As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Debbie Reynolds.
Debbie Reynolds, “The Data Diva,” is a technologist, thought-leader, and advisor to Multinational Organizations for handling global Data Privacy, Cyber Data Breach response, and complex cross-functional data-driven projects. Ms. Reynolds is an internationally published author, highly sought speaker, and top media presence about global Data Privacy, Data Protection, and Emerging Technology issues.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
My mother was a nurse who was extraordinarily kind and compassionate, and my father was a brilliant mechanic who could fix anything from cars to aircraft engines. Education was a top priority for my parents, and I did a lot of learning inside and outside the classroom. As a child, in addition to my school work, my parents had me read the newspaper every day. I would read extracurricular books during the week about many topics, including art, philosophy, and literature. Some of my favorite memories were going to the library on weekends to explore even more books. Although I did not realize it at the time, my parents filled my days with learning, which positively affected my life.
Is there a particular story that inspired you to pursue a career in Cybersecurity? We’d love to hear it.
Two stories in my life inspired me to pursue my current career in technology. After college, I became fascinated by computers, and I taught myself to use them. I read every book I could find and practiced on the computer I purchased until I understood its operation and how it could manage data. Around that time, as a favor to a friend, I jumped at the opportunity to assist a university library with a digital transformation project by creating databases of media collections previously maintained using paper records. I fell in love with data and was fascinated with data flows.
Around the same time, my mother read a book called “The Right To Privacy” by Caroline Kennedy and Ellen Alderman. She found the book so interesting that I read it too. I was fascinated by contemplating what is private and what is not private in the U.S. according to the law. After reading this book, I was on a mission to learn as much as I could about privacy regulations in the U.S. and around the world. So over the past few decades, I have had a front-row seat watching technology advances while also imagining the impact emerging technology has on data privacy issues because of the digital age. I had no idea that I would now have a successful business where I advise leading firms and organizations worldwide on technology and data privacy issues.
Can you share the most interesting story that happened to you since you began this fascinating career?
Around 2014, I was closely monitoring the regulatory framework the European Union was developing called the General Data Protection Regulation (GDPR). I knew that, once this regulation became enforced law in 2018, it would have a tremendous impact on companies and countries around the world and make Data Privacy a C-Suite priority. I began speaking at conferences and writing about data privacy and data protection topics for many years. To my surprise, in 2015, a lawyer from a Fortune 100 Company took notice and invited me to speak to her corporate law department about the GDPR, data challenges, and how it could affect corporate litigation. My plans must have worked well because out of the blue, in May of 2018, a producer from PBS asked me to do a live television interview about the GDPR. People on six continents have viewed that PBS interview, and people still watch it and contact me about that interview.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
The particular people I am grateful to who helped me get where I am are my parents. My mother taught me to be a thinker and always to be curious to learn more throughout my life. My mother was always curious about the world and different ways of doing things, which taught me to be creative in how I look at the world. My father taught me to be fascinated with the extraordinarily challenging problem that would help me achieve great things. For me, solving complex issues feels like I have climbed and conquered Mount Everest. I love that feeling.
Are you working on any exciting new projects now? How do you think that will help people?
I am working on some exciting projects that will enable companies to use biometrics to tie digital identities to humans, massively reducing consumer fraud and identity theft. These systems must be developed and implemented to respect individuals’ privacy rights around the world. As we know, passwords can be breached or stolen, but what if companies could have a way to identify that a person is who they say they are without a doubt? These systems will also help countries that do not currently have robust identity systems, help people who previously could not do banking, and reduce fraud.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
The advice I would give to colleagues to help them thrive and not burn out is to not waste time worrying and to get some rest. I taught myself a relaxation method in college that still helps me significantly today. I used to worry and not be able to sleep at night because my mind would be racing. I got tired of being fatigued during the day, so I decided that, at bedtime, I would take off my worries like I was taking off an old coat and lay it down so that I could sleep. I realized that worrying did not improve my problems, it only made them worse, so I clear my mind and go to sleep like I have no worries. I can pick up those concerns again in the morning, but I get a great night’s sleep. It works for me.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Cybersecurity and Data Privacy have a symbiotic relationship and work together. Cybersecurity involves protecting systems and data, while Data Privacy is about finding ways to protect individuals’ rights for companies who handle their data. The analogy I like to make is comparing Cybersecurity and Data Privacy to protecting a Bank. Cybersecurity is about protecting the outside and inside of the bank. Cybersecurity can protect the logins, accounts, money, technology, and information in the bank. Data Privacy is about what is in the vault and why. Not all data has the same privacy rights, so Data Privacy is all about the rights attached to the vault’s data and how companies deal with that data.
