The first day of PrivSec Global February 2022 took audiences on a deep-dive into themes dominating the privacy and security landscape.
Viewers of the livestream experience enjoyed experts’ keynotes, panel debates and presentations broadcast across a packed content agenda.
The morning sessions got underway with an exploration of cloud migration which has skyrocketed since the move to remote and hybrid workplaces.
Commenting on the advantages of moving to cloud infrastructure, Willem Balfoort, Director at JAPAC Privacy, Salesforce, said:
“You’re going to be much better off from a security point of view when using the cloud. Cloud operators are good at storing data in a safe and secure way.
“As a cloud company, we have such a strong incentive to not just avoid messing up, but to be really state-of-the-art,” Balfoort continued.
Amit Tenglikar, Associate Director – Technology Advisory Services, BDO UAE, underlined:
“Cloud services were a lifesaver through the pandemic, but they also bring down costs; it helps with scalability and security.”
In the next session sponsored by Exterro, South Africa’s Protection of Personal Information Act (POPIA) fell under the microscope.
Andrea de Jongh, Privacy Governance Specialist, at Moonstone Compliance, said:
“Cookie regulation in South Africa is not as stringent as that in the EU. But you must understand what you have when you craft your cookie notice. Some companies start collecting cookies as soon as someone starts entering the website.
“When you are drafting your cookie notice, know what you have – is it necessary for you to contract someone in? Are your third parties processing information that you shouldn’t be, because that makes you liable. You need to understand what essential and non-essential cookies are.
“In South Africa, we don’t want people to allow you to use their data if they don’t understand what that will mean for them.
“In terms of differences between GDPR and POPIA – it’s not a requirement for all entities to register a data protection officer under the GDPR, but in South Africa, registering a DPO is mandatory.
“One of the difficult points that GDPR-compliant firms must consider, is that the DPO must be based in South Africa, so the responsibility can’t be contracted out. They must also be of senior level,” de Jongh continued.
PrivSec Global then explored ESG issues, asking if an environmentally-friendly way of doing cybersecurity exists. Sponsored by Onapsis, the session saw Tony Proctor, Principal Lecturer / Consultant at the University of Wolverhampton tackle this critical topic.
“We need to think about what organisations are going to do to take an environmental approach to cybersecurity – how can they embark on this journey? Regarding green IT – think about what devices are consuming, what systems utilise,” Proctor said.
“There’s a question around our thirst for technology in our throw-away society: do you need to have 24/7 systems? Can we power down our systems from 7pm at night until 8am in the morning?
“When you start to dig into ESG, there are so many other aspects of security. One of the main principles is that we only really store data that we need to use. If we’re storing more, we’re consuming more resources to do so.
“We don’t need the carbon footprint that these devices are generating. If we are storing more data than we need, it’s a security risk – there’s more data to breach.
“When we look at good practice that should already apply, already when systems reach end-of-life, they have to abide by processes to satisfy environmental regulations, and we should be sanitising those devices. We have to bring in environmental practice.
“Some of the prerequisites – we need to know what we’ve got in order to secure those things. So, we should have well-maintained asset registers. But while we’re going through these processes, we should be looking at the carbon footprint of these estates too.”
In the afternoon, a panel of experts looked at how organisations can trust employees at a time when internal threats (both intentional and non-intentional) represent a significant blind spot in corporate cybersecurity defences.
Yudha Triarianto Wasono, S.H., M.H., Lawyer at SIP Law Firm, and Indonesian member of the PrivacyRules Alliance, set the scene by defining “insider threats.”
“It’s a threat to an organisation caused by a person who has authority or access to the organisation’s system and resources – by employees, contractors or workers dealing with the organisation,” Yudha Triarianto Wasono said.
“There are two types of threat – it can be caused unintentionally, by negligence or lack of awareness. A mistyped email address, for instance, sending sensitive material to an unknown party. Storage devices can be misplaced, also.
“Intentional threats can be considered caused by malicious insiders – if an insider is motivated to behave maliciously because they are dissatisfied in some way, then this can be a threat,” Yudha Triarianto Wasono continued.
Assessing how organisations can decide on employee controls without being overly intrusive, Victoria Guilloit, Partner at Privacy Culture, said:
“I think where possible it’s about measures that are actually going to help the employee. From a privacy and security point of view, it’s about making employees aware of good practice.
“Anything that an organisation can do to help a worker with technical controls so that employees don’t have to think about that next step – an automated question, for instance, asking “Are you sure you want to send this email?”
“Always communicate to your employees what you’re doing and why, so that actions sound reasonable. Using something like a webcam to watch people while they work – that doesn’t sound relevant at all.
“There are things companies can do without making measures feel over onerous on the individual employee.”
Touching upon the increased threat presented by working from home culture, Guilloit said:
“As people have started working remotely, the element of peer review has reduced – talking about risk with others, as we’re not sitting in an office with other people. Of course, this increases threat and risk.”
Noemí Alonso Calvo, Managing Partner/Principal Privacy Consultant at The Privacy ACES, GmbH, said:
“Don’t point fingers at people if things go wrong, but give them the tools and make them feel part of the company’s mission.
“Regarding insider threats – these can also be down to an organisation’s lack of awareness of where threats can come from, lack of software to deal with threats, and lack of communication between departments to tackle these threats.”
The role of privacy in ESG came under scrutiny once again this afternoon at PrivSec Global’s day one, with Marleen Oberheide, CIPP/E, ESG Solutions Engineer at OneTrust, unpacking the motivational issues within the term.
“ESG criteria and ratings are an increasingly popular way for investors, customers, and employees to choose companies they want to work with that are lower risk and align to their beliefs.
“Companies across industries want a framework or methodology to measure their impact and report on ESG. This expands SR and business ethics by emphasizing the impact on the enterprise value (EV) (revenue, brand, etc). Strong regulatory trends are driving ESG, and there’s been a steep rise in the number of global regulatory bodies overseeing ESG implementation (49 in 2010, up to 206 in 2020), according to OneTrust ESG data.
“In terms of what ESG means in relation to privacy, the decisive metric is trust: trust of employees in the organisations, customers, business partners, investors – the reason they do business with you is trust,” Oberheide said.
Establishing strategic drivers of trust, Oberheide detailed the following:
- Competitive differentiation: Differentiate your brand with trust and transparency commitment to customers
- Facilitate rapid digital transformation: Enable agility in digital transformation by embedding real-time “Trust by Design”
- Attract investors: Appeal to investors with new trust & ESG demands
- Simplify compliance: Meet compliance and regulatory obligations
- Improve company culture: Attract and retain top talent who demand organizations take accountability and operate with trust and transparency
In the panel debate that followed, specialists delved into the dreaded “Reply All” pitfall, and offered signposts out of the potential chaos caused by sending an email to the wrong person.
Exploring ways to limit the damage when an email goes to the wrong recipient, Steve Bond, Information Rights Manager, The Open University, said:
“The rise in cloud solutions feeds into helping this – you can share links for documents with the interested parties, as opposed to sending the documents themselves. This means if you do send an email to the wrong person, then they won’t have that access because you also manage access to the document.”
Kristen Pennington, Partner, Privacy & Data Protection, McMillan LLP – Canadian member of the PrivacyRules Alliance, said:
“We know the pandemic has contributed to more emails being sent and more online interaction, this includes externally with clients and customers. We expect this trend to continue as we move to more hybrid arrangements, so simply by definition this increased use will lead to more mistakenly sent email errors.
“Ransomware and phishing attacks have led organisations to identify the need for greater cybersecurity measures, as these kinds of attacks increase. As organisations become more privacy and cybersecurity aware, they’re realising that there are several steps that need to be taken in order to mitigate a breach.”
Offering guidance should the worst happen, Pennington said:
“In terms of steps to take in the event of a breach, if you’re the individual who’s sent the email in error, time is of the essence, so do try to recall the email if possible to stop the email from being opened by the wrong recipient. If you’re successful, then keep records of the steps taken.
“We want employees to internally escalate the matter as soon as possible, if the email is not recalled. The Privacy Officer should then be given key details – specific content, the intended recipient, what was the attachment, was there encryption?
“The Privacy Officer should then assess if there’s personal information involved. If there is, we look at the quantity of that data and the sensitivity of that data. Other factors also might include where the individuals are located and harms that could be incurred as a result.
“In terms of mitigation, organisations should take all steps possible and these will change depending on the circumstances of the breach. You might need to contact those who received the email in error and ask them to delete that email, then confirm deletion of that email.
“You may have a legal obligation to contact individuals whose sensitive details have been exposed. You may have to include steps and guidance that those individuals can follow in order to protect themselves as much as possible. The breach may then have to be reported to the relevant data protection authority, dependent on where you are operating and where your organisation is based.”
“A lot of things have to happen and it all happens quickly if one of these events takes place, which is why it’s essential to have a data breach action plan in place, and it’s important to test policy and procedure for this in a non-urgent exercise, maybe a mock-breach exercise to make sure everyone is on board with what to do.
“Keep adequate records of all the steps you take in the event of a breach. Accurate documentation is essential,” Pennington concluded.
Robert Fleming, CMO, Zivver, said:
“This is a very real problem. Last year I read a report that showed there were 14,000 data leaks in the UK, 50% of which were caused by misdirected emails.
“We have so many data breaches due to this human error, so what can we do? Inherently, legacy email providers such as Microsoft and Google have quite limited functionality in this respect, and it’s led to the emergence of smart technology that catches possible mis-sent email before it’s sent.
“But how smart can these solutions be? In our product, we have contextual error correction before sending that will prompt the sender in the event of potentially sensitive information being sent. It can learn trusted parties.
“With traditional email, you can recall emails but that doesn’t do anything. With our tech, we have a revoke access function, so as long as the email hasn’t been opened, you can revoke access to it. There’s a lot of tech out there that can help, and I think it’s incumbent on tech providers to create solutions to this problem,” Fleming continued.
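The pre-send prompt Guilloit describes (“Are you sure you want to send this email?”) and the contextual error correction Fleming outlines (flag sensitive content going to untrusted parties, keep a list of trusted recipients) can be illustrated with a small outbound check. The following Python is an added example written for this recap; it is not code from any speaker’s product or from PrivSec Global. The trusted-domain list, the sensitive-content detectors, the recipient threshold and the sample messages are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed policy: domains the organisation treats as trusted recipients
# (the "learned trusted parties" idea). Everything else counts as untrusted.
TRUSTED_DOMAINS = {"example.com", "partner.example"}

# Constructed detectors for content whose misdirection would be a reportable breach.
SENSITIVE_PATTERNS = {
    "uk_nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "keyword": re.compile(r"\b(?:confidential|salary|medical record)\b", re.IGNORECASE),
}
# Card-like digit runs are validated with a Luhn check to cut false positives.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\b")

# Constructed threshold: more recipients than this triggers a reply-all warning.
REPLY_ALL_THRESHOLD = 5


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Email:
    sender: str
    recipients: List[str]
    subject: str
    body: str


@dataclass
class Verdict:
    warnings: List[str] = field(default_factory=list)

    @property
    def should_prompt(self) -> bool:
        # The client would show "Are you sure you want to send this email?" when True.
        return bool(self.warnings)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def find_sensitive(text: str) -> List[str]:
    """Names of sensitive-content detectors that fire on the text, sorted."""
    hits = {name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text)}
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.add("card_number")
            break
    return sorted(hits)


def check_before_send(mail: Email) -> Verdict:
    """Pre-send check: sensitive content to untrusted recipients, or reply-all shape."""
    verdict = Verdict()
    sender_domain = domain_of(mail.sender)
    untrusted = [r for r in mail.recipients
                 if domain_of(r) != sender_domain and domain_of(r) not in TRUSTED_DOMAINS]
    sensitive = find_sensitive(mail.subject + "\n" + mail.body)
    if untrusted and sensitive:
        verdict.warnings.append(
            f"sensitive content ({', '.join(sensitive)}) addressed to untrusted recipients: "
            f"{', '.join(untrusted)}")
    if len(mail.recipients) > REPLY_ALL_THRESHOLD:
        verdict.warnings.append(
            f"{len(mail.recipients)} recipients: possible reply-all, confirm the audience")
    return verdict


if __name__ == "__main__":
    # Constructed sample: an internal payroll note with one mistyped external address.
    sample = Email("alice@example.com", ["bob@example.com", "bob@webmail.example"],
                   "Payroll query", "NI number AB123456C, card 4111 1111 1111 1111")
    for w in check_before_send(sample).warnings:
        print("WARN:", w)
```

The check runs on the client side before the message leaves, which is the point both speakers make: a prompt at the moment of sending is cheaper than a recall or a breach notification afterwards. A production version would pull the trusted-domain list from the address book or from a record of previous correspondence rather than a hard-coded set, and would log each prompt so the Privacy Officer has the record-keeping Pennington asks for.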
PrivSec Global day one concluded with a look at understanding risk and associated cyber resilience strategies.
Graham Croock, Co-Founder, nCyriskco, said:
“I think risk and business go hand in hand. But we can’t bury our heads in the sand. There’s an element of fear, doubt and uncertainty in all business people’s vocab. We need to systemise the actual chances of an attack, quantify the chances of it happening, and then act accordingly to ensure there’s return on risk.
“If you over-control any business you’re going to get no return, but then you can’t under control and not be sustainable. You need to balance the equation, taking the right amount of risk and then ensuring sustainability through return on investment,” Croock added.
Defining vigilance within cyber-risk, Croock said:
“It’s time for all businesses to rethink old models and get more in tune with digital transformation and connectivity that’s happening globally, post-pandemic. It’s a matter of when not if, in terms of your business suffering a data breach.
“Without continuous assessment of risks on a real-time basis, businesses are not going to be sustainable unless they actually act fast in the time that these attacks take place.
“Attackers are so much more sophisticated, and now the budget attached to becoming aware of the risks is going up also.”
Fred Streefland, Director Cybersecurity EMEA at Hikvision, advised:
“Make risks your KPIs and you will get results.”
Don’t miss day two at PrivSec Global, where two content-packed livestreams will address the latest talking points, themes and challenges shaping today’s privacy and security landscape at this pivotal time for corporate data protection.