, “do a good job of checking yourself” to find where gaps are and where investments are needed to lower risk.
Dave Lewis, Cisco’s global advisory CISO, added this advice:
- Encrypt sensitive data in transit as well as at rest.
- Use multifactor authentication to protect logins.
- And review the privacy processes of supply chain partners if they handle or have access to your data. “You don’t want to have inadvertent leaking of data,” he said. “Whether it’s personal data or intellectual property.” For example, an organization with a flat network that allows partners to connect through an unencrypted connection may inadvertently give outsiders access to data they were never meant to see. The solutions include network segmentation and access control.
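The flat-network problem Lewis describes, and the segmentation fix for it, can be shown as a packet-filter ruleset. The following nftables ruleset is an added example written for this page; it is not from the article, Cisco or LogMeIn. The addresses are hypothetical: 10.200.0.0/24 stands for the partner VPN subnet, 10.10.5.20 for the single partner-facing API host, and 10.10.0.0/16 for the corporate network. The weak setting (forward everything, which is what a flat network amounts to) is shown commented out beside the corrected chain, which lets the partner subnet reach exactly one host on TLS port 443 and logs and drops everything else, so a plaintext HTTP or file-share connection from a partner into the internal range is blocked rather than silently permitted.

```nft
#!/usr/sbin/nft -f
# Added example for this article, not a ruleset from Cisco or the article.
# Hypothetical addresses:
#   10.200.0.0/24  partner VPN subnet
#   10.10.5.20     the one API host partners are meant to reach
#   10.10.0.0/16   corporate network that partners must not browse

flush ruleset

table inet partner_edge {

    # Weak setting: the flat-network equivalent. Every packet the partner
    # VPN forwards into the corporate range is accepted, so a partner host
    # can reach file shares, databases and plaintext services it was never
    # intended to see. Left commented out for contrast; never load both chains.
    #
    # chain forward {
    #     type filter hook forward priority 0; policy accept;
    # }

    # Corrected setting: default drop, one explicit allow.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies for sessions that were already permitted below.
        ct state established,related accept

        # Partners may open new connections to exactly one service:
        # TLS on the partner API host. Plaintext port 80, SMB, RDP and
        # any other internal host never match this rule.
        ip saddr 10.200.0.0/24 ip daddr 10.10.5.20 tcp dport 443 ct state new accept

        # Anything else from the partner subnet toward the corporate range
        # is logged (so the attempt is visible to the SOC) and then dropped.
        ip saddr 10.200.0.0/24 ip daddr 10.10.0.0/16 \
            log prefix "partner-deny: " counter drop
    }
}
```

Load it with `nft -f partner_edge.nft` on the gateway that sits between the partner VPN and the corporate network, then confirm with `nft list ruleset` that the `forward` chain policy is `drop` and that only the 443 rule accepts new connections. The `log` and `counter` statements are what turn segmentation into evidence: the partner-deny counter climbing is an early signal that a partner system is probing beyond its agreed scope.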
Iman Ahmad, the co-chair of the data protection, privacy and cybersecurity practice at the Norton Rose Fulbright Canada law firm, noted that the regulatory environment in Canada may toughen shortly.
“Ever since the European Union’s General Data Protection Regulation (GDPR) came into force, increasingly prescriptive privacy and data protection laws are being adopted around the world. Canada is no exception with the proposed laws in Quebec and the proposed new federal Bill C-11. If passed, the cost of non-compliance will increase materially. We are seeing and anticipate organizations investing significantly in privacy compliance programs in the coming 12-24 months.”
The advice doesn’t stop
“Data protection is definitely something that is now firmly on more radars than not,” said Kris Klein, managing director of the Canadian division of the International Association of Privacy Professionals (IAPP) and a member of the Ottawa privacy law firm nNovation. “It’s become mainstream to talk about privacy and security. A day doesn’t go by without at least one major data breach being reported in the news. All this to say, organizations still make mistakes and some do not prioritize having a privacy management program in place, a component of which is to properly safeguard data. One common mistake we see when dealing with data breaches is that vendors who are entrusted to process personal information are not being properly vetted, and the contracts between controllers and processors don’t have the necessary safeguards. So, vendor screening is a big issue that organizations need to do better at.
“Another common mistake is that organizations do not spend enough time and energy training their staff on what is the right thing to do with data. Ethical issues are abundant but people are often left to their own devices in trying to figure out what is right and what is wrong. More training on these issues is needed.”
“Data Privacy Day is an ideal time to build awareness and start an open dialogue about how individuals’ data is being leveraged by companies,” said Jasen Meece, CEO of Cloudentity. “It’s important to put the power of data back into consumers’ hands so they can decide how their data is being used and shared.”
Rene McIver, chief privacy officer of Toronto-based SecureKey Technologies, said Data Privacy Day helps promote data protection and sharing between consumers and organizations, who both play a critical role in moving awareness of this topic forward. “This helps bridge the gap for safer digital practices in Canada and around the world, which has never been more critical in today’s ever-evolving digital landscape. Digital transformation globally over the past year has been exponential, which gives data privacy a whole new level of importance in 2021. This has increased the initiative’s progress by shedding a spotlight on why it’s important to reflect on the digital progress in Canada and abroad, while continuing to advocate for further actions to close the remaining gaps that are often the source of online vulnerabilities.
“Data Privacy Day is an opportunity for organizations to manage reputation, enhance growth and cultivate trust with consumers by being transparent about how they collect, store and use data.”
Start with basic hygiene
Ian Pitt, CIO of LogMeIn, offered these tips to managers:
- Start with basic security hygiene. Having the best collaboration tools and security software won’t do any good if the security basics are not implemented. In fact, many “hacks” exploit known vulnerabilities for which patches are available. Make sure all deployed software is patched and regularly update firmware and anti-malware and ensure that all data backups are up to date. Tracking all applications being accessed should also be part of the cybersecurity program, as many threat actors target unattended apps.
- Develop a security-aware culture. It can often be the human element that is the weakest link in security, with employees failing to change default passwords or using the same credentials across multiple accounts. This is especially true when no emphasis has been placed on security awareness. Keep your employees educated on what is confidential and sensitive data, and the steps they can take to protect both their own and their customers’ information. Creating a stronger “cyber smart” security culture takes time and lots of education, but is critical to data security in a work-from-anywhere environment.
- Implement an access management tool. Using enterprise password management and single sign-on technologies will not only help reduce the risk of unauthorized logins, but also give the IT team more visibility into who has access to specific resources. Moreover, organizations are able to integrate their domain, SaaS applications and even customer applications, ensuring every entry point is secured.
- Limit information shared on public channels. It’s tempting to share logins or passwords with colleagues through email or messaging platforms, but attackers can easily compromise the shared information. Instead, call the co-worker who needs the login details rather than writing them down, or use a secure password-sharing application that requires additional verification of a user’s identity before granting access.
- Utilize passwords and end-to-end encryption for all video meetings. Virtual meetings also provide an opportunity for attackers to listen in on private information. Always mandate passwords when setting up new meetings and share that information with participants separately from the meeting invite itself. Most major videoconferencing providers now also offer end-to-end encryption for meetings, and utilizing this feature adds another layer of security, making it more difficult for anyone outside the meeting to access the conversation.