The National Cybersecurity Alliance has designated January 21-27 Data Privacy Week. With that in mind, it’s time to reflect on how MSSPs can use that information in conversations with customers and take a deeper look at the trends around data privacy and data loss protection.
Data Privacy Week is aimed mostly at consumers, not businesses. But each individual inside a business is a consumer. As MSSPs and MSPs educate consumers on proper security hygiene and recognizing attack attempts, they also may be helping those same individuals be more aware of how to protect themselves online personally.
MSSPs, Cybersecurity Vendors Help Drive Home the Impact of Data Privacy
Mike Saylor, founder and CEO of MSSP Blackswan Cybersecurity, regards Data Privacy Week as an opportunity for MSSPs to assist client organizations with their cybersecurity awareness, which, he says, “couldn’t happen often enough.”
“The first and most important task is to understand your data, how it is used, where it resides and who has access to it, including your service providers,” Saylor told MSSP Alert. “Do not assume that service providers — or even your internal IT department in some cases — understand the value and sensitivity of your data. Collaborating, educating, verifying, and monitoring are the keys to a successful data privacy partnership.”
Offering a call to action, Aimei Wei, chief technology officer and founder of Stellar Cyber, an open eXtended detection and response (XDR) specialist, emphasized that Data Privacy Week is a “poignant reminder” that businesses must adhere to stringent data protection regulations. Moreover, the week allows MSSPs to showcase their commitment to safeguarding sensitive information.
“This is a great opportunity for MSSPs to educate their clients on the latest security protocols, build trust through robust cybersecurity measures and capitalize on emerging business opportunities,” Wei said. “In a digital landscape rife with challenges, Data Privacy Week propels MSSPs to the forefront of data protection, showcasing their resilience in the face of relentless cyber adversaries.”
Putting the week into perspective, Bhagwat Swaroop, president of Digital Security Solutions at identity vendor Entrust, said:
“Data Privacy Week is a great reminder for organizations that privacy is personal. The so-called conflict between ‘seamless user experience’ and security is over. The only answer is that security has to be welcomed as part of the experience. Breaches affect our livelihoods, reputations and families, so a little friction is a feature, not a bug.”
AI’s Impact on Data Privacy: the Good, the Bad, the Unknown
When it comes to data protection, there’s another new tool that may tempt even the smartest professionals to let down their guard. We’re talking about generative AI applications such as ChatGPT. Several instances have been documented of individuals entering corporate data into these AI tools to generate a result. But once these tools have your data, it can become part of the tools’ training algorithm. Your private corporate data is no longer private.
Nick Edwards, vice president of Product Management at Menlo Security, warns that the explosion of generative AI, following the launch of ChatGPT in November 2022, has opened a world of new risks and data privacy concerns.
“Companies must be aware of how these tools can potentially compromise or expose sensitive data,” Edwards said. “By nature, they pose a significant security risk, especially when employees inadvertently input corporate data into the platforms. When data is entered within these models, that data is used to further train the model to be more accurate.”
Edwards offers a real-world example, explaining that in May 2023 a group of Samsung engineers input proprietary source code into ChatGPT to see if the code for a new capability could be made more efficient. Because of the model’s self-training ability, the Samsung source code could now be used to formulate responses to requests from other users outside of Samsung. In response, Samsung banned ChatGPT.
“Our own team of researchers at Menlo Security,” says Edwards, “found more than 10,000 incidents of file uploads into generative AI platforms including ChatGPT, Microsoft Bing, and Google Bard, and 3,400 instances of blocked ‘copy and paste’ attempts by employees due to company policies around the circulation of sensitive information.”
To prevent similar data leaks, he advises training employees on how to use these platforms securely. And that brings us to zero trust, which has become a staple of the security industry. Zero trust assumes that every request for access is a potential threat, and it requires organizations to continuously monitor and validate that a user and their device have the correct privileges and attributes.
Emerging Tech Poised to Disrupt Data Protection
Another new technology is on the horizon that could also disrupt the cybersecurity and data protections organizations have in place today. As Philip George, executive technical strategist at MSSP Merlin Cyber, reminds us, today’s data encryption standards will be ineffective against advanced decryption techniques fueled by cryptographically relevant quantum computers.
“Although commercial quantum computers exist today, they have yet to achieve the projected computational scale necessary for cryptographic relevancy,” he said. “However, this reality may change quickly, considering the continued investment by nation states and private sector alike. Coupled with the growing application of ML/AI in the areas of research and development, the potential for more breakthrough developments in quantum computing remains high.”
The Risk to Mobile Data
Krishna Vishnubhotla, vice president of Product Strategy at Zimperium, a specialist in mobile security, warns of the risks to data on mobile devices. He cites the Zimperium 2023 Global Mobile Threat Report, which showed that 80% of phishing sites now either specifically target mobile devices or are built to function on both mobile devices and desktops. The average user is now 6-10 times more likely to fall for an SMS phishing attack than an email-based one. And it’s not just a consumer threat.
“As we know in today’s workplace, particularly following COVID, many of us are working from home, or working from anywhere,” Vishnubhotla said. “We have clearly seen employees working on personal mobile devices that are accessing all the same data that they were previously accessing via corporate devices. It’s the organization’s duty to protect the data that’s being accessed at all times while at the same time ensuring privacy for the user on the personal device.”
Today, multi-factor authentication (MFA) is considered an essential tool to ensure mobile device cybersecurity as well as API security. More recently, however, MFA has become yet another attack vector.
As Manu Singh, vice president of Risk Engineering at cyber insurer Cowbell, attests, “In today’s threat landscape, we are seeing the continued evolution and sophistication of cyberattack techniques and tactics, including bad actors circumventing MFA and accessing offline backup systems.”
As bad actors find these new attack vectors, it’s up to MSSPs and other cybersecurity pros to continue to ensure data loss protection and data privacy.
“What the industry previously considered ironclad defenses simply aren’t anymore,” Singh said.
Now that we’ve heard from the experts, it’s your turn to reinforce the imperative of keeping your customers, vendors, end-users, even yourselves, cyber safe and live the Data Privacy Week theme: “Take Control of Your Data.”