This week, many of the world’s leading privacy, data protection and cyber security professionals turned on and tuned in to our PrivSec Global virtual event.
The event, organised by PrivSec Report publisher GRC World Forums, featured four whole days of keynote sessions, panel debates, and an opportunity to network and chew over all things data-related through discussions in public boards and virtual booths.
Here we outline some of the key themes that emerged across the four days.
1. Covid-19 is just the latest example of cyber-criminals exploiting global events
Set against the unavoidable backdrop of 2020’s global Covid-19 pandemic, world events were not so much the elephant in the room as the very room itself, and our professionals returned again and again to the turbulent global forces that have shaped their information strategies and priorities.
On Tuesday, McMafia author, journalist and broadcaster Misha Glenny gave a fascinating keynote on Geopolitics, Cybersecurity and the Future of Organised Crime, sponsored by NetApp, tracing the history of organised crime through the turbulent political and market developments of the 20th and 21st centuries, up to the emergence and evolution of the newest generation of organised criminals – cyber attackers.
“Geopolitics and cybersecurity are now intimately entangled” was Glenny’s key message.
“These days, cyber security is not just about tech. In fact cyber security these days is more or less about everything”, including political psychology, military doctrine and anthropology.
Former FBI Special Agent Jeff Lanza also spoke of the futility of seeing cyber crime as separate from other types of organised crime, as he shared tales from his remarkable career at the Bureau and discussed the role of law enforcement in combatting cyber threats. Like Glenny, he observed how cyber crimes, such as ransomware attacks, have evolved in tandem with other criminal endeavours: “if you pay money to get your money back, that money can just be used to fund other criminal enterprises”. Fundamentally, he noted,
“we need to consider the importance of international cooperation when fighting cybercrime”.
Inseparable from the day-to-day working lives and priorities of the information professionals who shared their expertise with us was, of course, the coronavirus pandemic – a vivid illustration of a global event that has permeated the imaginations of the global workforce and has therefore proved ripe for criminal cyber exploitation.
Security specialist Zoe Rose observed that any media-worthy event – whether it’s Covid, vaccinations, even tax issues – creates inspiration for phishing attacks. World events continually hand criminals a storyline they can use.
The exploitation of such narratives centred around our most vulnerable points was also front of Lanza’s mind when he said, of ransomware attackers: “they’re not letting up during Covid, they’re stepping up, knowing that hospitals are more vulnerable and research centres as well.”
And attackers not only utilise real-world events, they cause them too, as former GCHQ Director Robert Hannigan noted in his keynote, The Future Cyber Threat Landscape, sponsored by OneLogin. He described the first possible death following a cyber attack in Germany a few months ago as being “significant not just for the poor individual but it shows the scale of what could happen, [the] collateral damage in cyber”.
2. When it comes to a distributed workforce, businesses are now entering a period of reflection and future-planning
As privacy and security professionals looked back upon their organisations’ rapid adaptation to the pandemic, we heard frequent references to the challenges and risks of shifting from office-based to remote working on a large scale. Whether these issues really result from Covid, or from a general lack of preparedness for an evolving workplace culture that the pandemic merely spotlighted, is unclear. But, initially in the pandemic at least, we may have seen an overreach in personal data collection in some spheres, and a slip in privacy standards.
“In a pandemic, maybe we need to accept that there may be a lowering of our expectation of privacy but you definitely need to pay a lot of attention to how that’s managed and make sure that everything is time-limited”, said Gus Fraser, CEO of Revoke.
Professionals and providers underscored the importance of transforming security from an on-premise model to one that fully accounts for home-working risks. Adoption of new technologies and the use of home networks and devices – with the resultant proliferation of shadow IT and unstructured data, and perhaps a lowered guard against threats as employees are tempted to cut corners – have all contributed to an explosion of phishing attacks in the last year. Confidential information is at risk of exposure.
“Bring your own device is like ‘bring your own disaster’.”
Gal Ringel, Co-founder and CEO of Mine
Writing on one of our discussion boards, Dave Williams, Global Integrated Marketing Manager at 3M Privacy Solutions Business, explained that “Ensuring software and network integrity and protection is vital, but don’t forget the physical security aspects, human error, malicious visual hackers, device protection. An increasing number of breach initializations can be traced back to these.”
