{"id":26531,"date":"2022-08-05T15:10:15","date_gmt":"2022-08-05T19:10:15","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=496120"},"modified":"2022-08-08T14:08:04","modified_gmt":"2022-08-08T18:08:04","slug":"cyber-security-today-week-in-review-for-friday-august-5-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-august-5-2022\/","title":{"rendered":"Cyber Security Today, Week in Review for Friday, August 5, 2022"},"content":{"rendered":"<p>Welcome to Cyber Security Today. This is the Week in Review edition for Friday, August 5th, 2022. I\u2019m Howard Solomon, contributing reporter on cybersecurity for <em>ITWorldCanada.com.<\/em><\/p>\n<p><iframe style=\"border: none;\" title=\"Libsyn Player\" src=\"https:\/\/html5-player.libsyn.com\/embed\/episode\/id\/23900523\/height\/90\/theme\/custom\/thumbnail\/yes\/direction\/forward\/render-playlist\/no\/custom-color\/000000\/\" width=\"100%\" height=\"90\" scrolling=\"no\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<table style=\"width: 100%;\">\n<tbody>\n<tr>\n<td><a href=\"https:\/\/www.amazon.com\/ITWC-Cyber-Security-Today\/dp\/B07BRNG89P\/ref=sr_1_1?s=digital-skills&amp;ie=UTF8&amp;qid=1522688435\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-396718 size-full\" src=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2017\/09\/sub-alexa-200.png\" alt=\"Cyber Security Today on Amazon Alexa\" width=\"200\" height=\"74\" border=\"none\"><\/a><\/td>\n<td><a href=\"https:\/\/www.google.com\/podcasts?feed=aHR0cDovL2N5YmVyc2VjdXJpdHl0b2RheS5saWJzeW4uY29tL3Jzcw%3D%3D\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" loading=\"lazy\" class=\"thumbnail aligncenter wp-image-408712 size-full\" src=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2018\/09\/sub-gp-200.png\" alt=\"Cyber Security Today on Google Podcasts\" width=\"200\" 
height=\"74\"><\/a><\/td>\n<td><a href=\"https:\/\/itunes.apple.com\/ca\/podcast\/cyber-security-today\/id1363182054\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-396720 size-full\" src=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2017\/09\/sub-itunes-200.png\" alt=\"Subscribe to Cyber Security Today on Apple Podcasts\" width=\"200\" height=\"74\" border=\"none\"><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>I\u2019m off this week so there won\u2019t be the usual review of news highlights with a guest commentator. Instead we\u2019re presenting a repeat interview with privacy expert Ann Cavoukian. A privacy strategy is a vital component of any organization and her insight should be considered by the C-suite.<\/p>\n<p>A former Information and Privacy Commissioner for the province of Ontario, she\u2019s best known for creating the <a href=\"https:\/\/www.ipc.on.ca\/wp-content\/uploads\/resources\/7foundationalprinciples.pdf\" rel=\"noopener\">Privacy by Design framework.<\/a> It calls for privacy to be taken into account throughout an organization\u2019s entire IT and operating processes to protect personal and financial information. Privacy by Design has been adopted by numerous companies and countries. 
It\u2019s a fundamental obligation of firms coming under the European Union\u2019s <a href=\"https:\/\/www.itworldcanada.com\/article\/gdpr-advice-to-canadian-firms-chill-out-but-get-working-on-it\/405631\" rel=\"noopener\">General Data Protection Regulation.<\/a><\/p>\n<p>Currently, Ann is the executive director of the Toronto-based <a href=\"https:\/\/gpsbydesign.org\/\" rel=\"noopener\">Global Privacy and Security by Design Centre,<\/a> a senior fellow of the Ted Rogers Leadership Centre at Ryerson University and a faculty fellow of the Center for Law, Science and Innovation at the Sandra Day O\u2019Connor College of Law at Arizona State University.<\/p>\n<p>I started by asking Ann to describe her work at the Global Privacy and Security by Design Centre.<\/p>\n<p><strong>Ann Cavoukian:<\/strong> There is so much interest in privacy these days and my messaging has always been you can\u2019t just look at privacy. You have to look at privacy and security together. They complement each other. Instead of thinking of one versus the other, or some kind of \u2018zero-sum either-or model,\u2019 get rid of that dated view and create a web of both privacy and security intertwined. It\u2019s very important to protect your data.<\/p>\n<p><strong>Howard:<\/strong> So you see privacy and cybersecurity as intertwined.<\/p>\n<p><strong>Ann:<\/strong> Absolutely. You know why? The term privacy subsumes a much broader set of protections than security alone. In this day and age of daily phishing and hacking, if you don\u2019t have a strong foundation of security from end to end with full life cycle protection you\u2019re not going to have any privacy. So you have to address both.<\/p>\n<p><strong>Howard:<\/strong> The center will certify organizations. Tell us about the certification process, what it means and why it\u2019s important for an organization to be certified.<\/p>\n<p><strong>Ann:<\/strong> I work with KPMG on the certifications for Privacy by Design. 
