What's The Problem? Overcoming 4 Key Challenges in Data Privacy
Data Privacy Day is recognized internationally as a way to raise awareness of, and discuss solutions for, the growing problem of data privacy vulnerabilities. But every day should be Data Privacy Day. It’s essential for IT and business leaders to understand the full risk potential of data privacy threats and how to address these issues.
1. Data Privacy Is More Than Compliance
Challenge: Compliance is a critical factor driving interest in, and adoption of, data privacy solutions. Throughout the U.S. industrial landscape, compliance mandates such as HIPAA (healthcare), PCI (retail) and Graham Leach Bliley (financial services) are just a few examples of strict regulatory requirements that carry substantial penalties for breaches. Additionally, more than 80 other countries to date have passed their own data privacy laws, and the European Union has adopted its own data privacy standard (Council of Europe Convention 108). However, building data privacy defenses simply to pass an annual audit by a regulatory body is just the beginning when it comes to protecting data privacy. Data privacy must be ensured every day, because privacy threats are fluid and ever evolving. As an example, the incidence of zero-day attacks (security breaches for which IT professionals had no time to prepare a prior defense) for Internet Explorer doubled in 2014 from the year prior.1 There’s also the impact of highly-negative publicity and loss of consumer confidence of privacy breaches that may occur without notice, as evidenced by recent attacks against Target, Home Depot, The New York Times, and Sony Pictures. Widespread attacks also have occurred throughout international markets: A recent study indicated that 226 million personal records about Europeans have been compromised in the past decade.2 In addition, a number of data privacy breaches aren’t covered under compliance statutes, such as theft of intellectual property including new product diagrams, competitive analysis documents and marketing campaigns.
Solution: Data privacy must be protected on a continuous, ongoing basis, far beyond the requirements of simply passing external or internal compliance audits. Protecting data privacy must be part of a comprehensive corporate strategy that embraces the three P’s of Privacy: People, Products, and Processes. Not only do organizations need to ensure that data privacy reports to a senior corporate executive, but the organization must take steps to ensure that all employees and virtual staff (partners, contractors, etc.) use smart privacy protection techniques. In addition, organizations must be committed to investing in solutions that help ensure data privacy beyond the basics, including malware detection and identity management. Finally, privacy should be embedded into all business processes, from onboarding new employees to sharing data over unsecured networks.
2. A Strategic Investment, Not A Cost
Challenge: Measuring the economic impact of a breach goes far beyond regulatory penalties or the cost of securing defenses. Take the well-publicized theft of customer identities at Target. It has been estimated that the company’s failure to make a large, but vitally important, financial investment in data and identity protection may have contributed to a massive breach that ultimately cost upwards of $1 billion in hard and soft costs. A good question to ask: What is the cost of negative headlines about Social Security numbers, user IDs, passwords, and other identities being hacked? According to research from the Enterprise Strategy Group, “It’s important to recognize the financial risk of not pursuing … data protection processes. The status quo isn’t free. Ignoring those measures will incur a cost.”3 Business executives and IT professionals alike can understand the potential catastrophic impact of competitors gaining access to proprietary information such as customer lists, specially negotiated discount pricing, and product launch timelines.
Solution: Organizations need to make well-thought-out investments in technologies to ensure that data defenses are as resilient as possible and that data can be recovered, restored, retained, and reclaimed as circumstances require. Key technologies that should be a part of any organization’s data privacy defense include snapshotting, high availability infrastructure, backup and archiving. In particular, organizations need to ensure that they have an enterprisewide, rules-based and highly automated archiving system that goes way beyond the capabilities of traditional data backup. Archiving is a particularly essential part of any data privacy infrastructure because of the need to prioritize how and where to store information so it’s not only secure, but is handled in the most cost-efficient manner possible. The dramatic growth in unstructured data-emails, attachments, video, voice, social media and other data types has driven a phenomenal increase in data volume, including the creation and storage of numerous copies of data for even the most mundane email. Archiving helps take pressure off backup operations by established a logical path to prioritize information by determining its criticality and its need to be produced more or less frequently. This allows organizations to store less-often-required data on highly reliable, more affordable media like tape, and automatically migrate it to high-performance media like disk only when it is ready to be presented for anything from financial reporting to e-discovery.
3. Build it, Deploy it, Test it, Modernize it
Challenge: Most companies have some sort of data privacy plan, but it’s usually a component in a broader disaster recovery or business continuity strategy. It may be a dedicated chapter or a few isolated passages in that plan document. In reality it needs to be imbued in all aspects of business continuity in real-world practice. Unfortunately, business continuity plan documents often act as shelfware that is rarely tested and updated to reflect changes in business conditions.
Solution: Organizations need a dynamic planning, testing, and deployment strategy for data privacy — one that is developed and supported by senior executives and business stakeholders, not just the IT department or even a chief information security officer. It often makes sense for organizations to seek out and work with an experienced third party to develop the plan, as well to test the plan, surface vulnerabilities, and remediate them before they emerge. While internal IT staff and business leaders have the advantage of understanding the ins and outs of how data is captured, stored, and used within their organization, it’s not unusual for internal staff to become insulated to both external threats and to new ideas on how to ensure higher levels of data privacy.
4. Technology Usage Trends Increase Vulnerabilities
Challenge: From a technology usage perspective, the business environment in which we work is far different from that of just a few years ago due to some dramatic changes in technology adoption. Industry trends such as Bring Your Own Device, the impact of social media, increased adoption of affordable cloud computing services, and widespread use of sync-and-store services for data storage have raised new and potentially damaging data privacy vulnerabilities. The explosion in the sheer volume of data, combined with the trend toward greater flexibility in allowing employees to act as their own IT department in security technology, means that organizations must be increasingly creative in spotting data privacy risks. For instance, many of the latest identity thefts and cyber attacks have occurred as a result of delivering malware as advertising through tablets and smartphones. While the so-called “consumerization of IT” increases employee productivity, many of those end-user devices operate without sufficient IT oversight and security frameworks.
Solution: IT departments and business stakeholders shouldn’t necessarily restrict usage of consumer devices, applications, and services, but should develop smart policies that reflect both their benefits to employees and their threats to data privacy. It’s important to make employees aware of best practices to ensure data privacy, and to do continuous vulnerability testing to surface unexpected problems. Organizations also need to take pains to ensure all relevant parties understand that new uses of technology — especially consumer-class technologies such as mobile devices, downloaded applications, using public WiFi networks, and on-demand services — often increase data privacy risks and must be accounted for.
1Internet Explorer Vulnerabilities Increase 100%, Bromium Labs, July 20
2Privacy Breaches in Europe, Central European University, October 2014
3Archiving and Backup Best Practices, Enterprise Strategy Group, 2014