But now that we are past the initial phase of simply keeping business going, our professionals have been reflecting on the technologies, processes and policies implemented early in the pandemic, and plugging the gaps that allow risk in.
“A lot of tech had to be set up very quickly to get companies’ functions working […] there will be things that will need to be revisited”, said Emma Wright, Partner at law firm Kemp Little.
Undoubtedly, Covid-19 has been an engine for innovative tools, solutions and processes – and, at the same time, has raised the profile of privacy professionals.
“All of a sudden, data protection, data privacy, all of these things have suddenly become really, really hot topics”, said Jonathan Craven, Head of Information Governance / Data Protection Officer, Central and North West London NHS Foundation Trust.
“We are pretty much in a period of unprecedented change and that’s something I’ve seen in the volume of the developments that we’ve seen, the adaptation that we’ve had to do in terms of policy, process, the systems we have in place… We’ve just had a complete sea change”.
He added: “I think now is the time, not just for the NHS organisations, but specifically for NHS organisations, to take a period of reflection and say can we just check all of our rationale and our decision-making processes that we went through from April to September, October time… to check that we are comfortable with everything we did”.
3. Unstructured data carries control risks, but also huge opportunities
Many of our presenters focused on the ever-present challenge of achieving and maintaining control over data, particularly unstructured data.
On a discussion board, Sonia Cheung, Managing Director of FTI Consulting, predicted that: “In 2021, I am seeing a focus on unstructured data remediation efforts – how to get control over their loose files everywhere. I am also working with global financial institutions on data hygiene efforts – classifying where personal/sensitive data is, using data governance platforms to track sensitivity and also decommissioning applications that are no longer of business value and are not subject to legal or regulatory obligations. There is a strong push towards defensible disposal/data minimisation which also requires firms to refresh their retention schedules and setup repeatable processes to operationalise these rules at scale.”
The issue of data retention came up frequently, as organisations grapple with how to manage often unwieldy, unclassified and aged data sets, which frequently contain sensitive elements – much of which is unused.
“most organisations are significantly over-retaining data beyond its use”.
Nina Bryant, Managing Director at FTI Consulting
“One of the most common scenarios that we come across is where you’re in the middle of trying to make sense of a large pile of information that is already dated – most of your data, around 80%, is very rarely accessed”, said Ariel Zamir, R&D and Product Director of NetApp’s Israeli Innovation Center, in his session on Data Discovery as a Platform.
However, many of our panellists were keenly aware not only of the risks of unstructured data, but also of the opportunities that good quality data brings.
According to Heather Federman, Vice President of Privacy and Policy at BigID: “once you know that you are working with data that is privacy friendly, data that is good quality data, that is secure, that has the right consents in place, well that actually gives the business a really great opportunity to say ok, now we have this really great data set what can we do with it?”
Sam Gillespie, GRC Solutions Engineer at OneTrust GRC, voiced a similar view: “We see organisations realising that they’re perhaps not unlocking the potential in that data that they should be, and that the value that they’re gaining from data could be increased by broader data governance”.
Ultimately, privacy programmes need not be incompatible with commercial realities, and Sonia Cheung, Managing Director at FTI Consulting, had this to say about the importance of demonstrating return on privacy investment:
“Privacy spend also should be connected with revenue generating activities that come from being able to analyse and create more useful, transparent services to consumers. Privacy should be a business enabler vs. a business blocker.”
4. Cross-disciplinary connectedness between privacy and security has never been more important
As Alan Turner, Global Privacy Risk & Compliance Officer at dunnhumby, said: “A really good point is that security and privacy go hand in hand so [it’s about] having a really strong relationship with your information security team and your technology teams and making sure that they’re not making decisions that have an impact on privacy”.
The importance of relationships was returned to continually, and we heard how building a culture – of both privacy and security – is as important as any cutting-edge tech tools or business processes. Establishing, building and embedding that culture boils down to people and, at an organisational level, bringing people together, being persistently visible and communicating effectively and frequently.
Gemma Withams, Group Privacy Officer at Skyscanner, summed it up thus: “Just get out there and talk to people.”
But a culture of privacy and security goes far beyond the organisational level – whether that’s to the nation states, regions, industries, or even across industry and law enforcement spheres.
5. There was excitement, but also caution, over the rise of AI, machine learning and other emerging technologies
Throughout the event, we heard much about the growing importance of technological solutions to the challenge of data governance and hygiene, with AI and machine learning the technologies on many lips, for areas like data discovery and retention, as well as spotting and mitigating cyber security threats.
