Many organizations think data security and data privacy are separate concerns. Adam Laub thinks differently, and his thoughts on the subject are worth paying attention to. Adam is the general manager at Stealthbits Technologies, a cybersecurity software company focused on protecting an organization’s sensitive data and the credentials attackers use to steal that data. Recently, I asked Adam to explain why companies often separate the idea of securing their business data from safeguarding the privacy of their customers’ personal information. What follows are some thoughts that he shared with me on this important subject.
Data security and data privacy: Two sides of the same coin
A brief look into the history of data privacy will quickly and clearly reveal how the concepts of privacy and security collided over a decade ago when the U.S. attempted (and failed) to pass the Personal Data Privacy and Security Act of 2009. Interestingly, privacy and security are often spoken about as two disparate subjects, rather than a fusion of disciplines and capabilities that ensure data is protected from unauthorized use and access.
As cybercrime wasn’t really the “thing” it is today when the first data privacy laws came into existence in the 1970s, it’s not a complete mystery why some people may still silo the subject of privacy purely into how data is processed. A survey conducted by KPMG in July 2020 (New Imperative for Corporate Data Responsibility), however, revealed a definitive conflation of data security and data privacy concerns among consumers: to them, they are the same. And you know what? They aren’t wrong.
Different perspectives on data
Managing and controlling how data is processed is different from detecting and responding to a ransomware attack. But in the eyes of consumers, or of the more modern data privacy regulations their information is governed by, a failure to use or protect consumer information properly is a failure all the same. After all, what is the difference between an organization using your information in ways they said they wouldn’t, or in ways you never said they could, and an attacker doing the same without your input?
For years, consumers’ personal information has been harvested en masse by many organizations they’ve done business with or shared it with, only to be sold to other businesses and seldom managed in accordance with sound security principles. Stored in virtually every possible data format across virtually every conceivable location, this personally identifiable information (PII) is specifically targeted and easily exfiltrated by cybercriminals. This results in the compromised identities of millions of individuals around the world, trillions of dollars in losses, and thus the rise of data privacy regulations like the EU’s GDPR and California’s CCPA.
From a use-case perspective, we can still treat data security and data privacy as two separate concepts (the former focusing on keeping data safe and the latter about the processes surrounding the use and handling of regulated data). It’s really not one vs. the other. It’s purely the lens through which the data is viewed that makes the difference in terms of an action that needs to take place.
Who’s to blame?
When looking at how so many breach scenarios begin these days, it’s tempting, and perhaps even appropriate, to point the proverbial finger at a number of key contributors.
Take credential stuffing, for example: an attack technique where username and password pairings commonly obtained from a prior breach are used to gain access to another business’s systems or services. Responses to the aforementioned KPMG survey reveal that consumers have a responsibility to protect consumer data. About 75 percent of Americans say they consider it risky to use the same password for multiple accounts, use public WiFi, or save a card to a website or online store. Yet more than 40 percent of consumers engage in those behaviors. So, are consumers to blame for our global data breach conundrum? After all, so many breaches begin with their insecure online behaviors.
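Credential stuffing has a recognizable signature on the defender's side: one source tries many different usernames in a short window and most attempts fail, which is the opposite of a brute-force attack hammering one account. The following detection logic, an added example rather than code from the article or from Stealthbits, runs over a constructed authentication log in an assumed `result=… user=… src=…` format and flags sources matching that pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): 203.0.113.7 cycles through
# usernames within seconds; 198.51.100.9 is one user mistyping their password.
SAMPLE_LOG = """\
2020-07-01T10:00:01Z login result=fail user=alice src=203.0.113.7
2020-07-01T10:00:02Z login result=fail user=bob src=203.0.113.7
2020-07-01T10:00:02Z login result=fail user=carol src=203.0.113.7
2020-07-01T10:00:03Z login result=success user=dave src=203.0.113.7
2020-07-01T10:00:04Z login result=fail user=erin src=203.0.113.7
2020-07-01T10:00:05Z login result=fail user=frank src=203.0.113.7
2020-07-01T10:00:30Z login result=fail user=alice src=198.51.100.9
2020-07-01T10:01:10Z login result=success user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Parse lines matching LINE_RE into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {src: (distinct_users, failures, attempts)} for sources that try
    many different usernames inside one time window with mostly failures.
    A single account hammered from one source has one user and is not flagged."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0  # left edge of the sliding time window
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] != "success")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # keep the widest qualifying window seen for this source
                flagged[src] = max(flagged.get(src, (0, 0, 0)), (len(users), fails, len(win)))
    return flagged
```

Note that the one successful login from 203.0.113.7 is counted inside the flagged window: a stuffing run that succeeds once is exactly the case worth alerting on.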
On the opposite end of the spectrum, what about when the organizations that consumers have entrusted to keep their data safe leave the doors wide open for anyone with an internet connection to walk away with 49,000,000 user records? In 2019, there were 7,098 breaches and 15.1 billion records exposed within Amazon S3 environments alone, many due to human error in securing access rights and other misconfigurations.
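The "doors wide open" case usually comes down to a bucket policy that grants access to an anonymous principal. The check below is an added example (not code from the article or from Stealthbits) that parses a constructed S3 bucket policy document and reports Allow statements whose Principal is `*` or `{"AWS": "*"}`, separating unconditional grants from ones that carry a Condition and need manual review; the bucket and account identifiers are placeholders.

```python
import json

# Constructed policy (placeholder bucket name): world-readable, the misconfiguration to catch.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-customer-records",
                     "arn:aws:s3:::example-customer-records/*"]
    }]
})

# Constructed policy restricted to one role in a placeholder account: the corrected form.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-records/*"
    }]
})

def _as_list(v):
    # Policy fields may be a single string or a list; normalise to a list.
    return v if isinstance(v, list) else [v]

def _is_anonymous(principal):
    """True when a statement's Principal grants to everyone ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(p) for p in principal.values())
    return False

def find_public_statements(policy_json):
    """Return [(sid, 'public' | 'review')] for Allow statements with an anonymous principal.
    'public' means no Condition limits the grant; 'review' means a Condition exists
    (e.g. a source-IP restriction) and a human should decide whether it is tight enough."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")):
            verdict = "review" if stmt.get("Condition") else "public"
            findings.append((stmt.get("Sid", "<no Sid>"), verdict))
    return findings
```

A bucket-level Public Access Block or an ACL can widen or narrow what the policy alone implies, so treat this as one input to an access-rights audit rather than the whole verdict.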
The point is there’s plenty of blame to go around. Still, there’s no doubt that both record-givers (consumers) and record-holders (companies) need to do a better job ensuring data is protected from unauthorized use and access.
What can we do?
For consumers, simply engaging in better habits online could pay tremendous dividends. Better identification and avoidance of phishing schemes or the use of password managers, like LastPass, Dashlane, or 1Password, could mean the breach of one organization they do business with doesn’t mean a breach of all organizations they do business with.
While the focus on the data is critical to the data security and privacy equation, it is but one aspect requiring serious time and attention. From an organizational perspective, there are dozens of factors to consider based on the makeup and intricacies of one network versus another. For starters, organizations can strengthen security and privacy by removing accounts that maintain persistent (standing) privileged access rights across all possible systems and applications. Equally important is locating and securing sensitive consumer data across all data repositories. The former helps drastically mitigate the risk of lateral movement associated with ransomware and other advanced threats. The latter helps align with concepts such as privacy by design and facilitates data subject access requests when consumers invoke their Right to be Forgotten.
For primarily cloud-based organizations invested heavily in Microsoft, solutions like Microsoft Information Protection and Azure Privileged Identity Management are popular options. For those operating in more hybrid and heterogeneous capacities, solutions from Stealthbits, such as StealthAUDIT and Stealthbits Privileged Activity Manager (SbPAM), provide the capabilities needed to make significant strides in these areas and others.
The next step
While data security can be achieved without consideration of data privacy, data privacy cannot be achieved without data security. It is because of this that data privacy is data security — not just a series of processes and procedures to be argued over by compliance officers and legal teams. When addressed from a security perspective, organizations can, and most often will, achieve greater privacy and compliance outcomes. It’s all about the lens through which you look at data.