How to navigate critical data security and privacy policy challenges
By 2020, there will be 40x more bytes of data than there are stars in the universe as we know it. And with data growth comes more security and privacy obstacles for organizations and business leaders to overcome. Unfortunately, there isn’t any room for error – with the average cost of a data breach at almost $4 million and the potentially irreparable brand damage that comes with mishandling user data and privacy. How can organizations stay ahead of the curve to avoid the worst-case scenarios?
Let’s break down at a macro level how security professionals can proactively solve tough security and privacy policy problems.
Measure time and effort
It’s no secret that security takes time and effort. And in an organization that is encountering security and privacy challenges for the first time, it may even take a change of culture. Culture changes don’t happen overnight, no matter how much the CISO wishes for it.
It’s essential to ‘measure’ out how much time and effort it will take to implement defenses against new threats, integrate new technologies, or refine privacy policies – to stay ahead of the curve and put the whole organization on the same execution timeline. The facts are that spending time, effort, and even money on ensuring data security and privacy will likely always outweigh the cost of a data breach or the bad PR that comes along with a serious data incident.
Setting aside time and effort to keep up to speed with the changing threat and policy landscape is a critical first step towards a robust cybersecurity posture. Don’t ever be lazy or ‘too busy’ – that’s negligent – and your organization likely can’t afford it.
Know your new technology inside and out
We love what new technology can do for business. New tech can help streamline complex processes, reduce the need for headcount, or even save your organization tons of money in the long run. But with new technology comes new security threats – and some that you may be unfamiliar defending against.
When employees bring new devices to the corporate network, share data in broader cloud services, or begin to use new software, the possible exposure to new risk exponentially increases. Knowing what technology is being used, what data is being collected by that technology, and how and where the data is being stored and protected is paramount.
Of the seven different causes of data breaches the Identity Theft Resource Center (ITRC) identifies, three of them are linked to poor data visibility and mismanagement (accidental web exposure, data on the move, employee negligence).
For example, consider the notorious configuration problems AWS S3 buckets pose. It’s your responsibility as an organization to understand the nuances of new technology, like S3 buckets, to keep user data secure and private. Learn how to effectively operate the native functions of the technology, or research what third-party solutions you need to make a piece of technology truly safe.
Understand and prioritize the changing regulatory landscape
GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), and CSL (China Cybersecurity Law) are just a few of the new regulatory acronyms that data security professionals are coming to terms with – and they surely won’t be the last.
As the world becomes increasingly aware of and concerned with data breaches and privacy, legislatures around the globe are responding with a daunting patchwork of compliance regimes that require organizations to adapt and change, often in costly ways. Doing business in this environment requires security professionals to stay current and plan strategies to navigate an uncertain path ahead and blend the roles of lawyer, engineer, strategist, educator and leader.
It’s critical for organizations to thoroughly move through the different stages of integrating a compliance program: design, implementation, education, and maintenance. Every step is vital, and shortcuts on any of them shouldn’t be on the table.
Most importantly, know the geographies of your business. If your business isn’t “everywhere” just yet, then you get the chance to be strategic about what geo-specific regulatory practices you need to implement ASAP vs. as you grow, calculate their costs, and analyze what expanding would do for your business model. And if your organization is already “everywhere,” the challenge of dealing with regulatory quicksand can be handled, but you must be extra wise. Treat it like triage. Assign degrees of urgency to regulatory problems, decide the order of treatment, and then get to work. Outside expert consultants can help immensely in these types of situations.
Third parties: Do you know who has your data?
Many enterprises use third-party vendors and contractors, but relying on those third parties means it’s the enterprise’s responsibility to monitor what those parties are doing with the data they receive or have access to. We’ve watched Facebook deal with the fallout when the public learned what some of their partners and contractors did with user data. Each organization should treat the Facebook case study as a cautionary tale. Make sure you’re asking a lot of questions, and the right questions, when dealing with third parties. Questions like: Do you store information in the cloud? Is it hosted off-site? Is data stored in the country, or does your server vendor utilize servers in foreign countries?
Organizations should recognize that giving others access to data does not relieve them of ultimate responsibility for the safety of the data – and doesn’t save them from backlash. In June, Customs and Border Patrol disclosed that at least 50,000 photos of vehicles, license plates, and their drivers were involved in a breach. A subcontractor “had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network. The subcontractor’s network was subsequently compromised by a malicious cyber-attack.” Although this was an unauthorized practice by the third party, it still happened – and Customs and Border Patrol still has to answer to the public and the law.
Remember, managing technology subcontractors is like managing every other facet of your business – you need to know enough to ask the right questions and you have to keep asking them to stay ahead.
Complete due diligence when merging / acquiring
When one business acquires another business, both sides conduct due diligence. Before recommending to either the acquiring or target board that the deal is sound, we investigate and audit financial records, contracts, past practices, potential claims, etc. It’s critical that security decision-makers perform similar examinations of cybersecurity practices, either of their organization or those they propose to partner with, acquire, or sell.
The SEC, the FTC, and other regulatory bodies are placing more and more weight upon cybersecurity and having buttoned-up data practices. This interest in cyber from these regulatory bodies will only increase as more faulty mergers and acquisitions with inadequate data security and privacy at the core put customers and users in danger.
Executing ‘due diligence’ also includes running frequent self-checks to make sure that basic policies and plans work as intended well before a merger or acquisition is even on the table. Have you tested your emergency response plans recently? Were there any follow-ups on vulnerabilities that such tests revealed? Are sufficient resources being devoted to security? Does someone know if the backups work?
Again, ask yourself and your team smart questions, and you’ll get ahead.
Keeping up as business evolves
Ensuring data security and privacy is an ongoing process, and if you want your plans to be effective, both these principles must be at the foundation of your company culture and your business strategy.
Make sure you’re educating not only your security team – but all your employees, your vendors, and your customers. Having qualified and experienced experts in place will be your saving grace when the unexpected occurs. And most importantly, be proactive. Make sure your staff takes continuous data security and privacy education seriously. Do whatever you can to make sure those efforts are supported and integrated across the organization. And lastly, keep the lines of communication open and give your customers every reason to continue to trust you, even when you’re faced with adversity.