Data privacy - Not a prerogative but a prerequisite

By Shrikant Shitole, Managing Director, India, Symantec

In today’s interconnected world, data is increasingly becoming the currency that connects individuals, enterprises and Governments. As the fuel that’s powering our world – data and information is linked to individuals and their rights. Data lives in our critical infrastructure that runs our economy and its value has soared enabling economic growth and prosperity. Data also plays a powerful role in national security and protecting it is becoming a fundamental human right.

The importance of data is being driven by four technology megatrends: Smartphones and tablets; cloud computing; social networking; and the emerging internet of things, especially the potential of connectivity of critical infrastructure – from electricity grids to transport and water supplies. At the same time, with the volumes of data being created in today’s hyper-connected world, it is no longer a question of, if you will be attacked—but when. In this scenario, while at one hand access to information is a given, keeping the information private and confidential can no longer be an after-thought. As many countries observed the Privacy Awareness Week (PAW), an initiative of the Asia Pacific Privacy Authorities forum (APPA) to promote awareness of privacy issues in the past week, the time is now to take cognizance of what we know about protecting our data and treating Data Privacy as a Prerequisite.

2014 saw reports of hackers stealing 1.2 billion internet credentials, including usernames and passwords along with millions of e-mail addresses. While the ripples of this hack may not have reached many of us, we are not immune from bearing the brunt of the attacks given the captive user-base in the country. Not surprising that according to the Symantec Internet Security Threat Report (ISTR), India ranks number 3 in overall global detections for malicious activity.

Cyber-attacks and data leaks undermine our confidence in technology that enables information sharing, in the infrastructure, in the quality of our data and ultimately impact in real world situations and values. Understanding the gravity of situation, while activists have positioned internet privacy as important as ‘human rights’, even the  government is taking measures to make the rules more stringent (The Information Technology Amendment Act 2008). 

India Online: Connected yet Vulnerable

India of today, whether an individual, the government or an organization, is riding the digital wave which makes data privacy and information protection relevant for each one of us. Frivolous access of your data may result in anything from minor inconveniences to loss of reputation, money and much worse.

At an enterprise, the three most prevalent types of data breaches can come from well-intentioned yet uninformed employees, malicious internal employees and external targeted attacks. In the case of well-intentioned employees, they may inadvertently violate security policies by accessing social media and personal email while at work; platforms which are popular distribution pathways for malware and phishing campaigns. These expose the vulnerabilities and hence become an easy catch for targeted attacks from outside sources. Malicious or disgruntled employees can attempt to steal and distribute data for personal gain.

Targeted attacks from outside sources are typically carried out in four ways: exploiting system vulnerabilities, hacking weak passwords, SQL injections and targeted malware. The Symantec ISTR highlighted how cyberattackers have been infiltrating networks and evading detection by hijacking the infrastructure of major corporations and using it against them. They have been trojanizing software updates and breaching networks with highly-targeted spear-phishing attacks. In fact, they have been taking advantage of companies’ management tools and procedures to move stolen IP around the corporate network before exfiltration.

The ISTR revealed that last year India saw a rise in targeted attacks aimed at businesses dealing with critical infrastructure. Symantec saw an increase in the number of attacks on key sectors such as financial services (17.1 percent; up from 11.1 percent in 2013), transportation and communications (4.4 percent; up from .8 percent in 2013). Rise in such attacks impact not just the organizations, but also end users.

Making Data Accessible, Private & Secure

The border less nature of information over the Internet complicates online privacy, as individual's data is subjected to different levels of protection depending on which jurisdiction it is residing in. Owing to the understanding amongst enterprises and consumers that their data holds value, data privacy is becoming a concern increasingly. Providers of technology should pay more attention to this aspect. To ensure better data privacy practices, organizations should analyze the data, embed security within the value chain and regularly communicate with their customers to replicate the best practices for data protection. It is time to move beyond antivirus because these distinct threats require advanced security, including at the device-level, which will render malware useless because it won’t be allowed to run on the device or on the network. Disposing old technology, keeping the software updated, constructing and implementing a data breach response plan and educating employees to recognize threats are the security 101’s that enterprises should bear in mind. Choosing reputable, experienced thought leaders as partners in conceiving such complex deployments is an important step in safeguarding an the data of an organization and users.

The old models for data security - a castle and moat approach to ring-fence valuable information has become irrelevant because the perimeter of defense has become elastic. Prevalent technology trends – social, mobility, IoT, offer huge opportunities - enriching our lives, empowering our work, offering huge economic potential; enterprises have to be vigilant in analyzing and curbing the threats they might pose. We have to tackle these issues head on, and find resolutions posed by the challenges to protecting information - whether we are consumers, companies or in government. As we do so, we have to strike the right balance between usability, regulation and corporate transparency, as well as between security and privacy.