Published April 11, 2019
What’s happening with our online data? How is it being used? And by whom?
Are the strings of ones and zeroes that make up digital information also private property?
To discuss these questions and others, experts in data, technology and law met Monday for the UBIT Data Privacy Forum in the Student Union Theatre on UB’s North Campus.
“In 2015, UB hosted ‘Digital Challenges,’ focusing on issues surrounding IT technology and security,” J. Brice Bible, UB’s vice president and chief information officer, said in his opening remarks for the event.
“Today, as an institution, the information we generate makes us a bigger target than ever before. The safety of our data depends on the state of our security and the development of our policies,” Bible said.
“It’s time to update our thinking. Where are we with our data security and where are we going with it?
“This forum will focus on the future of data privacy, how people and organizations can strike the right balance between personal privacy, data security and the open exchange of ideas, as well as the critical importance of security planning,” said Bible.
To address those issues, the forum presented thoughts and viewpoints from three keynote speakers, along with a panel discussion.
“Today, the legal landscape regarding data security and privacy, cyber incidents and information governance is continually changing,” said Jennifer A. Beckage, managing director of Beckage PLLC.
“The legal landscape of data security and privacy laws do have an impact on innovation. The regulatory environment is also moving at a rapid pace,” said Beckage, who holds a bachelor’s degree from UB, and is also a graduate of the UB School of Law.
“Buffalo — and UB — are up-and-coming, moving forward. I was at a conference in another part of the country recently. When I said I was from Buffalo, the response from one woman was not snow jokes, but, rather, ‘Buffalo! They’re the new Austin.’
“Our community’s understanding of the laws and regulations affecting innovation, data security and privacy can help set the stage for this region, and the university, to continue competing on a global scale,” said Beckage.
Following Beckage, Snir Ben Shimol, vice president of cybersecurity at Varonis, told the audience the future of innovation and enterprise lies not only in the data an organization stores, but also in the value it can extract from that data.
“That data tells a story,” Shimol said. “What’s valuable, how it’s being used and who is trying to exploit it.”
Today, all threats are advanced, and persistent, said Shimol, who began his career in the IDF Technology and Intelligence unit in Israel’s Defense Forces.
“You need to understand your organization to understand how to better defend it. Internal threats — how they differ from external threats — and all of the variance of threats in between,” he said.
“There is new malware. Expanded attack surfaces, such as the hybrid environment in the cloud. And weaknesses in the supply chain, which are also represented within large universities: Defense of your data and organization depends on your weakest link,” Shimol told the audience.
Shimol said successful data security means monitoring.
“Who is accessing your data? How often, and how are they doing this? Where is the access being made?”
During the forum’s panel discussion, moderated by Martha Buyer, principal in the Law Offices of Martha Buyer, PLLC, UB’s information security officer, Mark Herron, was asked what steps the university is taking to protect its data.
“We were on the internet very early, before it became commercialized, so it was always about getting information,” said Herron.
“Now it’s a different world, with greater amounts of information, much of it shared through third parties. Accordingly, the university has developed robust data security, a breach response with an entire set of controls, together with a crisis management plan,” he said.
Herron stated that one of the big pieces of value any organization possesses is the volume of information it has. “UB possesses — and generates — a vast amount of information. To safeguard that, you have to start getting beyond the edge, beyond perimeter security.”
Herron said UB is part of a world-wide threat network, “which helps keep us aware of what is happening elsewhere. We track the landscape. We want to keep the bad actors out of UB.”
Buyer asked another panel member, Andrew Lison, an assistant professor in the Department of Media Study in the College of Arts and Sciences, whether top-down, single sign-on is still workable in today’s multi-threat environment.
“I access different computer systems across the College of Arts and Sciences every day,” said Lison. “It is necessary to log on in multiple locations, so single sign-on is a convenience.
“But while it is an issue of centralization, there are increasingly important questions regarding where we put the emphasis on personal data privacy issues versus how we share information today,” Lison added.
“Collaboration in sharing information between individuals, whether students, faculty or staff, goes on every day,” said Herron. “That is central to how we function as a university and as a society. Some people are willing to send and share information without regard to where it came from or where it is going.”
“The degree to which each individual cares about this depends on a number of factors,” added panel member Craig Vincent, a lead technologist with Splunk, a multinational producer of software for searching, monitoring and analyzing machine-generated big data, headquartered in San Francisco.
“For some, using a ‘free’ service may mean they will be less aware of issues inherent in information sharing, such as freedom of speech, rights-of-usage and licensing.”
Buyer went on to ask panel members, “What is the biggest vulnerability that we, as a society, are not paying attention to?”
“The growing sprawl of devices connected to the internet should be a huge concern,” said Vincent. “Their numbers and functions — including devices connected to health care — are rapidly multiplying, and, increasingly, not well understood. Many are easily hackable, and the risk is rising.”
“Digital information versus that portion that is viewed as private property,” said Lison. “What some see as strings of ones and zeroes, others are adamant that this is personal data. Where is the line drawn?”
“The human factor,” said Herron. “The sophistication — and numbers — of threats to data security posed by hackers are constantly increasing. It doesn’t take much, often just a click, to be taken in. And we are all vulnerable.”
In his presentation following the panel discussion, “The Hacking Age,” data security expert David Kennedy, founder of TrustedSec and Binary Defense Systems, emphasized the point: “It is usually the basics that end up getting us in trouble.”
After presenting basics for personal data protection, Kennedy told the audience: “Getting caught as a hacker remains an extremely low risk.”
For organizations, taking an asset inventory — knowing what information you have and where it is located in your system — is critical, Kennedy said.
“Focus on the highest probabilities for attack. Detection has to become your biggest priority. Normal precautions aren’t going to cut it against even average hackers.”