By Jack M. Germain
Feb 4, 2021 4:00 AM PT
Cyberattacks are increasing in frequency, ramping up the data privacy threats they pose to government agencies and businesses alike. Governments both domestic and foreign need to step up efforts to pass legislation that bolsters technological defenses this year, warn privacy groups.
Stiffer privacy laws are gradually being reviewed and signed into the U.S. market. But that process is mostly taking place at the state level.
Meanwhile, cyberattacks present IT experts and legislators with a war on two fronts. The software industry struggles with security issues that make cyberattacks viable. Government officials and business execs struggle with complicated legal issues involving outdated or missing privacy protections.
Bigger and more successful incursions into government, business, and personal computers are common events. Phishing campaigns and ransomware attacks are finding new victims regularly. The situation is much like a game of Whack-a-Mole.
Privacy advocates see better opportunities for privacy laws taking hold as they focus on pushing federal legislators to enact stronger consumer privacy laws in the coming years. These new laws need to pay prime attention to emerging technologies such as artificial intelligence (AI), machine learning (ML), cloud computing, and blockchain.
“I expect increasing regulation, especially when it comes to state laws that focus on sensitive personal data,” says Scott Pink, special counsel in the Silicon Valley office of the international law firm O’Melveny & Myers, and member of the firm’s Data Security and Privacy Group.
Pink regularly advises media and technology companies on how to comply with the current patchwork of state and industry-specific privacy regulations. He believes that 2021 could mark a new era in privacy laws aimed to safeguard a wide array of valuable digital information.
“COVID-19 health data is of immediate concern as we move into the pandemic’s next phase. Governments and health care systems are collecting vast amounts of contact tracing and vaccine-related information. Implementing laws, policies, and procedures to ensure the integrity of that data will be key,” Pink told TechNewsWorld.
Cyberattacks are a significant risk, especially as remote working and the increasing sophistication of phishing and social engineering attacks create more vulnerabilities than ever before, he emphasized. Cyberattacks and their impact on data privacy can severely impact the operations of government agencies, companies, schools, and beyond.
RATs in the Attack Mix
The most prevalent threats lurking in 2021 are RAT infestations. The acronym RAT stands for Remote Access Trojan, a form of malware that allows hackers to control devices remotely.
Once a RAT program is connected to a computer, a hacker can look at local files, acquire login credentials and other personal information, or use the connection to download viruses that can then, unbeknownst to the user, be spread to others.
Remote access intrusions can be problematic, especially with millions of people now working from home, noted Robert Siciliano, cyber social identity protection instructor at ProtectNow.
“Microsoft’s remote desktop protocol and numerous third-party remote access technology services dramatically increase the attack surface for hackers wanting to break into corporate and government networks,” he told TechNewsWorld.
Some of the cyberattacks are based on escalated tactics made available since the pandemic and differ from those seen prior to last year, he noted. Neither corporate America nor local, state, and federal governments saw this coming.
The Cloud Factor Counts Too
Still, hackers are not succeeding strictly by using modern-day, high-tech tactics. Today’s threats are an escalation of existing threat methods that have been around for years and that have been accelerated by even more prevalent use of cloud computing and agile development, according to Naama Ben Dov, associate at YL Ventures, an American-Israeli venture capital firm that specializes in seed-stage cybersecurity investments.
The cloud migration is a big part of the data privacy troubles we are seeing today. Data remains the highest value target for attackers. As such, data theft is the most prevalent threat this year, insisted Eldad Chai, co-founder and CEO of Satori Cyber, a data access and governance firm in Tel Aviv that is one of YL Ventures’ portfolio companies.
“Through access to a corporation’s data, attackers can inflict reputation, legal and operational damages that are disproportional to any other attack vector,” he told TechNewsWorld.
Of course, much of that data is in the cloud. The trend of moving data to the cloud has accelerated over the past years and is now at a record high with the success of platforms such as Snowflake and the boost 2020 provided to cloud migration programs, Chai noted.
“The massive migration of data to the cloud, the democratization of data within an organization, and the work-from-home environment have expanded the attack surface for data and make it extremely hard to operate an effective data protection program,” said Chai.
WFH Also Problematic
The work-from-home scenario has made the hacker’s job so much easier. Attackers follow where their targets go, observed Ben Dov. Right now, more than ever, that data is dangling between home workers’ computers, in-office workspaces, and cloud storage banks.
Conventional wisdom has always been that workers are more productive in an office environment, and when COVID hit, IT managers were mostly unprepared, Siciliano said.
Although some companies deployed tech help to those employees using their own computers and routers at home to address security with devices outside the network, it simply was not enough.
“Work at home devices connecting to company networks with misconfiguration is an IT manager’s greatest fear,” he said.
Too Little, Too Late
For example, in the U.S., existing federal laws such as the Telework Enhancement Act of 2010 never quite anticipated this level of work from home. The federal government is unlikely to make any significant changes anytime soon with so many other life-threatening existential concerns, in Siciliano’s view.
One growing contributor to data privacy incursions is ransomware. But it is an effect, not the cause, of privacy loss. Ransomware ultimately ends up being an effect of a remote access Trojan or similar technology, he noted.
“IT managers must be more proactive with hardware, software configurations, and security awareness training,” said Siciliano about preventing data privacy disclosures.
Shifting Tech Threatens Effectiveness
Among the most prevalent privacy threats we face in 2021 is a reliance on third-party IT services that increasingly displace, or replace, applications historically deployed on-premises, according to YL Ventures’ Ben Dov.
“Like the SolarWinds incident, many supply chain attacks target IT management systems that were in use long before the rise of the cloud. Organizations still depend on these tactics, and this attack will force a rethink of the extent of IT supply-chain exposure,” she told TechNewsWorld.
The same applies to software applications, she continued. Recent years have seen an explosion in the amount of third-party software. This reality makes organizations lose visibility into the risks entailed in being exposed to those third-party components.
That situation will no doubt get worse before it gets better, Ben Dov warned. Data privacy breaches, particularly those involving private data, are increasingly sprawling.
“As long as there is a lack of meaningful technological approaches to identifying and securing data, many leakages are bound to happen,” she said.
Fix What’s Broken
Many existing solutions focus on data governance and adherence to compliance. These goals are important but do not aim at the root of the problem. They are only good to the extent that certain regulations go, according to Ben Dov.
“We need solutions that are able to track and monitor data through an entire lifecycle, in a way which will meaningfully integrate with existing business units of organizations and enable them to execute rather than stifle R&D, sales, and marketing. Security should be a cross-enterprise interest and goal which supports business processes,” she countered.
Currently, lawmakers are mostly focused on our rights as individuals to privacy. While this is welcomed and needed, it overlooks the implementation of privacy programs, and every company has its own way of meeting the privacy requirements, offered Satori Cyber’s Chai.
“Focusing the laws on the outcomes, such as if data is lost you get fined, does not deal with many of the underlying issues in actually protecting individuals’ privacy,” he said.
Chai is not sure it is likely to happen this year. But he hopes that governments will do a better job in defining and standardizing data protection programs in a manner that will guide the industry in implementing effective and sustainable programs.
New Privacy, Security Wrinkles
With adoption of both cloud infrastructure and cloud services (SaaS), more attacks tailored and customized to circumvent the existing guardrails of the cloud will occur. Hackers will seek ways to circumvent cloud authentication mechanisms, suggested Ben Dov.
A related concern involves the trend of companies developing their own in-house applications, becoming their own software company. That opens the door to application-specific attacks, she cautioned.
“Hackers will always choose the easiest path in, and until 2020 exploiting bugs in old operating systems to install malware or social engineering people to install malicious software on their laptops was an easy path in,” added Chai. “With data and servers moving to the cloud, we will eventually see less such attacks and more attacks focused on the cloud environments.”
A key element that needs to be addressed, according to Siciliano, is a lack of concern for the security role employees need to play. That is especially true regarding phishing. Employees need a better understanding of how their ineffectiveness could result in calamity.
“Security awareness training as it pertains to phishing simulation by itself is absolutely not enough and will not solve the problem. The discussion needs to shift from security awareness to security appreciation, and right now most organizations are not doing that,” he complained.
The main gap Chai sees today regarding data security and privacy is that existing solutions are not suited to a model that leverages the legal context of the data. Models for existing data protection tools are mostly black or white: either you have access to the data or you do not, he explained.
However, the privacy and legal context of data is much more complex, he reasoned. A piece of data could be authorized for usage based on the consent given when collecting the data, the geographical location of the data, the size and nature of the data set, the way the data will be used, and a set of other considerations.
“Until the legal and privacy context are integrated into existing models for data protection, we will still be behind,” he said.
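To make the contrast concrete, here is an added toy policy engine (not Satori Cyber’s or any vendor’s code) that puts the black-or-white grant model beside a decision that also weighs the collection consent, the data’s geographic location, the intended use, and the size of the requested result set. The dataset names, roles, regions, purposes, and the aggregation threshold are constructed for the illustration.

```python
# Added illustration, not vendor code: a binary grant check next to a
# context-aware decision that layers consent, geography, purpose and size.
from dataclasses import dataclass


@dataclass(frozen=True)
class DataSet:
    region: str                    # where the data is stored, e.g. "EU"
    consented_purposes: frozenset  # purposes the data subjects agreed to


@dataclass(frozen=True)
class AccessRequest:
    role: str
    dataset: str
    purpose: str
    requester_region: str
    requested_rows: int


# Constructed sample catalogue and role grants (hypothetical names).
DATASETS = {
    "eu_customers": DataSet("EU", frozenset({"billing", "analytics"})),
    "us_customers": DataSet("US", frozenset({"billing", "marketing"})),
}
ROLE_GRANTS = {"analyst": {"eu_customers", "us_customers"}, "intern": set()}
MIN_AGGREGATE_ROWS = 1_000  # smaller analytics outputs risk re-identification


def binary_decision(req: AccessRequest) -> bool:
    """Black-or-white model: you hold a grant on the dataset or you do not."""
    return req.dataset in ROLE_GRANTS.get(req.role, set())


def contextual_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Layer legal and privacy context on the grant; return (allowed, reasons)."""
    reasons = []
    if not binary_decision(req):
        reasons.append("no role grant on dataset")
    ds = DATASETS.get(req.dataset)
    if ds is None:
        return False, reasons + ["unknown dataset"]
    if req.purpose not in ds.consented_purposes:
        reasons.append(f"purpose '{req.purpose}' not covered by collection consent")
    if ds.region == "EU" and req.requester_region != "EU":
        reasons.append("EU-resident data requested from outside the EU")
    if req.purpose == "analytics" and req.requested_rows < MIN_AGGREGATE_ROWS:
        reasons.append("result set too small for aggregate analytics")
    return (not reasons), reasons
```

The same analyst who passes the binary check on every table is turned away by the contextual check as soon as the purpose, region, or result size falls outside what the data was collected for.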
That process will need increased industry-government-academic cooperation and partnerships to share data pertaining to cybersecurity threats. It will also take knowledge about the threats to counter them, added Ben Dov.