Not all data collection is evil: Don’t let privacy scandals stall cybersecurity
Facebook continues to be criticized for its data collection practices. The media is hammering Google over how it handles data. JPMorgan Chase & Company was vilified for using Palantir software to allegedly invade the privacy of employees. This past June marked the five-year anniversary of The Guardian’s first story about NSA mass surveillance operations.
These incidents and many others have led to an era where the world is more heavily focused on privacy and trust. We’ve seen this reflected in several ways. Europeans have enacted the GDPR. Some global businesses have voluntarily halted certain data sales practices. Many Americans have left Facebook since its privacy scandal erupted. California passed its own version of a consumer privacy protection act.
Simultaneously, we are seeing how ineffective cybersecurity measures are impacting bottom lines and changing the course of world history. The Tesla and Apple insider data theft and sabotage incidents, Waymo vs. Uber case, and attacks on the Hillary Clinton Campaign are examples of what happens when weak security gives way to insider threats.
The privacy violations, deception and cybercrime taking place are creating new challenges that public and private sector organizations face. They are now operating in a world where all data collection and analysis practices are increasingly portrayed as evil. Despite this, business and government leaders can’t lose sight of the fact that it is absolutely necessary to continue to collect and analyze information in order to remain secure and to mitigate risk.
Ensuring security, respecting privacy
The privacy and security incidents that have emerged over the past several years should be motivating all organizations to adjust their data and cybersecurity practices. Business and government leaders need to ensure that they are adequately minding their stores without violating their users’ trust or invading their privacy. This is, of course, easier said than done.
Buried in the details of an effective security and privacy strategy are layers of stakeholders, opposing voices, policies and politics that have to be considered. To complicate matters further, most organizations are already heavily invested in legacy tech that contributes to privacy violations and security failures.
Organizations should not view these factors as deterrents. There are steps private enterprises and government agencies can take that will allow them to maintain security without violating user privacy. A few are outlined below.
Be transparent
Deceptive data collection practices (the drivers behind the aforementioned scandals) are what’s cast data collection and analysis into a negative light. This doesn’t change the fact that organizations have to monitor digital activities taking place in their environments if they hope to remain protected against breaches and attacks.
Businesses and government agencies can mitigate the negativity and suspicion that gravitates into online monitoring programs while decreasing risk. They simply need to start being transparent about how and why they are tracking digital activities.
Openness will create a sense of trust rather than suspicion. It won’t weaken security. Studies show that candor will turn people into security advocates as opposed to skeptics. Real-world use cases demonstrate how organizations can reduce overall risk when they place their people in the know.
Rethink visibility
Cybersecurity operations are multi-layered and include combinations of humans and machines working together. A key outcome all security operations seek to achieve is visibility. With visibility over what’s taking place in computer networks, organizations can see, neutralize and remediate threats.
Until recently, most technologies available, especially those that illuminate human behaviors, were very invasive. These legacy solutions provide heavy-handed surveillance that includes everything from key-stroke logging to video-like screen capture of everything users do. This level of granular detail and over-the-shoulder eavesdropping isn’t needed to address threats. Not only does it invade privacy and violate regulations, it also creates an overload of data and false positives that lead to wasted resources and security misses.
Organizations can now improve security postures and increase privacy levels by replacing aggressive reconnaissance layers. Today, there are more light-weight tech options available. Many can be tuned to only collect and analyze the critical data needed to detect risky user behaviors, shield user identities, and deprioritize non-threatening actions.
Embrace education
Organizations that want to defend people against attackers and empower them to help strengthen overall security need to invest time and money into educating them about both subjects. Research does show that with security training, humans can significantly reduce their susceptibility rates to attacks.
Organizations gain added benefits when they leverage technologies in use to provide educational moments to users. They not only advance users’ knowledge of how to help strengthen defenses, they also deliver further on the promise of transparency. By providing users with teachable moments learned from security controls in use, they will gain a better understanding of how their own activities and behaviors are being observed and how changing them can reduce risk.
Next steps
Regulation is one big game changer hitting the security and privacy playing field. The world may feel a bit uncertain over the direction both will head in as we wait to see what regulatory actions the fed takes, how GDPR law suits play out, and how the California Consumer Privacy Act is enforced. One thing is for certain, the world, its governments and citizens are starting to take a more privacy-centric stance when it comes to digital activities. The smart money will be bet on strategies and technologies that respect privacy, promote trust among user bases, and that approach regulations as an opportunity.