And the reason it\u2019s important and why so many companies are coming forward is there is such a trust deficit now. People don\u2019t trust companies. They don\u2019t trust anybody, understandably. When you are certified for Privacy by Design it is the highest level of protection you can extend to your customers, and people get this. They\u2019re looking for it. So I tell companies who come to us to be certified so that they can demonstrate to their customers the lengths they\u2019re going to protect their privacy. Shout it from the rooftops, put it on your website, go to great lengths to tell your customers the lengths you\u2019re going to protect their privacy. They love it. It builds trust like no other and it restores trusted business relationships with your customers. Which is out the door for the most part.<\/p>\n<p><strong>Howard:<\/strong> I asked you to be on this particular episode because today [January 28th] is Data Privacy Day. What does that mean to you? What should organizations be doing today and thinking about in terms of their privacy strategy, their privacy policies?<\/p>\n<p><strong>Ann:<\/strong> I remember years ago when I was [Ontario\u2019s] privacy commissioner when we first established Data Privacy Day globally on January 28th. It\u2019s so important because what it tells to businesses, and, hopefully, governments, is people care deeply about privacy. You have to go these days to great lengths to ensure the protection of your data and your privacy because surveillance is mounting. It\u2019s everywhere and it\u2019s just unprecedented, the amount of surveillance that is taking place. So Data Privacy Day has taken on a new focus globally to remind people and companies \u2014 and especially governments \u2014 you have to protect people\u2019s privacy all the time. You don\u2019t just do it when you feel like doing it or you think there\u2019s some vested interest for you. You have to do it on a regular basis and you have to embed it. 
That\u2019s what Privacy by Design is all about \u2014 embed it deeply into your operations, bake it into the code so that people can\u2019t forget about it. It\u2019s always present. People are demanding this. They deserve it. Privacy forms the foundation of our freedom. If you don\u2019t have strong privacy you\u2019re not going to have a free and open society. So it\u2019s absolutely critical to preserve our freedom. People have to be the ones to decide how their personal information is used and to whom it\u2019s disclosed. This is essential.<\/p>\n<p><strong>Howard:<\/strong> How often do you hear leaders of organizations say, \u2018I have to be more concerned about revenue and profit than privacy and security.\u2019<\/p>\n<p><strong>Ann:<\/strong> I do a lot of public speaking. I speak to a lot of boards of directors and businesses and whenever I come into the boardroom people are shaking their heads. They think I\u2019m going to shut down their business. And I say, give me 10 minutes, let me tell you how Privacy by Design will actually increase your operations, your revenue generation, will attract more customers. And then I get their attention. And I say it\u2019s not privacy versus what you\u2019re doing, versus your operations. We know you have to generate revenue. But you can do it better if you embed privacy into the process because it will attract more customers to your operations. It will retain the customers you have and preserve their loyalty. It can\u2019t be business interests versus privacy. You have to get rid of that model. It has to be both. So when you go to great lengths to protect your customers\u2019 privacy and let them know what you\u2019re doing they will come to you in droves. They will stay with you. They will attract other customers. 
It is essential to extend the privacy protection that you\u2019re offering at your company and that will increase your revenues, not the opposite.<\/p>\n<p><strong>Howard:<\/strong> Let me ask the same question in a different way: How often do you hear data privacy officers or IT leaders complain that their management is more concerned about revenue than privacy and security?<\/p>\n<p><strong>Ann:<\/strong> Unfortunately, too often. This is a steep hill and I\u2019m not suggesting we\u2019re there though there are hundreds of companies that have become certified for Privacy by Design. We should have thousands of companies. So yes, it takes time to get this view across to everyone. Increasingly I\u2019m getting more and more contacts and requests to speak to companies because they\u2019re seeing how much people are demanding this. They\u2019ve had it with companies who abuse their information, who make it available to third parties for purposes that are not authorized, that have not been consented to. So if you want to retain your customers and attract new opportunities, lead by telling them the lengths you\u2019re going to preserve their privacy. They will reward you with repeat business and you will gain a competitive advantage by doing so.<\/p>\n<p><strong>Howard:<\/strong> What\u2019s your most convincing argument for getting business leaders to accept Privacy by Design? Do you have a case study?<\/p>\n<p><strong>Ann:<\/strong> I point them to examples where the lack of privacy has led actually to companies shutting down, where people have just walked away from it. I remember Target stores a number of years ago. They opened Target branches in Canada, and this is great because I love Target. I shop there in the \u2018states and I was so pleased that they had it here in Canada now. 
