Data Privacy Day: what to expect in 2023


Just weeks into the year, T-Mobile, PayPal and MailChimp have all announced significant data breaches. Meanwhile, at the grassroots, experts (undoubtedly on both the blue and red teams) are exploring what role ChatGPT will play for cybercriminals in the year ahead.

To better understand the key threats and trends that will define the year, we reached out to experts from the fields of cybersecurity, risk and data to share their thoughts for Data Privacy Day:

Jonathan Wood, CEO of C2 

“Businesses and consumers alike need to heighten their vigilance for phishing and social engineering attacks generated by ChatGPT that put Private Personal Information at risk. There are certain barriers that have been introduced to prevent highly personalised content generation, for example not allowing you to input someone’s LinkedIn Profile. However, a strong persona built from the data harvested from such a profile would have much the same effect. Such a persona coupled with a common hypothetical situation, like an email from an employee apologising to a senior stakeholder for a mistake or from a customer service representative from a trusted supplier, could generate highly convincing phishing messages for those specific scenarios to up attackers’ success rate of accessing sensitive data.”

Glen Hymers, Head of Data Privacy & Compliance and Information Assurance, at Cabinet Office Digital

“Data protection is of the utmost importance in a public sector environment! We are entrusted with all aspects of information including very sensitive information about individuals; as such, we have a legal responsibility under the various pieces of legislation here in the UK to protect it. Not only that, we need to protect our citizens from breaches which can cause suffering and detriment such as identity theft, financial loss, and damage to their reputation. In the case of a government organisation, a data breach can also compromise national security and undermine the trust of the public in our ability to protect their data. However, we have a greater moral imperative: as government organisations, we have a duty to serve the public and act in their best interests. Protecting their personal data is an important part of this, and it is our responsibility to do everything in our power to keep it safe.”

Jordan Giddings, Non-Executive Director at Met Office 

“A holistic approach to data privacy drives trust through the supply chain, increases business agility, delivers velocity and ultimately can help define an organisation as a partner of choice. In today’s competitive market, it is not an option for suppliers to sidestep taking stringent data privacy measures, as it is too great a priority to businesses. Implementing the right governance and assurance controls, for instance through a risk management platform, will help suppliers stand out in a selection process.”

Luke Beeson, Group CISO at Aviva

“As enterprises increasingly look to external partners to support the delivery of products and services, it’s imperative that data security is front and centre of these partnerships. While many providers will naturally be looking at areas where they can make cost savings in the current climate, cutbacks on cybersecurity defences will ultimately increase their risk profile. Indeed, thriving as a trusted partner in the digital economy ultimately comes down to better controls to minimise risk.”

Andreas Wuchner, former global CISO and cyber security advisor

“With DORA coming into force earlier this week, financial services companies – from banks and insurers, to crypto wallets – should start planning for how they will meet the new level of digital operational resilience required by this EU directive. The new requirements on incident management will be critical in helping companies quickly respond to threats, as well as in understanding what information has potentially been compromised, so they can take quick steps towards minimising any risk to their clients or customers’ data. With security breaches rife in the financial industry in 2022, from Revolut to, companies should not sit on their hands then later rush to meet the 2025 deadline for DORA. Instead, we need to encourage them to implement the measures required by the new directive today to better protect their and their customers’ data.”

Andy Palmer, Co-Founder & CEO of Tamr 

“Across the industry, there is strong consensus that data privacy and security is more important than ever before. No company can afford the devastating reputational harm that results from a data breach or the steep fines associated with non-compliance to privacy regulations. But even though organizations acknowledge the importance of data privacy and security, today, many organizations are still not appropriately investing in it. This year, we’ll see organisations begin to realize that they need greater focus – and more budget – to ensure they remain in compliance and can realize value from the promise that their data holds.”

Jonathan Wright, Director of Products and Operations at Global Cloud Xchange 

“Changes in the cybersecurity insurance market driven by the continued stretching of actuarial predictability over the scale and impact of cyberattacks mean that security leaders need to be able to show that they are taking a dynamic approach to managing their security posture. Insurers will only cover you when they are confident that the house will win. And showing that you have the capabilities to proactively monitor who has access to what, which patches have been applied, and which accounts have been compromised, among other measures, will give them the confidence that you are able to dynamically manage your IT environment and ultimately lowers their risk when providing insurance.”

Max Buchan, Founder and CEO of Worldr 

“Followed by the pandemic, the mass adoption of flexible working has radically increased our reliance on communications and collaboration platforms such as Microsoft Teams, WhatsApp and Slack. Companies rightfully want to encourage their team members to collaborate using these tools; however, with the varying data privacy laws and regulations globally, it has become extremely challenging for businesses to balance data governance with their strategic objectives. Today, about 70% of countries have legislation in place for protecting data, and in most cases, firms also have the responsibility to comply with the local data and privacy laws of the jurisdictions where their customers are located. Mitigating potential risks of privacy and breach becomes a key priority for companies that operate in these highly complex and globalized environments. That is why helping companies retain ownership of and secure the data shared across communication platforms is so important. I think one of the biggest vectors of risk when it comes to being a multi-jurisdictional organisation is around how you communicate and share sensitive information. Implementing solutions that empower companies to own their data ensures the opportunity for data sovereignty and significantly limits their privacy risk.”