SFG10: Data rights are human rights

Why is this important? Copy link

Did you know? In 2022 there were 4,100 publicly disclosed data breaches, equating to 22 billion records being exposed, including from companies like Okta, Google, Twitter, Uber, Microsoft, Dropbox, Twilio, LastPass according to cshub.com.

Data rights are human rights because in today's digital age, individuals generate and share an enormous amount of data. This data often includes personal information such as names, addresses, financial information, and even biometric data such as fingerprints and facial recognition data.

The right to privacy is one of the fundamental rights that is threatened by the collection, storage, and use of personal data.

Additionally, data can also be used to discriminate against individuals based on factors such as race, gender, or sexual orientation. This can lead to further human rights violations.

Protecting data rights is essential to ensuring that individuals are able to exercise their fundamental human rights. Data security should therefore be a focused investment from day one of your business. It shouldn’t be taken lightly, as incidents such as a data breach can be very damaging to customers and to your reputation, and could result in substantial fines or other regulatory action.

The responsible handling of data, and in particular personal data, is crucial to protect from cybersecurity risks - the most prevalent being: Copy link

Social Engineering - The process of hacking people rather than systems remains one of the most popular methods for compromising security as up to 85% of all data breaches (Source) include an aspect of human involvement. The 4 common types are Phishing (email based), Vishing (voice based), Smishing (SMS based) & Impersonation.
3rd Party exposure - Attacks facilitated by granting 3rd parties, e.g. contractors or external systems, privileged access to company data from networks and devices that are less well protected, maintained or monitored.
Configuration mistakes - Either from an external source or via privileged internal access, configuration mistakes can lead to security gaps that are unknown to the company security teams.
Ransomware - A method of denying access to a company's data by encrypting it and demanding a 'ransom'. The average cost of this type of attack in the UK is $1million with system access typically restricted for at least three weeks.
Insider threats - Insider threats involve employees or other trusted individuals who intentionally or unintentionally compromise the security of a system or network. This can include stealing sensitive data or inadvertently introducing malware into a network.
Password attacks - Password attacks involve attempting to guess or steal a user's password in order to gain access to their accounts. This can be done through brute force attacks, where an attacker tries to guess a password by using various combinations of letters, numbers, and symbols, or through credential stuffing attacks, where stolen usernames and passwords from one site are used to attempt to access other sites.

There have also been increased data security risks caused by remote working. Like with public Wi-Fi networks, the lack of physical security, decreased visibility for security teams to monitor network activity, makes it more difficult to identify and respond to potential security breaches in remote working environments.

The General Data Protection Regulation (GDPR) was introduced in 2018, to provide a European-wide legal framework for keeping everyone's personal data safe by requiring companies to have robust processes in place for handling and storing personal information. Start-ups based in or doing business in the UK and Europe should build and implement privacy in their business model. They should also take steps to ensure they are GDPR compliant as well as taking into account and complying with data privacy laws of any other countries in which they operate (for example, there are a number of US states which have their own privacy laws, with more states to follow suit).

The California Consumer Privacy Act (CCPA) was introduced in 2018 to give consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law. Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

Where to start Copy link

Pre-seed/Seed Copy link

Understand business model and product-related data risks and obligations
Hire a security-savvy developer
Build and implement data privacy controls by implementing a ‘Security by Design’ culture across the business
Develop appropriate policies and procedures for your business to minimise data security risks
Deploy endpoint security solutions as the first layer in your security stack

Series A Copy link

Formalise data security responsibilities across your team and consider hiring a CISO (Chief Information Security Officer)
Continue developing appropriate policies and procedures to address additional risks
Engage a third party to conduct regular security assessments and promptly remediate issues highlighted
Invest in a training platform and schedule regular, mandatory, cyber and regulatory training for all
Adopt a fundamentally zero-trust approach to infrastructure and architecture. Only work with vendors who adhere to these principles
Invest in solutions that will help you manage cybersecurity threats (e.g. email phishing) and allow for secure software development (e.g. source code scanning for sensitive information).
Maintain regulatory compliance with GDPR, CCPA and other relevant obligations
Plan and document what you will do in the event of a breach

Series B onwards Copy link

Continue monitoring for data-related risk across your business and all applications and developing appropriate corresponding policies and procedures
Maintain regulatory compliance: improve adherence to compliance mandates like GDPR, CCPA and other relevant obligations, develop strong audit of email security risk
Hire a CISO (Chief Information Security Officer) if you haven’t already done so, and, if appropriate, build a dedicated security team
Build software with a fundamentally zero-trust approach to infrastructure and architecture. Only work with vendors who adhere to these principles
Audit your suppliers to check their GDPR/other data compliance
Consider cyber insurance
Invest in enterprise risk solutions helping to:
- Enable secure software development by scanning source code to detect API keys, passwords and other sensitive information in real-time. For example, GitGuardian
- Support zero-trust architectural decisions that help ensure your company’s software and the data you store is secure by design
- Manage cybersecurity threats in real-time by reporting key areas of insider risk (like unusual credential use or data movement).
- Improve employee behaviour through regular simulations of phishing and training
- Deploy an ASM platform to fully understand your risk profile

The suggestions above are just some of the key areas to watch, there are many others including: pen testing, bug bounty programs, security logging and investigation tools, application security (which starts with secure designs), supply-chain security, implementing a zero-trust architecture, securing your cloud infrastructure, running internal phishing campaigns to raise awareness, proper 2FA...

Data collection Copy link

Number of data breaches
Number of cybersecurity threats/attacks
% employees completing cybersecurity and other IT training
% employees failing phishing tests

Useful resources and further reading Copy link

GDPR Checklist available to ensure GDPR compliance
Common attack vectors on authentication available from Ory here
Cybersecurity Template/Checklist available here
Guidelines to detect phishing
Secure identity management with Ory
Platforms helping against code breaches/data breaches (eg: Gitguardian)
Small Business Guide: Cyber Security - NSCC
Secure design principles - NSCC
10 Steps to Cyber Security - NSCC

Examples and testimonials Copy link

Merama sees cybersecurity and consumer data protection as fundamental elements of its ESG approach. The company has implemented seven information security policies and created a Cyber Awareness Program to promote cybersecurity and personal data privacy awareness throughout the organization. During 2022, the team carried out a Data Protection Compliance risk and gap analysis and documented the Data Protection Management System for Merama’s holding companies and 20 subsidiaries.

“We’ve invested a lot to design and implement an efficient, globally standardized data protection infrastructure by providing systematic rules to cover policies, processes, and activities that involve personal data processing. This effort includes hiring knowledgeable, hands-on data protection professionals who undertake the DPO’s responsibilities and understand and ensure compliance with the Data Privacy Laws applicable to all countries where we operate. This topic was of utmost importance to our stakeholders and us, so we started to assess and address the most critical aspects firsts, the Privacy Notices.” Luana Rosa, Global Head of ESG at Merama.

Tessian has pioneered a new category of security software called Human Layer Security, tackling the most vulnerable asset of an organisation when it comes to cybersecurity: people. Today, 90% of today’s data breaches are caused by some form of human error and Tessian uses machine learning to stop data breaches and security threats caused by human error - without disrupting employee workflow. Customer stories can be found here.

“People make 35,000 decisions every day; it just takes one wrong decision or one instance of human error for an employee to cause a catastrophic security breach. In the same way we have firewalls to secure networks, and endpoint detection and response platforms to secure devices, enterprises now need advanced security technology to secure their people.” Tim Sadler, Co-Founder and CEO at Tessian.