When it Comes to Data Protection and Privacy, it is Important to Evaluate Where You Are, and Where You Need to Go
If you find yourself reading SecurityWeek articles, you are a person who is aware of and appreciates the importance of (and the difference between) data protection and privacy. In the pursuit of securing data and maintaining privacy, we all come to realize that it is a moving target, and one with legal, ethical and, of course, financial implications. As such, I have been pondering simple frameworks with which everyone can get a better grasp of what is required. I have come to this conclusion: think 360, demand 360.
Long gone are the days when data and privacy could be protected by putting a password between what is important and unknown adversaries. Now you need to think 360. That means protection from those adversaries, protection from an overreaching authority, protection from your employees and insiders, and finally, protection from yourself. If any of those vectors remains uncovered, the job is not done.
Protection from adversaries is self-explanatory. Protection from an overreaching authority refers to governments taking liberties when they are not authorized. Protection from employees refers to your workforce deliberately or unintentionally accessing information they ought not to have, ranging from salary information to protected intellectual property. And finally, protection from yourself refers to the accidental release of information.
Considering all of these angles, and I am sure there are others I have not articulated, is, of course, a tall order. I would say that in the not so distant past, it might not have been remotely possible. But today it is more possible, more actionable and more affordable than it has ever been. You just have to understand the 360 nature of data and privacy protection, and you have to have a strategy that addresses each individual element. Some technologies and processes cover more than one angle, but you have to recognize that many of them protect one angle while ignoring the others.
Let us take one tiny example: your cloud CRM provider. How do they protect your data from their own employees? What about their privileged employees? Do they detect anomalies in data access and movement? How do they respond to government subpoenas? If subpoenaed, do they have the power to release your data, or do you alone hold that power? How is your data physically secured? In what physical locations does it reside? What is their patching strategy for vulnerabilities? There are 100 questions like this, and while there is no perfect answer to all of them, you will never know where you stand if you do not know the questions to ask. And ask them.
If you embrace 360 thinking and put everything in place, that’s good only until the ink dries on your plan. You need to regularly review it because what you’re protecting yourself from, who your adversaries are, and what techniques they use are constantly changing. Not only must you have a 360 mindset, but you also have to realize that the job is never done. You have to continuously evaluate where you stand relative to this complex and moving environment.
In subsequent columns, I will explore in more detail how to put this framework into action, how to evaluate where you are, and where you need to go. It does not matter whether you are a small business or a large enterprise. The considerations are quite similar even though the tools, the methodologies and, of course, the costs vary widely. Regardless, I hope that this 360 framework serves as a tool, as a set of evaluation criteria and, most importantly, as a mindset representing not only what is at stake but the actions we all need to take in the pursuit of data protection and the preservation of privacy.