Stephen Cavey, Co-founder & Chief Evangelist at Ground Labs, said: “Automation is such a key thing. And look, we’re in a world where in some case there’s reduced budgets or less people to work with, so the ability to automate as much of that security work and ongoing compliance verification work… is incredibly important and a lot of organisations haven’t invested enough.”
Amid the enthusiasm for technology in data governance, however, there was also a note of caution about not neglecting the human factor, particularly when building buy-in and a sense of collective accountability for privacy across an organisation.
Anthony Hemond, Privacy Counsel, Air Canada, said: “Tools are very important but the end user will say it’s just a tool, it’s IT ownership of that, it’s not us. There’s a disconnect when we rely only on a tool to classify the information.”
“Technology is now perhaps doing more of the decision making for us and there is a challenge there ensuring that we can build accountability and validation into the decision-making logic of those systems”, said Sally Annereau, Senior Data Protection Adviser at Taylor Wessing LLP.
On the cyber front, while organisations are utilising deep learning algorithms and behavioural analytics to systematise cyber attack detection and mitigation, some took care to point out the centrality of the person in cyber security. Any strategies and processes must inevitably incorporate awareness raising, training and accountability for the workforce.
“We have to be careful to put machine learning in its place and to actually say, well, this is a small addition to good cyber practices, good cyber hygiene, it’s not a universal panacea”, said Trevor Luker, VP of Information Security at Tessian.
He added: “We work in the human area of security and it’s what motivates people, what are people after, what makes people more effective in defence – and it’s about people.”
6. The shift to cloud requires new approaches to risk, with trust more crucial than ever
Chief among the digital acceleration journey undertaken by organisations in the midst of Covid-19 and the escalation of remote working has been a shift from on-premise to cloud – and whether companies are looking at a hybrid model or a complete transition, cloud is here to stay.
David Barnett, Director of Edge Protection EMEA at Forcepoint, said: “We don’t need to teach people now that cloud is a good thing, it’s the default for most organisations”.
But a more off-premise model has meant that traditional risk review approaches are no longer enough, necessitating a revised approach to identity and data access.
In tandem with a successful shared responsibility model, we heard how the development of a trust relationship between organisations and cloud service providers was fundamental.
“Since we moved into providing cloud services for enterprises and hosting their data, making sure that those companies trust us with their data and making sure we handle it responsibly is crucial to adoption” said Kim Howell, Senior Director of Privacy at Microsoft.
7. International data transfers are becoming a major concern
It’s hard to imagine a topic that strikes at the heart of trust more than international data transfers, and unsurprisingly this came up frequently over the course of the four days. Indeed, in a survey of PrivSec Global attendees, more respondents (56%) picked this topic as the greatest emerging challenge to GDPR compliance than any other.
With the trend towards greater privacy awareness and data protection regulation spreading across the globe and a unified global standard or approach to privacy not likely at present, regulators are grappling over how to reconcile one regime with another.
Professionals are dealing with the fall-out of July’s Schrems II decision to invalidate the EU-US Privacy Shield, a ruling that “created waves that you will see throughout the system in Europe but also throughout the whole privacy discussion in the world”, according to Wojciech Wiewiórowski, European Data Protection Supervisor, in his opening keynote on Wednesday.
Watching the debate play out is the UK, poised to exit the Brexit transition period at the end of this month, and eager to obtain an adequacy decision from the European Commission.
For many organisations, the principal practical implications of Brexit boil down, we heard, to the need for non-UK data controllers or processors processing the personal data of UK citizens to appoint a UK representative, and for non-EEA organisations processing EU resident data to have an EU Representative.
But the issue of data transfers promises to be thornier, as the jury is currently out on the UK’s chances of obtaining adequacy.
Sjoera Nas, Senior Privacy Adviser at Privacy Company, was not hopeful: “I’m going to say two words about Brexit: non-adequate”.
On the other hand, James Snook, Director at Department for Digital, Culture, Media and Sport (DCMS), suggested a more confident Whitehall: “We see no reason why the UK should not continue to be found adequate, given that we were considered adequate while we were a member of the European Union. I think we have one of the best implementations of GDPR in Europe.”