The three things that excite me about the Cybersecurity industry are:
1 — Cybersecurity is vital for businesses. Organizations large and small need Cybersecurity to thrive. The goal should always be to right-size your Cybersecurity posture to meet your business needs. As companies change and grow, Cybersecurity maturity and stature should also change and grow.
2 — Cybersecurity is proactive, not just reactive. Unfortunately, some companies will not take Cybersecurity seriously until they experience a loss like a system outage or an incident like a data breach. Although Cybersecurity professionals can help companies in these emergencies, it is far better to engage these professionals to keep your data safer and educate the company.
3 — Cybersecurity applies to everyone in the organization. No matter what position someone holds in any organization, they all have their part to play in the cybersecurity program’s success. Every link in the cybersecurity chain is essential.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The critical threats on the horizon that companies should prepare for relate to Covid-19. Due to Covid-19, companies are now dealing with an unprecedented situation where data about employees’ health is being collected at work. Having new data collected like thermometer checks, infrared cameras, and apps that collect health information will create a need to have even more controls and safeguards to protect this data’s sensitive nature. Since health or other biometric data may have additional laws protecting the data, it will be necessary for companies to be transparent about what they collect about employees and establish a time frame for deleting this data once it is no longer needed for the business.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
In many organizations, some senior-level executives often have too much access to data and systems. Sometimes this is because the person may have been promoted within the company, and as they move up, they inherit more rights and keep the same previous rights they may no longer need. Also, executives may have other people checking email or accessing their systems. Hackers love to target executives for this reason. There was a breach situation in which sensitive accounts were accessed. We first checked the executives’ accounts with too much access, and the breach was found and resolved quickly. The company now has a standard to follow for people who get promoted to reevaluate their data system access.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
I use four types of cybersecurity tools that I recommend for every company and individual. The four tools are Firewalls, Antivirus, Anti-Spyware, and Password Management. Firewalls protect against unauthorized access to your network or computer; Antivirus helps block and remove viruses from your computer systems; Anti-Spyware detects any malicious applications that may damage or take data from your systems; Password managers help users secure passwords and log in securely to systems. Businesses should engage a cybersecurity professional who can provide advice and guidance on choosing the best product for their needs.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Not every company needs a vast Cybersecurity team, but Cybersecurity should be a part of any business that uses data or technology to operate. Companies should be monitoring network traffic, logins, external threats, and any data locations daily. If a company cannot achieve this with its resources, I recommend outsourcing these tasks to companies who can do this work. A professional can also describe your risk levels, and the company has to decide where to focus. The larger the company, the more professionals they will likely need to cover the critical cybersecurity areas.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
The three signs that a layperson should look for that may indicate a data breach or a hack would be:
1 — Your computer is running slowly. Sometimes a computer that seems suddenly slower than usual may mean there may be a virus, malware, or spyware on the machine.
2 — You are locked out of your accounts. If a hacker has accessed your system, they will try to access your account and lock you out of your accounts.
3 — Something about your browser has changed. If you have been hacked, your browser may have changed or may redirect you to sites that you do not use or have never seen before.
After a company knows of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
After a company has experienced a data breach, I highly recommend that the companies change their passwords to all accounts and hire an organization that can help them recover their data and improve their overall Cybersecurity footprint. Companies must also back up their data to retrieve it if they have any cyber incidents in the future.
Recent Data Privacy and Data Protection Laws like the California Consumer Privacy Act (CCPA), The California Privacy Rights Act (CPRA), and the General Data Protection Regulation (GDPR) have impacted my business because I am often asked to help companies to navigate how their data and technology are affected and how best to thrive in this new environment. Businesses are seeing how heavily the data held about individuals can affect their businesses, like creating barriers to adoption or sales if they can’t comply with these data privacy regulations. Companies are also seeing issues where they are having problems expanding into new markets worldwide without understanding their business choices’ data privacy implications. Although Data Privacy Laws may seem daunting, businesses can thrive when they know how to respect the data shared with them by individuals and be transparent about how the data is being used.
