Editor’s Note: Here’s a crazy thought – what if organizations resolved to meet the customer’s needs, wants and tolerances across the entire spectrum of engagement – including their customer data? Forgive the sarcasm but the idea that data privacy is a separate conversation from customer engagement is an antiquated one.
Privacy and cybersecurity continue to be top of mind for global regulators and consumers. In the United States, Europe and the rest of the world, a plethora of new legislation is giving consumers more data rights and protections — and enacting stricter consequences for businesses who violate these laws.
The only way to adequately protect consumer data is to understand the intentions and motivations of its end users and design data privacy policies with their interests in mind.
A Quickly Shifting Privacy Landscape
Between the nightly news or social media feeds, people are confronted on a regular basis with the latest data breach and have, in turn, become more security aware than ever before. The exposure of Facebook’s questionable business practices surrounding user data, alongside major data breaches at organizations including Equifax, British Airways and Marriott, has caused damage for consumers and companies alike. It’s also pushed governments across the globe to embrace regulations that better protect consumer privacy. The EU GDPR and the California Consumer Privacy Act will hardly be the last attempts at ensuring companies’ business practices appropriately conform to societal expectations of personal data privacy and rights.
As enterprises develop data optimization and protection strategies, they’re faced with a constantly shifting information landscape. Increasingly, more applications and transactions are happening over the internet, the cloud is redefining our notion of the “perimeter” around which we can build protective walls, and worker mobility and use of personal devices (also known as “shadow IT”) is impacting the role of IT. Organizations must grapple with a future of data privacy that’s tied to ever-evolving disruptive technologies — technologies that result in increasingly more data and more opportunities for breaches and misuse, whether accidental or intentional.
Tips for Creating Stronger Security Programs
So, what does this mean to the economics of a security program? How can you (and should you) protect everything against everyone?
1. Make systems easy to use securely and difficult to use insecurely
This is a critical point and probably one of the single largest opportunities for security programs to be revamped. Make it easier for your end users to do the right thing than the wrong thing. Consider an internal app store or identity-based security system to help employees access the applications they need while preventing them from using unsecure alternatives that haven’t been approved by IT.
2. Create common sense policies, rules and IT controls
Audit your current technological offerings to ensure employees have the tools and systems they need to do their jobs effectively. Don’t set up policies that are so cumbersome and restrictive that your employees are pushed to use private cloud options (Dropbox, Google Docs, etc.). At the end of the day, your employees will do what they need to do to get their job done. Join them in making it simple to use the systems you can control.
3. Confirm that users are properly managing sensitive information
Either intentional or unintentional, insiders represent the greatest threat to your data protection program. Fortunately, they’re also the threat you can do the most to alleviate. While it’s important to trust your end users to appropriately identify and classify any sensitive data they’re handling or creating, you should also verify that they’re doing so. Using a combined or “layered” approach to data classification can ensure that the policies, training and tools you provide are properly understood and integrated into the day-to-day tasks of your workforce.
4. Adopt a risk-based approach to your data protection program
To have a holistic and effective data privacy and data security program, you must understand there is no such thing as perfect security. A risk-based approach often starts with the legal and compliance team and ends with the CISO — but don’t lose sight of your everyday business user in the process. Additionally, privacy professionals need to look beyond their legal backgrounds to understand the rapidly evolving world of technology and its practical uses. They should align closely with their security and IT counterparts for a big picture perspective of the technological limitations and possibilities affecting their company.
Think of Your Privacy Controls as a Safety Mechanism
Creating a pervasive culture of security and privacy within your organization requires a comprehensive understanding of why and how employees are engaging with data and information. Once you know these motivations and intentions, you can establish policies and protocols that enable your business to use data to its maximum capacity. Think about the brakes on cars — most people assume they simply stop or slow you down. But they’re also the safety mechanism that enables cars to go as fast as they do. Your privacy and security controls should work the same way. Rather than impeding your business from doing its job, proper security protocols allow you to realize the full potential of your data.
Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer, AvePoint, Inc. She is responsible for executive level consulting, research and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts and solutions for risk management and compliance.