If you give your house key to your neighbor, he has the opportunity to snoop around through your vinyl album collection. That has lessons for enterprise security (with fewer copies of David Bowie to worry about).
Whenever I read an article about data privacy, especially when it comes to breaches, I think of my neighbor. I give my neighbor the key to my house in case of emergency, such as a plumbing problem when I’m on vacation. An odd thought goes through my head sometimes: My neighbor has teenage kids; what if they decide to raid my classic ’80s vinyl collection when I’m not home? Maybe that makes me a bit paranoid (not to mention overstating the long-term appeal of Oingo Boingo and Siouxsie and the Banshees), but it highlights the difference between security and privacy, two terms that are often meshed together and confused.
The security piece is the lock on my door that needs a key. Because I handed a copy of that key to my neighbor, I’ve given him authorized access to my home. That creates an ethical contract between us: He won’t rummage through my stuff without me knowing. That’s the privacy bit (he is a trusted party), when someone is given authorized access.
Let’s say the police come to my home when I’m not there. Upon showing my neighbor a warrant, they’re provided access to my house. I might not like it, but that’s legally authorized access — though from a privacy perspective it’s questionable. Why the access? What for? How are the police using what they find? Do I have any unreturned library books? What if the individuals who show up are not really the police but people pretending to be so?
And so we enter the muddy waters of data privacy—because this process (and its moral issues) is as true for your personal data as it is for your enterprise data, or for the data of your customers whom you are trusted to protect.
Of course, when it comes to data, the locks are much different, the controls are different, and (hopefully) we make written contractual agreements with vendors and employees to ensure those controls are enforced. And, if you’re fortunate, your neighbor who might also have your key (think encryption key and your service provider) will at least tell you the police rummaged through your house even if he can’t tell you what exactly for, as in Dropbox’s transparency report.
But these “obvious” business processes around how your employees must handle Personal Identifying Information (PII) or Personal Healthcare Information (PHI) often get neglected. Or we forget about them, in the stack of all the other things to sign and agree with (like we tend to glaze over all that mortgage paperwork we spend hours signing but have no clue what any of it actually means). Throw in the sometimes ambiguous global data privacy acts enacted by countries around the world (see Data Protection Laws of the World) and the fun really begins for your IT department.
I don’t need to look hard to find examples of the dangers of procrastinating on data privacy policies and their implementation. The Federal Communications Commission fined AT&T $25 million, just this month, for failing to protect customers’ personal information, including Social Security numbers, from misuse by its own internal teams. As an AT&T customer, I cringed, and of course I thought about my vinyl collection.
I’m not the only one to cringe about the challenges of data privacy. A recent study conducted by Dimensional Research, at the behest of Druva, discovered that 93 percent of respondents are challenged by data privacy. One big concern is that, for 82 percent of respondents, their employees don’t always follow the company’s existing data privacy policies (citing sales and marketing as the most egregious violators). Not that the employees necessarily know what to do; a large subset of those employees have “insufficient” knowledge to know what’s required to protect sensitive privacy-protected data. (The survey was conducted in March 2015 with 214 IT and business professionals directly associated with enterprise security and privacy.)
This data also aligns well with a recent posting by 451 Group, which discovered that data privacy tops the IT priority list of security challenges.
I’m sure we in the computer industry will address data privacy challenges, just as we’ve gotten better (mostly) at IT security. We’ll keep creating better locks, that’s a given. But we also need to become more consciously aware, innovative, and diligent in building and implementing technologies for protecting data privacy, as locks are just deterrents, not the complete solution. In the meantime, maybe I should move my vinyl collection into the cloud...
About the Author: Dave Packer is Senior Director of Product Marketing at Druva.