Want better information security? Add better privacy practices to your organization.
The results are in: the GDPR is security's new best friend. The new privacy law has made a significant impact on how businesses manage information, and since it came into force, smart organizations that operate in Europe have been paying attention. Aside from avoiding fines for non-compliance, it turns out the law is a boon for cybersecurity. A study by Bitsight reveals that organizations within Europe improved their security over the past year. That alone is no small feat, but looking at the timeline it's clear the GDPR had a role: Bitsight's analysis shows security improving in step with the law's effective date.
How could a new privacy law have such a bold impact on cyber security? By mandating practices that raise organizational accountability and reduce risk. Privacy has value, not only to your customers, but to your organizational practices. While it may be tempting to leave privacy purely to the legal department, organizations that also treat it as an IT exercise benefit. Robust privacy enhances information security.
The bonus of data breach notification laws
At the outset, data breach notification laws might appear to be bad news for security. Revealing too much information about a breach can hurt forensic investigations. It takes time for analysts to understand what went wrong. This is why security breaches have traditionally been kept quiet: find out what went wrong, call the police, patch the hole. A hacker who believes they've gotten away with it is much easier to catch than one who has been tipped off.
Unfortunately, however, staying silent on a data breach can immediately damage users. Information moves fast, and so do successful attackers. Customers unaware that their personal data was stolen are at risk of further attacks, including identity theft. This, combined with poor past practices, means privacy legislation is increasingly cracking down on organizations that stay silent. The GDPR mandates that companies must disclose news of a breach to data subjects within 72 hours. Other countries are following suit, including Canada, Singapore and New Zealand.
The good news for security professionals is that data breach disclosure laws are a boon for buy-in. Disclosure laws mean data breaches can no longer be swept under the enterprise rug. Companies would much rather devote time and energy to keeping a breach from happening than make it news. Organizations uncomfortable with poor public relations are now investing in stronger safeguards. While it's true hackers are a cunning lot, no one wants to announce a breach that was preventable. A data breach becomes a concern of IT, communications and future sales, and investing in better security to stop breaches gets a higher place in the business budget.
Cutting back on who can see sensitive information
What personal data does your organization collect, and who can access it? A pivotal point of privacy is clear information management. We cannot comply with a law if we don't know when it applies to our information holdings. We can't claim personal information is 'private' if we don't know who gets to see it.
Access controls are a natural fit for privacy. Once you have established who needs to view personal information, the next step is confirming that only those people have permission to do so. Under paper systems, access controls mean locked offices and cabinets. In cyber security, they mean closed server rooms, operating-system permissions and encrypted files. If a staff member steals information, a narrow access list makes it a short job to determine whose account the leak came from. Some privacy legislation even requires log management, to establish when information is accessed and by whom.
Access controls are also significant safeguards for the rest of the information system. One of the most-cited reasons for successful hacks remains the phishing attempt: fool the legitimate user into handing over their keys, and walk through the front door. However, the risk is reduced by privacy controls that limit access to sensitive data: suddenly every key won't work in every door.
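The two ideas above, field-level least privilege plus an access log that narrows down whose account a leak came from, as an added example that is not part of the original post. The record, roles, field names and user accounts are constructed for illustration; the national_id value is a placeholder, not a real identifier.

```python
"""Added example (not from the original post): least-privilege access to a
customer record, with an audit log that narrows the suspect list for a leak.
Roles, fields and users are constructed for illustration."""
from datetime import datetime, timezone

# Constructed sample record with one sensitive field (placeholder value).
CUSTOMER = {"id": 1042, "name": "A. Example", "email": "a@example.invalid",
            "national_id": "000-00-0000"}

# Field-level permissions per role (constructed). Support staff see what their
# job needs and no more; only the compliance role may read the national id.
ROLE_FIELDS = {
    "support":    {"id", "name", "email"},
    "marketing":  {"id", "name"},
    "compliance": {"id", "name", "email", "national_id"},
}


class AccessDenied(Exception):
    pass


class RecordStore:
    def __init__(self, record, role_fields):
        self._record = dict(record)
        self._role_fields = role_fields
        # Every attempt is logged: (timestamp, user, role, field, allowed).
        self.audit_log = []

    def read_field(self, user, role, field):
        """Return a field only if the role is allowed to see it; log every attempt,
        including denied ones, so unusual access patterns can be detected later."""
        allowed = field in self._role_fields.get(role, set())
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, user, role, field, allowed))
        if not allowed:
            raise AccessDenied(f"{user} ({role}) may not read {field}")
        return self._record[field]

    def who_accessed(self, field):
        """Accounts that successfully read `field`: if that field leaks, this is
        the candidate list, and least privilege keeps it short."""
        return sorted({u for _, u, _, f, ok in self.audit_log if f == field and ok})


def simulate():
    """Constructed sequence of reads: a phished support account (alice) trying
    the sensitive field is denied, so it never joins the suspect list."""
    store = RecordStore(CUSTOMER, ROLE_FIELDS)
    attempts = [("alice", "support", "email"),
                ("bob", "marketing", "national_id"),
                ("carol", "compliance", "national_id"),
                ("alice", "support", "national_id")]
    for user, role, field in attempts:
        try:
            store.read_field(user, role, field)
        except AccessDenied:
            pass
    return store


if __name__ == "__main__":
    s = simulate()
    print("Accounts that could have leaked national_id:", s.who_accessed("national_id"))
    for entry in s.audit_log:
        print(entry)
```

Denied attempts are kept in the log on purpose: a compromised account probing fields it has no business reading is exactly the signal a reviewer of the log wants to see.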
User awareness and practice buy-in
You know how you're protecting your system, but what are your customers doing? How can your organization prevent an attack on a user's account that uses their own password? In some cases, it seems like there's very little we can do. Software can mandate password practices. Location logging can confirm the user is logging in from their usual country. We can set up two-factor authentication, but how do we get our customers to use it?
By promoting privacy, that's how.
Privacy is the answer to the age-old sales question: what's in it for me? Users concerned about privacy are more likely to pay attention to practices. Active opt-ins encourage engagement, and more awareness of the information they are providing. Privacy notices are clear communications to the user on how their data is important. Why not also include more details on how else they can protect it?
Framing security with privacy also assists during staff technology training. Which would you, as a learner, be more apt to pay attention to: company best practices, or advice on avoiding fraud with your own bank account? All hands on deck is critical, and security is an even bigger deal when people make personal connections.
Asking why the risks are worth it
One of the critical differences between privacy and security is the scope of concerns. Security asks "how is this information protected?". In his ebook "Five Lessons I Learned Transitioning from Security to Privacy", James Park asserts that privacy asks "why do we need this information to begin with?". It's not enough to set up safeguards: if you are going through the trouble of protecting the information, a good business case demands knowing 'why'. Could an organization achieve its objectives if it limited information collection? Privacy means cutting back on the data we don't need, and smaller information holdings reduce the target on your back.
Good privacy practices also advocate holding on to information for less time. Retention schedules set the criteria for when to dispose of information. A smart policy also stipulates how to destroy the information, such as shredding documents or zeroing the disks. By destroying information that is no longer of value, security can free up resources better used elsewhere, including less storage space and fewer spots to monitor.
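A retention sweep of the kind described above, as an added example that is not from the original post. The record classes, retention periods, legal-hold flag and sample records are all constructed; a real schedule comes from your legal and privacy requirements, and the "zeroing" here only overwrites an in-memory payload to illustrate destroy-before-delete.

```python
"""Added example (not from the original post): a retention sweep that finds
records past their retention period, respects legal holds, flags records of
unknown class for review, and overwrites payloads before deleting them.
The schedule and records below are constructed for illustration."""
from datetime import date

# Constructed retention schedule: days to keep each record class after its
# last activity. Unknown classes are never auto-disposed.
RETENTION_DAYS = {"support_ticket": 365, "marketing_lead": 180, "invoice": 7 * 365}


def sample_records():
    """Constructed records. 'hold' marks a legal hold that overrides the schedule."""
    return [
        {"id": 1, "kind": "support_ticket", "last_activity": date(2018, 1, 10), "hold": False, "data": "ticket text"},
        {"id": 2, "kind": "support_ticket", "last_activity": date(2019, 3, 1), "hold": False, "data": "ticket text"},
        {"id": 3, "kind": "marketing_lead", "last_activity": date(2018, 11, 1), "hold": True, "data": "lead notes"},
        {"id": 4, "kind": "invoice", "last_activity": date(2011, 1, 1), "hold": False, "data": "invoice body"},
        {"id": 5, "kind": "unknown_export", "last_activity": date(2010, 1, 1), "hold": False, "data": "mystery"},
    ]


def classify(records, today, schedule=RETENTION_DAYS):
    """Split records into (due for disposal, kept, needs review)."""
    due, kept, review = [], [], []
    for r in records:
        limit = schedule.get(r["kind"])
        if limit is None:
            review.append(r)  # no schedule entry: a human decides, not the script
            continue
        expired = (today - r["last_activity"]).days > limit
        if expired and not r["hold"]:
            due.append(r)
        else:
            kept.append(r)
    return due, kept, review


def dispose(record, today):
    """Overwrite the payload before removing it (the in-memory stand-in for
    zeroing a disk), then record when disposal happened for the audit trail."""
    record["data"] = "\0" * len(record["data"])
    del record["data"]
    record["disposed_on"] = today
    return record


def run_sweep(today):
    records = sample_records()
    due, kept, review = classify(records, today)
    for r in due:
        dispose(r, today)
    return {"disposed": [r["id"] for r in due],
            "kept": [r["id"] for r in kept],
            "review": [r["id"] for r in review]}


if __name__ == "__main__":
    print(run_sweep(date(2019, 6, 1)))
```

Two design points worth keeping in a real sweep: a legal hold must win over the schedule, and a record class the schedule does not know about is a policy gap to report, not something to delete by default.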
Not every organization is compliant with the GDPR, but many are trying. Going forward, it will be interesting to see the security statistics one year from now. We know that data breach notification laws can reduce identity theft; will the GDPR raise the bar? Could the trend encourage other countries looking to adopt similar laws? Hopefully yes; while the GDPR is far from perfect, it is making more organizations take privacy seriously, which then supports stronger information security.