But a number of years ago <a href=\"https:\/\/www.itworldcanada.com\/post\/stunning-details-in-target-attack-emerge\" rel=\"noopener\">it had a major data breach.<\/a> The <a href=\"https:\/\/www.itworldcanada.com\/article\/a-lesson-from-the-target-breach-act-fast-or-be-fired\/375059\" rel=\"noopener\">CIO of Target in the United States resigned.<\/a> They were appalled at how much information went out the door \u2026 It shut down all of the Target stores in Canada. They [customers] heard about the data breach and they were going elsewhere. So that\u2019s just one example of how damaging this can be to your business if you don\u2019t take privacy seriously.<\/p>\n<p>[Reporter\u2019s note: There have been <a href=\"https:\/\/archive.canadianbusiness.com\/the-last-days-of-target-canada\/\" rel=\"noopener\">news articles saying the failure in Canada of Target was due to supply chain failures<\/a>]<\/p>\n<p><strong>Howard<\/strong>: Do organizations still collect too much personal data? They\u2019ll tell you they need to know their customers. And because they need to know how many men and how many women and how many from this demographic age group and how many from this part of the country they need to collect it.<\/p>\n<p><strong>Ann:<\/strong> They do collect too much in personally identifiable form. What I say to companies is, you want all that information? I understand that. Strip the personal identifiers securely from your data because then you\u2019ll have data but you won\u2019t have privacy risks. So you have to use strong de-identification protocols combined with the risk of re-identification framework. Then you dramatically minimize your risk of re-identification to less than 0.05 five percent. 
Then you\u2019re free to use the data for purposes like you described for research and understanding your operations, but you can\u2019t use that data in personally identifiable form.<\/p>\n<p>Encryption is such an amazing tool, especially if you encrypt your data. You can have tons of valuable data that will not be at risk because no one else can gain access to it. It\u2019s encrypted. You\u2019re the only one who has the key.<\/p>\n<p><strong>Howard:<\/strong> It\u2019s a valuable defence in ransomware attacks where they use the double extortion technique, where not only do attackers scramble the corporate data, they first steal a whole bunch of it and then they blackmail the organization: If you don\u2019t pay us for the decryption key we\u2019re going to release your data. Well, if data has been encrypted it doesn\u2019t matter that the thieves steal it.<\/p>\n<p><strong>Ann:<\/strong> Exactly, because what they\u2019ve stolen will be of no value to them in terms of gaining access to personal information.<\/p>\n<p><strong>Howard:<\/strong> A couple of years ago there was a <a href=\"https:\/\/www.itworldcanada.com\/article\/breaking-desjardins-at-fault-for-huge-data-breach-say-privacy-commissioners\/439581\" rel=\"noopener\">data theft from the Desjardins credit union<\/a>. The data of 9.7 million customers was stolen, unfortunately by an employee. But data of about 4 million of those were former bank customers whose accounts had expired, but the bank kept the data. Again, perhaps legitimately, the bank wanted to keep their names and addresses so they could send \u2018Hey, come on back to us\u2019 messages. But I think there\u2019s a perfect example of how holding unencrypted data can hurt an organization.<\/p>\n<p><strong>Ann:<\/strong> Exactly. Why were they holding onto the data of 4 million customers who already left? That is appalling. 
These are the examples we have to give to companies that retaining data that you no longer need is not a good idea. If you no longer need the data, delete it securely. Give your customers that ease of knowing that their information is no longer at risk, and give yourself the benefit of saying, \u2018I don\u2019t have to worry about that anymore.\u2019<\/p>\n<p><strong>Howard:<\/strong> We\u2019ve talked about protecting data and not collecting more personal data than necessary. What about making corporate data collection policies simpler for consumers so they can read a relatively short description of what information is collected and how it\u2019s going to be used and how partners are accessing it. Then the consumer better understands what an organization\u2019s privacy policy is.<\/p>\n<p><strong>Ann:<\/strong> That is so important. When you tell people to read a five-page policy, forget it. No one\u2019s going to do that. You have to keep it very, very simple. And it can be as simple as, \u2018We use your information for this purpose, and that\u2019s it.\u2019 If there\u2019s more things, you say so. You have to keep it simple so people can accept it. They can give their authorization, their consent to it. It\u2019s very important to involve your customer in what you\u2019re doing. Don\u2019t expect them to read reams of information and your policy. Nobody does that, and it\u2019s not because people don\u2019t care. Concern for privacy is at an all-time high. In the past two years all of the public opinion polls have come in at the 90 percentile for privacy concerns. Get rid of these stupid long privacy policies no one\u2019s going to read. 
Just have little points that identify exactly what you\u2019re going to be doing with their information.<\/p>\n<p><strong>Howard:<\/strong> Before closing I want to encourage IT and business leaders to read some of the decisions of the Canadian federal and provincial privacy commissioners on why organizations have violated their respective privacy laws, as well as their investigations of major data breaches. In the U.S. there will be reports from some state authorities. They\u2019re very informative.<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-august-5-2022\/496120\">Cyber Security Today, Week in Review for Friday, August 5, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features an interview with privacy expert Ann<\/p>\n","protected":false},"author":17,"featured_media":20709,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,361,16],"tags":[389],"class_list":["post-26531","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-podcasts","category-privacy","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/26531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=26531"}],"version-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/26531\/revisions"}],"
predecessor-version":[{"id":26628,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/26531\/revisions\/26628"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media\/20709"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=26531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=26531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=26531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}