Data Protection and Privacy: Think 360, Demand 360

When it Comes to Data Protection and Privacy, it is Important to Evaluate Where You Are, and Where You Need to Go

If you find yourself reading SecurityWeek articles, you are a person who is aware of and appreciates the importance of (and the difference between) both data protection and privacy. In the pursuit of securing data and maintaining privacy, we all come to realize that it is both a moving target and one that has legal, ethical, and, of course, financial implications. As such, I’ve been pondering easy frameworks through which everyone can get a better grasp of what’s required. I have come to this conclusion: think 360, demand 360.

Long gone are the days when data and privacy could be protected by putting a password between what’s important and unknown adversaries. Now you need to think 360. That means protection from those adversaries, protection from an overreaching authority, protection from your employees and insiders, and finally, protection from yourself. If any of those vectors remains uncovered, the job is not done.

Protection from adversaries is self-explanatory.  Protection from an overreaching authority refers to governments taking liberties when they are not authorized.  Protection from employees refers to your workforce deliberately or unintentionally accessing information they ought not to have, ranging from salary information to protected intellectual property. And finally, protection from yourself refers to the accidental release of information. 

Considering all of these angles, and I’m sure there are others I have not articulated, is, of course, a tall order.  I would say that in the not so distant past, it might not have even been remotely possible.  But today it’s more possible, more actionable – and more affordable than it ever has been.  You just have to understand the 360 nature of data and privacy protection, and you have to have a strategy to address each individual element.  Some technologies and processes can cover more than one, but you have to realize that many of these protections and processes protect one angle but can ignore others.

Let’s take one tiny example: your cloud CRM provider. How do they protect your data from their employees? What about their privileged employees? Do they detect anomalies in data access and movement? How do they respond to government subpoenas? If subpoenaed, do they have the power to release your data, or do you alone have the power to do so? How is your data physically secured? In what physical locations does it reside? What is their patching strategy for vulnerabilities? There are 100 questions like this, and while there’s no perfect answer to all of them, you will never know where you stand if you don’t know the questions to ask... and ask them.

If you embrace 360 thinking and put everything in place, that’s good only until the ink dries on your plan.  You need to regularly review it because what you’re protecting yourself from, who your adversaries are, and what techniques they use are constantly changing.  Not only must you have a 360 mindset, but you also have to realize that the job is never done.  You have to continuously evaluate where you stand relative to this complex and moving environment.

In subsequent columns, I will explore in more detail how to put this framework into action, how to evaluate where you are, and where you need to go. And when I say this, it does not matter whether you are a small business or a large enterprise. The considerations are quite similar even though the tools and methodologies, and of course the costs, vary widely. Regardless, I hope that this 360 framework serves as a tool, a set of evaluation criteria, and, most importantly, a mindset representing not only what’s at stake but the actions we all need to take in the pursuit of data protection and the preservation of privacy.
