A significant evolution is altering the way all organizations must regard the security of information systems. Many are not yet fully aware of it. At the core of this evolution is the blurring or even outright erasure of the line between organizational data privacy and employee privacy. There has always been an intersection between data privacy and cybersecurity. However today, there is a growing gap between employee privacy and cybersecurity, bypassing this crucial intersection and increasing risk of costly data breaches and.
Once considered two separate concerns, organizational or internal data privacy was historically a far higher priority than employee data privacy. Today they are virtually one and the same. For businesses and other organizations that haven’t yet grasped this fact, the risks to cybersecurity are heightened. Balancing data privacy with cybersecurity means regarding employees’ personal data as being as critical to risk mitigation as the customer data or operational data an organization collects.
An eye-opening report titled “The Intersection of Data Privacy and Cybersecurity”, produced by data access management company OKERA, polled Chief Data Officers, CIOs, Chief Privacy Officers, and CISOs from 125 North American companies. These were large companies: 93% had at least 1,000 employees and 61% more than 10,000. Among the many revealing findings in the report was the following contradiction.
45% of the leaders polled said they were not concerned about the fines associated with non-compliance with privacy laws. They factor privacy breaches into their cost modeling. Yet 94% see compliance as a top priority.
This contradiction illustrates the disconnect at what used to be the clear intersection between data privacy and cybersecurity. So, what’s changed and why?
Organizations are aware that data privacy as a concept has evolved over time. And from a financial and reputational standpoint, they’re eager to achieve compliance with new and emerging regulations designed to ensure that standards for proper data handling and privacy are met. According to the International Association of Privacy Professionals (IAPP), the research supports this conclusion.
In 2019, the IAPP, together with data security company Virtru, published a paper titled “Succeeding at the Intersection of Security and Privacy”. Among the paper’s findings was the fact that “privacy compliant organizations are better prepared to respond to data breaches and experience fewer data breaches. In a recent survey, [it was] found that GDPR-compliant companies experience fewer data breaches. When compliant companies are breached, fewer records are lost, the costs are less, and system downtime drops by a third. Compliance is a win-win for both security and privacy.”
Simply accepting that breaches will occur is not a sustainable practice for organizations serious about keeping data privacy and cybersecurity intersecting. Yet it is easy to understand why many organizations (as well as most private individuals) are inclined to feel that the problem is too overwhelming to be effectively addressed. There is a lack of acknowledgement that employee data privacy has become as important as internal/organizational data privacy, and in many organizations employee data is not treated with the same care as other privacy concerns. How did this disconnect arise, and what can proactive organizations do to evolve their privacy and security policies accordingly?
First, organizations need to understand the disconnect. The terms “privacy” and “security” have long been central to those concerned with protecting data – the lifeblood of every modern organization. In so many facets of business, the pace of technological change forces ideas and practices to evolve rapidly. Terms, processes, policies, techniques, and technologies that were cutting edge yesterday are quickly replaced by new and different ones tomorrow. Nowhere is this more evident than in the field of cybersecurity. So, it is not surprising that the definitions of “data privacy” and “security” have evolved beyond what they meant even a few short years ago.
1969 to 1989 | Data Privacy = Network Security
Since the advent of networked computing in 1969, data security has been an important concern. Protecting internal data meant avoiding theft of intellectual property or other trade secrets. It also meant protecting sensitive financial data or other information about an organization that could impact investment capital and competitive advantage – whether in business or political operations.
During this period, when it came to information security, the term “data privacy” referred to the practice of protecting internal data. And that mostly meant beefing up network security.
1990 to 2000 | Data Privacy = Consumer PII in the Cloud
By the 1990s, with the emergence of the modern internet and the explosion of eCommerce, data privacy came into focus as a critical facet of data security. Newly minted online consumers were leery of putting their personally identifiable information, or “PII” (like credit card and social security numbers and other sensitive information), into the new and poorly understood cyberspace. Identity theft began to present a broad emerging threat for the first time. But the pace of adoption was unstoppable. The ease and convenience of shopping and other activities online helped consumers quickly grow comfortable enough to trust that their data would be protected.
However, as more and more economic activity transitioned into the online world, the scalability and efficiency benefits of cloud computing drove all online activity into the cloud. Now it was not the customers’ but the businesses’ turn to worry about data privacy. Would these third-party cloud hosting facilities provide enough protection for the swelling volumes of customer data their clients were storing in the cloud? No company, campaign or other organization wanted to suffer the reputational damage that follows a data breach.
Although the cloud model meant that an organization’s data would be stored at sites separate from their other operations, from the customers’ standpoint, the data they shared was still in the custody of the organization with which they shared it. It was still “internal data”. So, companies invested heavily in hardening their information systems. Cloud hosting companies had even greater incentive to ensure security as their entire business model depended on ensuring they were secure repositories of their customers’ data.
During this period, the notion of “cyberspace” and the increased economic activity taking place there married the term “data privacy” with cybersecurity as it related to protecting customer/user data on internal networks.
2000 to the present | Data Privacy = All Internal Data + A Tsunami of External Data
Beginning at the turn of the 21st century, a tsunami of a new category of data began to rise. Driven by the complete embrace of the internet for all economic activities and supercharged by the advent of social media, people’s PII became a commodity traded right out in the open. Some of it was traded by legitimate businesses like marketing and advertising firms, the rest by more nefarious operators – hackers, organized crime, political and religious extremists. Accelerating year over year, the explosion of social media and continued growth of online commerce overwhelmed cybersecurity professionals with a tsunami of external data which is still largely not the focus of data privacy practices and processes.
