In relation to Data Privacy Protection Day next Thursday, cybersecurity experts have provided the below commentary around how businesses can improve their data privacy and remove sensitive data blind spots.
<p style=\"font-weight: 400;\">In the wake of an investigation revealing a cache of personally identifiable information (PII) for sale on the dark web, Which? appropriately calls for both businesses and individuals to pay closer attention to cybersecurity. The reality is that effective technologies and best practices are readily available which can thwart incidents like this, preventing peoples’ highly sensitive data from being exposed and leveraged by threat actors.</p> <p style=\"font-weight: 400;\"> </p> <p style=\"font-weight: 400;\">On this Data Privacy Day, businesses need to give serious and sober thought about how data-centric security, which protects the data itself rather than the borders and perimeters around it, can be a powerful tool in their cybersecurity arsenal. In the reported incident affecting customers of Tesco, Deliveroo, and McDonald’s, had this data been tokenized prior to being breached, any sensitive data within the data set would have been effectively obfuscated. Businesses cannot keep risking situations like this when the answer is abundantly clear—you can implement effective and cost-efficient data-centric security, but you must have the desire and incentive to start that journey toward comprehensive data protection.</p>
<p>There are many layers to data privacy, but one of them centers around a fundamental need for governments to re-think and more aggressively protect our rights as citizens to own our own data if we so choose.</p> <p>Major Tech has benefited and profited from the trust that consumers unknowingly placed in them to protect our data and hold it private, rather than commoditizing it.</p> <p>We’ve inherently accepted that they are allowed to collect our data for their purposes, without disclosing how that data is being used. Today, the major social media companies know so much more about their billions of subscribers than most realize. In fact, in terms of consumer rights and transparency they act a bit like they are their own personal governments and tend to set rules that most aren’t aware of and don’t understand.</p> <p>Documentaries such as “The Social Dilemma” are starting to peel back the layers of what’s involved in examining the current state of privacy rights and allowing consumers to reclaim ownership of their data. Europe’s “right to be forgotten” is a helpful model for what future US legislation could look like, but for the time being, social media’s unchecked data gathering has ballooned, prompting concerns about who is choosing the content that is being served to us, who has access to our data, and what they’re using it for.</p> <p>It comes down in the end to how much data harvesting <em>We the People</em> will awaken to and continue to permit social platforms to conduct. Will the public remain passive or urge legislators to take strong actions? One good start would be shifting from “opt out” practices to “opt in” ones – where decisions about whether and how much personal data to allow a social platform to share begin with the consumer, not with a company whose “opt out” mechanisms may be muddy and hard to navigate.</p>
<p>Privacy management today is complex, siloed and inefficient. Current privacy policies and privacy-management approaches lack the continuous and predictive insights that drive business growth, costing companies tremendous amounts of time and money with the introduction of each new regulatory change. Companies are not only responsible for understanding the changes, but must also react and align larger business objectives accordingly. <br /><br />As the importance of data as a business enabler increases rapidly, organizations are realizing the impact of regulatory challenges far more than before and are beginning to see just how critical it is that information be compliant with current privacy regulations. However, it’s simply not sustainable or scalable for privacy leaders to manually manage data privacy with regard to each new regulation or regulatory update. Today, the responsibility for implementing and maintaining a privacy program must extend beyond the privacy office to every department within an organization. Companies must implement data privacy programs that:</p> <ul> <li>Are easily scalable to meet each new privacy requirement.</li> <li>Ensure ongoing compliance, regardless of how organizational data flows change.</li> </ul> <p>Developing these programs shows customers that the organization has taken the steps necessary to secure ongoing data privacy. This approach to data privacy acts as a commitment to customers, as well as a differentiator and business enabler.</p>
<p class="paragraph"><span class="normaltextrun">Companies across all industries have a responsibility to protect data and ensure privacy. We are all in this pandemic together, but organisations that demonstrate responsible and transparent practices in the handling and protection of customer, partner, and employee data can differentiate themselves from competitors and maintain a competitive advantage in the market, while creating a relationship of trust.</span><span class="eop"> </span></p> <p class="paragraph"><span class="normaltextrun">BlackBerry operates based on four simple tenets. Employees of every company can learn to uphold these data protection values:</span><span class="eop"> </span></p> <ul> <li class="paragraph"><span class="normaltextrun"><b>Know What Makes Data Personal</b></span><span class="normaltextrun">. The definition of personal data is broad and applies to any information relating to an identified or identifiable natural person. It’s nearly impossible to protect personal data without knowing what it is.</span><span class="eop"> </span></li> <li class="paragraph"><span class="normaltextrun"><b>Start with Why</b></span><span class="normaltextrun">. There must be a clear and lawful business purpose for collecting personal data. If you can’t credibly answer the “why”, don’t collect it. Also, just because you may be able to access personal data doesn’t mean you can use it for any purpose. The use of personal data needs to be limited to the original purpose for which it was collected—this is a fundamental pillar of creating and maintaining trust.</span><span class="eop"> </span></li> <li class="paragraph"><span class="normaltextrun"><b>If You Collect it, Protect it.</b></span><span class="normaltextrun"> If you collect personal data, it is imperative to ensure that appropriate security controls are implemented to keep it safe from inappropriate or unauthorised access.</span><span class="eop"> </span></li> <li class="paragraph"><span class="normaltextrun"><b>Security ≠ Privacy</b></span><span class="normaltextrun">. While it’s possible to have security without privacy, it’s impossible to have privacy without security. Privacy is about the ethical and responsible handling of personal data. This is why security is an integral part of ensuring that transparency of privacy practices can be achieved.</span><span class="eop"> </span></li> </ul>
<p>Companies that require access to our data need to take responsibility and ensure they are putting all the relevant measures in place to secure this data as much as they possibly can. Apps often hold the most data, and they are tools everyone around the world uses every single day, so we need to start at the beginning of this process and consider how we can ensure data privacy when handling applications.</p> <p>Any company that requires its customers to use an app needs to implement Agile development methodologies with a DevSecOps model, leading to system security with operational visibility that can identify and thwart hackers from attacking and disrupting the privacy of the company’s data. Allowing the entire software development team to have a fully integrated view into the product development lifecycle, and allowing them to have the understanding and knowledge of the importance of securing and testing a device, will go a long way in helping organisations do their utmost to provide excellent data privacy. This will ensure the company are on track to achieving their business outcomes because consumer trust is intact and their customers are retained – with the proper security measures in place, a data breach is less likely and therefore their data remains secure and private and the integrity of the company itself remains intact.</p>
Information Security Buzz (aka ISBuzz News) is an independent resource that provides experts’ comments, analysis and opinion on the latest Information Security news and topics.