If adequacy does not transpire, however, organisations wishing to comply with GDPR must rely on an alternative mechanism to guarantee the safety of that data when transferring to so-called “third countries” – often standard contractual clauses (SCCs). Post Schrems II, controllers using SCCs must establish the equivalence (or not) of the personal data protection afforded by third countries before any transfer takes place, on a case-by-case basis. Many professionals voiced concerns about how onerous these equivalence assessments could prove to be.
The European Data Protection Board has set out guidance on supplementary measures that may be necessary to bolster such SCCs, but even with such measures available, said Wiewiórowski, not all data transfers will necessarily be possible.
Posting on our discussion board, however, Taj Sallamuddin, Information Lawyer at Information Governance Services Limited, was more relaxed about the situation: “Any competent lawyer should be able to assess the risks around any given data transfer and then draft appropriate clauses to guard against those. We are sometimes over-reliant on regulators/policy makers and I get why but sometimes organisations put everything on hold just to wait on their guidance when quite often the regulators use the very same pool of lawyers that are available to the said organisations anyway.
“Having said all this, we should note SCCs are not an absolute fix and the fact that they can’t bind third parties (such as security services, whose processing activities are quite often disproportionate) shows their limitations.”
8. There is strong support for a US federal privacy law
Fresh in the minds of attendees was the recent US election, which saw Democrat President-Elect Biden selected to head the next administration. With previous attempts to garner bipartisan support for a federal privacy bill having failed – due to a lack of agreement on the nature of such a bill, rather than the notion of a bill itself – eyes are now on Biden to see what developments his administration will bring.
“I think the Biden administration will be somewhat more supportive [of a federal privacy law] than the current administration, but it’s not a first order priority for them” said Kirk Nahra, Partner and Co-Chair of the Privacy and Cybersecurity practice at law firm WilmerHale.
Amid a complex state and sectoral privacy landscape in the US, there seemed to be much support in the (virtual) room for a federal law. Could now be the time?
Some, like keynote speaker Daniel Solove, Professor of Law at the George Washington University Law School, thought it might be. He said: “There’s never been a better time in US history for a desire for a federal privacy law, there is almost a consensus.”
9. The cyber skills gap is causing real problems
One issue that is not going away is that of the cyber skills gap – “the single biggest problem for the whole of the world that relies on technology”, according to former GCHQ Director and keynote speaker Robert Hannigan.
Writing on one of our discussion boards, Tawhidur Rahman, Senior Technical Specialist – digital diplomacy at BGD e-GOV CIRT, said: “There’s no end in sight to filling the cybersecurity skills gap, and most analysts predict that the shortage is going to get worse, rather than improve. Security leaders are turning to human resources teams to help them recruit and retain talented professionals, but that’s simply not going to be sufficient to solve the problem.”
With a high bar to enter the profession, the prospects look bleak for filling the many empty roles required to futureproof organisations against the cyber threats and challenges of an increasingly digital and data-driven business reality.
For Marcin Szczepanik, Head of Information and Data Security at Essar Oil UK, the issue is one of education – but also of culture.
“From my experience, it’s often about educating the business and HR what is a BIG deal about cyber and why cyber skills cannot be simply compared to any other engineering skills that they have had for 30 years.”
“… Also it takes time to develop culture, awareness and an attractive environment for cyber talent. Let’s face it, if the organisation does not encourage transparency and privacy – you can’t expect people to be driven to deliver a state of the art cyber security posture. Also how do you keep your staff working for you if they don’t feel that C-Level drive for cyber. And finally sourcing cyber talent is not easy either. Sometimes HR does not necessarily have experience in that field and there are not many recruiters with relevant experience.”
He adds: “It’s all about determination of the individuals leading the infosec and privacy posture in your organisation and organisation appreciating their often invisible work and dedication.”
10. There is a strong desire for better training of workforces in data protection, privacy and security
More broadly, the issue of skills goes further than the cyber field. Our own research at the PrivSec Global forum revealed a demand for specific, recognised training and qualifications in data protection, privacy and security for the wider, non-specialist workforce, perhaps in areas like HR, sales, or even IT.
80% of respondents to a PrivSec Global survey said they do not believe their workforce is adequately trained on data protection, security and privacy issues, with a similar percentage saying they would look favourably on a foundation qualification.
Again and again our panellists returned to the centrality of people to any privacy or data security programme – and the need to provide them with appropriate, targeted, and engaging training.