The first social media platforms emerged in the late 1990s (remember SixDegrees.com?). Yet the adoption and proliferation of social media as a concept really found its legs in the early 2000s. The first platforms that really brought the idea of social media to the forefront of popular culture were sites like Hot or Not (AmIHotOrNot.com) in 2000, Friendster in 2002, and MySpace.com in 2003. Early versions of Facebook hit the scene between 2003 and 2005. Business social media giant LinkedIn arrived in 2006, as did Twitter.com. From there, specialized flavors of social media – dating and hookup sites (Tinder, Grindr, etc.), photography sites (Instagram and others), crafting/maker sites (Pinterest) and many others – grew the social media market into a juggernaut. In its Social Media Global Market Report, the Business Research Company reports the social media market is expected to grow to $435 billion by 2027.
Over the last two decades the volume of data collected from all sources has ballooned. Internet users all over the world routinely enter all manner of personal data into cyberspace. With every online purchase, every subscription, banking and other services account, the public has grown inured to the requirement of sharing their data. Adding to the collection of data – especially highly specific, personal information – is the popularity of social media platforms of all kinds where users routinely volunteer all manner of personal information in full public view.
During this period and in the present, data privacy is increasingly difficult to achieve because of the vast volume of data that is created every day. Moreover, cybersecurity is no longer adequate if it focuses only on protecting internal data. In recent years, cybercriminals have found it easier to exploit the external data of the employees at the organizations they target than to expend the effort to break into heavily fortified internal data systems.
Weak employee data security has become the primary avenue for cybercrime activity because there is so much unprotected employee data and most organizations aren’t prioritizing the data privacy of their employees and their vendors’ employees. Just look at the vast quantities of data being generated – data that is largely available to the public or for sale at the mushrooming number of data brokers and People Search Sites online.
By the Numbers
Every day, the planet generates 1,000 petabytes (a petabyte equals one million gigabytes!) according to data storage company Rivery.
Statistical research company Statista estimates the world had produced more than 64 zettabytes by 2020 and is on course to grow to more than 180 zettabytes by 2025. A zettabyte equals one TRILLION gigabytes!!!
Awareness of the challenge of external data privacy has been growing among organizations and consumers alike. Yet, the problem is so big that many regard it as insurmountable. Too many in the security industry expect breaches as a rule. The public has little faith in privacy protection because there continues to be near daily stories of breaches. In order to regain control and avoid damaging consequences of security breaches, all industries must embrace a new way of thinking about employee privacy as it relates to security.
Individual employees themselves must also consider that their privacy practices can and will have real impacts on the companies they work for. Just as they wouldn’t feel right about drinking or using drugs on the job because it could result in serious liability issues for their company, they must regard their online privacy management in the same way. Failure could lead to loss of IP and competitive advantage, to say nothing of reputation. Important distinction: security violations are now more often privacy violations as well. Employees’ personal privacy – their external data – must be considered a risk factor in any company’s security.
What Can Employers and Employees Do to Address External Privacy and Security Challenges?
Privacy Bee for Business is one of the few companies today that focuses predominantly on managing external data privacy. Having identified external data privacy as the piece missing from the intersection with cybersecurity, Privacy Bee builds and deploys an array of tools, best practices and processes any organization can engage to exert immediate and effective control over the external data privacy of its entire workforce. Since modern organizations typically retain information systems integrations with numerous vendors, contractors, business partners, etc., Privacy Bee solutions are extensible to protect the external data privacy of vendors.
The platform Privacy Bee delivers includes a powerful array of external data privacy management applications, such as Employee Risk Management for real-time monitoring of employee privacy risks. The tools enable visibility and analytics so security leaders can determine which employees and even which departments in the organization are flagged as highest risk. Privacy scoring helps CISOs set compliance goals and manage thresholds.
The Vendor Risk Management solution elements help analyze all third-party vendors’ external data privacy risks. The tools enable organizations to score all vendors according to relative privacy risk, set compliance goals and risk tolerances, and hold vendors accountable for meeting privacy and security governance goals.
These two and many other solutions, like the External Data Privacy Audit, Privacy Risk Assessment, Vendor & Cookie Consent tools and more, work in aggregate to dramatically reduce instances of data breach. Through proper management of external data privacy, an organization can expect to nearly eliminate cases of spear phishing and other social engineering attacks. They can also help guard employees’ physical safety against threats such as doxxing. The solution also helps minimize instances of employee poaching and other unwanted solicitations by spammers and telemarketers – all of which protects productivity and profitability.
The beauty of the Privacy Bee solution is that it brings every member of the workforce into the effort to protect their data privacy, something most people want to do on their own but may not know how to accomplish. The Privacy Bee methodologies rely on buy-in and collaboration, and they drive success in ways that mandatory training and threat education courses cannot. Direct benefit to all users drives adoption and success in these efforts.
SecurRisks Consulting President and Cybersecurity Consultant Marian Reed told the OKERA report that the shortcoming of most security efforts is that they are applied top-down to protect the whole network. Her recommendation is to bring key stakeholders from the legal, HR, privacy and IT departments together regularly to involve them in the “transformation roadmap”. “Don’t design it, bring it to them and then hope for the best,” concludes Reed. “Instead, make them part of the design phase so that they are actually helping you develop the program to meet the needs of both privacy and security.” Privacy Bee for Business does precisely this and helps ensure the intersection between data privacy and cybersecurity remains intact.