In the digital age, enterprises across industries are actively engaged in the privacy vs. security debate. It’s an important discussion that every organization must have to respond effectively to the threat of data breaches and ransomware attacks.
In 2018, we’ve already seen some significant security events targeting leading businesses like Reddit, Timehop, Exactis, and Under Armour. These breaches exposed millions of sensitive customer records and reaffirmed the need for companies to take a proactive and balanced approach to data security and privacy.
To have a better chance of successfully protecting enterprise digital assets, you have to first understand the differences between cybersecurity and privacy.
What Is Privacy?
The definition of privacy has evolved. In fact, the privacy our parents and grandparents enjoyed doesn’t exist today. In 2018, it’s safe to say that we all live in a data-centric world where our personal data is continuously captured and mined by both enterprises and governments.
From a business perspective, privacy can be defined as the ability of a company to collect, manage, and protect sensitive data (including personally identifiable information and other regulated data) ethically and transparently.
So when companies focus on privacy, they have to ask themselves the following questions:
- What data are we going to collect?
- How will the data be collected?
- How are we going to use this information?
- Who will have access to this information?
- Are we sharing this data with third-party vendors?
- How long are we going to store this information?
- How are we going to secure sensitive data?
The moment we talk about protecting data, there is an overlap with security that can cause some confusion. What’s more, if your business is planning on monetizing strategic data assets, security vs. privacy again becomes part of the equation as you have to find ways of achieving business goals while protecting personal privacy interests.
What Is Security?
Security can be defined as protecting enterprise networks, data, and infrastructure from unauthorized access. The challenge here is to secure digital assets while maintaining availability and integrity—and this opens the doors to the privacy vs. security discussion.
Companies put security controls in place to enable controlled access to information. This is done to provide customers with better service and user experiences. For example, if you lose your credit card while traveling, you can call customer service from anywhere in the world and the customer service agent will be able to access your account and cancel that card within minutes.
However, when we add privacy into the mix, it becomes a little more convoluted. For example, while the customer service agent may be provisioned to access your account details after going over some security questions, privacy won’t allow the same individual to check the account of a family member, even though they have access privileges to that information.
In terms of business application, it’s important to find a balance between cybersecurity and privacy. For example, if your IT department is monitoring employees by keeping track of every click, email, and keystroke to maintain security, it will compromise privacy. On the other hand, if your employees are gaining access to internal work-related services from an external mobile device, without some monitoring, it can leave both the organization and employee exposed to unnecessary risk.
When engaging in the privacy vs. security debate at your next meeting, it’s always best to focus on finding a balance that delivers both cybersecurity and privacy. That starts with identifying solutions that provide enough visibility to detect malicious activity on the network, but operate at a high enough level to protect the user’s privacy.
So it’s not a matter of data privacy vs. data security anymore; you don’t have to choose one over the other—you can have both.
Cybersecurity and Privacy Best Practices
Securing enterprise networks, infrastructure, and vast oceans of data will require more than firewalls and antivirus or anti-malware software. But that doesn’t mean they’re not important, so make sure they’re always updated while you develop a robust backup plan.
Going forward, companies will have to leverage advanced monitoring and reporting technologies to rapidly identify and respond to internal and external threats. Real-time monitoring can be achieved by deploying artificial intelligence, machine learning, and data analytics to detect anomalies that often go unnoticed by human IT security teams.
Attribute-Based Access Control (ABAC)
In a highly collaborative business environment, the traditional role-based access control (RBAC) model no longer suffices, so it’s now important to make the transition to ABAC, which is highly adaptable, comprehensive, and dynamic enough to meet the demands of modern business operations.
This approach will provide a wealth of authorization-request and activity-log data that can be used to improve reporting and monitoring. ABAC can also help the company meet regulatory standards while functioning as the first line of defense against a security breach.
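To make the distinction concrete, here is an added example (not code from the original article) of an ABAC decision for the customer-service scenario described earlier: the agent’s role is necessary but not sufficient, the privacy rule about a family member’s account is a separate attribute check, and the same evaluation produces the activity-log record that feeds monitoring. All identifiers and attribute values are constructed for the example.

```python
# Added example: a minimal attribute-based access-control (ABAC) check for the
# customer-service scenario. The role alone does not grant access; attributes of
# the request (open ticket, caller verification) and of the relationship between
# agent and account owner also decide. All names/values below are constructed.
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Subject:
    user_id: str
    roles: set
    relatives: set = field(default_factory=set)  # account owners related to the agent


@dataclass
class Resource:
    account_id: str
    owner_id: str


@dataclass
class Context:
    open_ticket_account: Optional[str]  # account the agent's current ticket is about
    caller_verified: bool               # caller passed the security questions


def decide(subject: Subject, action: str, resource: Resource, ctx: Context) -> Tuple[bool, str]:
    """Return (allowed, reason). Each rule is an attribute check; any deny wins."""
    if "support_agent" not in subject.roles:
        return False, "subject lacks support_agent role"
    if action not in {"view", "cancel_card"}:
        return False, f"action {action!r} not permitted for support agents"
    # Privacy rule: the agent may never act on their own or a relative's account,
    # even though the role would otherwise grant access to that data.
    if resource.owner_id == subject.user_id or resource.owner_id in subject.relatives:
        return False, "privacy: conflict of interest with account owner"
    # Purpose limitation: access must be tied to the ticket the agent is working.
    if ctx.open_ticket_account != resource.account_id:
        return False, "no open ticket for this account"
    if not ctx.caller_verified:
        return False, "caller has not passed identity verification"
    return True, "allowed"


def audit_line(subject: Subject, action: str, resource: Resource, decision: Tuple[bool, str]) -> str:
    """Activity-log record of the decision, suitable for monitoring and reporting."""
    allowed, reason = decision
    result = "ALLOW" if allowed else "DENY"
    return f"user={subject.user_id} action={action} account={resource.account_id} result={result} reason={reason!r}"
```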
Customer Identity and Access Management (CIAM)
If your business model is focused on providing enhanced customer experiences, you can leverage CIAM to strike a balance between security and customer experience. This approach helps enterprises control user access to applications and services while securely capturing and managing customer identity data.
As CIAM doesn’t demand that you trade privacy for security, you can minimize risk while delivering great end-user experiences.
Implement Clear Processes and Policies
Even if you have developed a good governance framework to enhance privacy and security, it won’t make a difference unless employees are familiar with the policies and processes involved. When developing clear processes and policies, it’s also important to test them to ensure that they work.
When testing your processes and policies, it will be critical to measure their success. This is because business owners and leaders must demonstrate a return on investment for privacy and security products.
In 2017, digital transformation was the dominant trend where enterprises across industries moved their infrastructure to the cloud. This makes it important for businesses to invest in cloud-native security products.
One way to approach cloud-native security is to incorporate the three pillars of DevSecOps:
People: Businesses should create a culture of security and privacy throughout the organization. This can be achieved with proper training and restructuring to meet security needs. All new employees should also receive data privacy and security awareness training on your company’s security policies and procedures. This can be as simple as showing them how to fully encrypt and store sensitive information or how to identify a phishing email.
Processes: It’s important to align and implement common business processes to encourage cooperation and achieve secure operations. This approach will help boost employee buy-in as they don’t have to learn a whole new set of skills to work in a highly secure environment.
Technology: It’s also critical to effectively manage technical security debt by leveraging technologies that can reduce the enterprise attack surface.
You can also take it a step further and develop a compliance-as-code framework to mitigate risk. To ensure compliance, you can support these initiatives with regular audits. To make sure that your privacy and security protocols actually work, you have to engage in routine penetration testing.
Incident Response Plan
Regardless of where you stand on the privacy vs. security debate, it’s imperative to devise a detailed incident response plan. Having a plan is vital to address business issues, assign roles, identify key performance indicators to measure the event, implement the right tools, and establish your organization’s communication strategy.
When everyone is clear about their role during an active incident, you can quickly respond to the threat and effectively deal with the aftermath.
Internet of Things (IoT)
If your company’s digital transformation activities include the incorporation of smart devices and sensors, managing IoT on a separate network can diminish your exposure to risk. Even if they’re on a separate network, IT teams should also actively change all default passwords when adding IoT to enterprise infrastructure.
As security historically has been an afterthought for IoT manufacturers, it’s crucial for businesses to practice caution and take extra steps to ensure enhanced privacy and security.
The privacy vs. security debate will continue to rage on for some time, but it’s safe to say that it won’t go on forever. While privacy and cybersecurity protocols will differ from one industry to another (based on regulation), it will be critical to find a balance to maintain brand value and business continuity.
Interested in learning more about cybersecurity and privacy? Springboard’s Cybersecurity Career Track is a mentor-guided online cybersecurity bootcamp designed to get you certified and hired.