What are the most common data security and Cybersecurity mistakes you have seen companies make?
The most common Cybersecurity mistake I see companies make is to presume that a cyberattack, ransomware attack, or malware attack cannot happen to their company. Even large, well-funded companies can fall victim to cyberattacks. Companies must understand that proactive Cybersecurity is the best defense against having incidents that could cripple or end a business. The most common Data Privacy and Data Security mistake I see companies make is to assume that data privacy laws in other states, cities, or countries do not apply to their company. Many data privacy laws reach beyond the borders of the countries where the laws are enacted. Because data can travel worldwide, the data privacy rights of individuals can travel with their data. This is especially true of companies that sell goods and services to customers on the internet and worldwide. Companies need to understand their current and future customers to ensure they do not run afoul of laws that could cost them customers or end in hefty regulatory fines or restrictions.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Since the COVID19 Pandemic, there has been an uptick in cybersecurity and data privacy incidents. Many people are using their home networks and personal computers to work from home, and not everyone has the same security level that would help them be as secure as they were in the office. Also, hackers take full advantage of the fact that people are outside of their previous routines and are stressed out. People are more likely to click on links they likely would not have clicked before Covid-19 and are vulnerable to new scams. For example, Phishing scams are emails sent out of the blue and want you to click on the email links to access your computer. It is imperative not to click on links in emails from unknown people.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
The five things that every company needs to know to tighten up its approach to Data Privacy and Cybersecurity are:
1 — Minimize your Data. Every company that wants to tighten its policy on Data Privacy should evaluate its data and minimize data no longer needed. Doing this data minimization or “data spring cleaning” will achieve two important things that will help any company’s Data Privacy standing. First, minimizing data to only data that companies need about consumers will reduce compliance challenges with data privacy regulations worldwide that stipulate that companies need legitimate reasons to retain data about individuals. Second, data minimization will help companies minimize data volume that may be the target of attacks by hackers.
2 — Patch your systems regularly. Ensuring that all your computers and servers have regular system updates and security patches is vital to protecting your data and networks. Many of the cyberattacks written about in the news occur because hackers take advantage of companies that rarely update their systems. For example, even one unpatched computer or server can be a gateway for a cyber attacker to infiltrate a network.
3 — Be Transparent with customers. Customers entrust data to companies to receive products and services. Most Data Privacy regulations around the world have stipulations related to transparency. Customers should have the right to know how companies are handling their data. Companies that are more transparent with customers on using their data can achieve greater maturity in their data privacy posture.
3 — Align your policies with your actions. Many companies can run into regulatory trouble if their actions with consumer data are handled differently than publicly stated by the company. Companies must ensure that their actions and promises align with their use of customer data. For example, if a company says they secure consumers’ passwords using encryption and that company suffered a cyber-attack where the company did not encrypt this data, the company may face regulatory issues over the lack of promised security of these data.
4 — Make sure executives follow the same Cybersecurity and Privacy policies as the rest of the company. Since executives are targets of hackers due to their high level of access within businesses, these executives must follow the same cybersecurity policies as the rest of the company. For example, suppose the company policy is to change login passwords every 90 days. The executive should not be exempted from this policy, saving them from becoming a cybercrime victim.
5 — Beware of the dangers of legacy systems. Legacy systems are often out of date, out of warranty, usually too old to receive security patches, and are often no longer supported by the manufacturer. Hackers love to access these devices because they are likely the most vulnerable part of any system or network. For example, a legacy device can be the gateway to a cybersecurity hack of any company. Keeping systems software and hardware up to date and upgrading legacy systems may save your company from a cyberattack.
You are a person of enormous influence. If you could inspire a movement that would bring the most good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
If I could inspire a movement, it would be to make privacy a fundamental human right in the United States. The U.S. has a data and sector-specific patchwork of consumer privacy laws at the federal, state, and local levels but not a unifying comprehensive data privacy law. Since not every human is a consumer, I would like to see regulations that cover individuals’ privacy rights, not just customers’ privacy rights. This will make the right to privacy available to more people in our country.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!