News Insights: Former Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics

Former Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics

The case raises concerns about the ability of tech firms to protect users’ data from repressive governments.

Former Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics


News Insights: Cybersecurity veteran Pravin Kothari, founder and CEO of CipherCloud, issued his perspective:

“As more and more information, the “crown jewels” of businesses and personal information of individuals, migrates to the cloud and Internet services, users just do not have visibility and control over who all are accessing their information, when and how. Criminals are also finding it far easier to target the cloud to access and steal a huge amount of information.

No matter what defensive measures security professionals put in place, today’s attackers are able to circumvent them.  Organizations need to change their security approach from network centric and access centric to data-centric. It’s even more important to protect your data with encryption than just control the access as you can assume that hackers would get to your data, sooner or later.

With the rise of hacking and exposures in the cloud, organizations need to focus on cloud security and cloud data protection in an unconventional way.  Migration to the cloud presents many unique challenges in protecting your data, and has given rise to a new generation of cloud data protection solutions especially with seamless rights management and such capabilities.

Organizations must be aware of the growing risk with their data in the cloud and always protect personal identifiable information (PII) and protected health information (PHI). With the growing number of regulations on data privacy of individuals, such as EU GDPR (The General Data Protection Regulation), PCI DSS, HIPAA and California Consumer Privacy Act (CCPA), exposing such data opens the organization to breaches, reputational damage as well as stiff penalties.

We’ll see more and more regulators “bring the hammer down” and levy some of the largest fines ever seen to raise the sense of urgency on businesses to protect their client sensitive information. It could be FTC, European GDPR, upcoming California Consumer Privacy Act, and many other privacy regulators worldwide.

European GDPR has a fine of up to 4% of global revenues while FTC seems headed towards much heftier fines with about ~9% on Facebook and ~25% on Equifax recently. This sets a new precedent and a wake up call to all businesses to be extremely careful with data privacy.

Cybersecurity and privacy are hot megatrends similar to cloud, mobile, and AI. Businesses are focused on finding new opportunities in the later set and not paying enough attention to risk exposure, privacy and cybersecurity.  Many businesses are not doing enough to protect their client sensitive PII information. They do not realize that internet and cloud services are not bullet-proof. They assume that their information is safe with service providers.  But a simple misconfiguration, malicious insider, or abuse of API could cause major exposure and havoc as we saw with Facebook and Equifax.

The primary measure companies should take to minimize risk is to anonymize all PII data prior to sharing it with third-parties, which also includes before sending it to applications in the cloud such as Twitter, Office 365, Salesforce, Dropbox, AWS and Azure.

Organizations should select tools that automatically protect your sensitive information and keep the information always protected.  For instance, they should access all cloud applications via a cloud encryption gateways and cloud security brokers with automatic rights management and end-to-end data protection.  They should require their service providers to be fully compliant with GDPR, CCPA, HIPAA, etc.

I believe that in the very near term, businesses will begin to weigh the risk and reward of doing the minimum in stepping up to strong encryption and anonymization techniques.  I also believe that they will review and revamp their entire data privacy practice or start one if they do not have one. In these times, an organization cannot stick their head in the sand and do nothing.”