- | 9:00 am
How – and why – your privacy must be protected without compromising security
Data Privacy Day on January 28 is an annual call to action. Here the industry experts share insights on why leaders need to understand the distinction between privacy and security
We’ve seen a stream of data leaks in recent months, and though the stories vary, the takeaway is consistent: Our privacy has never been more vulnerable.
But even as the Middle East sees an unprecedented number of threats, there have been rapid improvements in security and privacy, whether using AI to improve threat detection or creating cryptography that can withstand even a quantum-level computing threat.
Meanwhile, governments in the Middle East are increasingly implementing data privacy and data sovereignty policies. Saudi Arabia’s Personal Data Protection Law expands upon the extraterritoriality approach of GDPR. It applies to any organization processing any data of any individual who has ever been in Saudi Arabia. The UAE’s Personal Data Protection law offers sweeping protections designed in alignment with international standards. It covers everything from the confidentiality of information to individual privacy, with immense weight given to data management and protection, including processing personal data, whether in-country or abroad.
Since 2008, Data Privacy Day on January 28 has served as an annual call to action. The day raises awareness about how organizations can best protect personal information and balance leveraging data to draw insights, personalizing customer experiences, and meeting privacy demands.
We asked the top industry experts to share insights on how organizations can protect privacy without compromising security and why it is important for leaders to understand the distinction between privacy and security.
ROBUST CYBERSECURITY INFRASTRUCTURE
Toni El Inati, RVP Sales, META & CEE, Barracuda Networks
Privacy and security are two sides of the same coin. A robust cybersecurity infrastructure that incorporates protections against attacks such as phishing, ransomware, data leaks, and more will help maintain rather than impact the privacy of customers, partners, employees, and other stakeholders.
Therefore, organizations must carefully consider the balance between leveraging data to draw insights, personalizing customer experiences, and meeting privacy demands. We have seen even the largest companies make missteps here, resulting in losing customer trust and tarnishing the brand’s image and reputation.
Cybersecurity relates to the processes, policies, and technologies organizations use to defend their IT environment and digital data. Privacy, on the other hand, relates to how this data is accessed and utilized. Privacy missteps could be due to shortcomings in the cybersecurity infrastructure that enable unauthorized individuals or attackers to access the data. But they could also be due to intentional actions such as businesses utilizing sensitive data in ways customers didn’t consent to. Thus, robust cybersecurity is an essential part of the equation and does not alone ensure privacy. Organizations need to consider applicable privacy regulations and the expectations of their customers when developing their specific privacy frameworks.
PRIVACY COMPLIANCE AND SECURITY RISK MANAGEMENT
Aaron Turner, SaaS CTO, Vectra AI
There’s been tension between data privacy and security since the early days of GDPR, and there is no easy answer. For example, if a privacy regulation states that a user’s IP address is considered PII and that the correlation of that IP address to the user’s identity cannot be exported outside of the user’s home country, how can a security operations team effectively perform security investigations to assure that international attackers are not focusing on that user? There is no good answer to this conundrum. Some organizations have formed dedicated security operations teams in-country to perform the correlation, but this is an expensive proposition that can be difficult to justify in today’s economic climate.
From an information security perspective, we have not educated business leaders about the distinction between privacy and security. Many companies combine the two functions into one, even making the same person responsible for both in smaller companies. As mentioned previously, the tension between privacy regulations and security operations is that privacy policies implemented by governments can sometimes provide friction in investigating rapidly evolving cyberattacks.
In some cases, privacy regulations have prevented the discovery of data breaches due to the operational restrictions placed on security teams and their ability to correlate data quickly. Making sure that there is a clear distinction between privacy regulation compliance and information security risk management is the first step to avoiding conflicts that can degrade an organization’s cyber security posture.
PAY ATTENTION TO DEPENDENCIES OF DATA PRIVACY
Giuseppe Brizio, CISO EMEA at Qualys
Firstly, let’s clarify the boundaries between data privacy and data security. Data privacy is about protecting the data against unauthorized access, while data security is protecting the data against malicious threats. Relying too much on data privacy, to the detriment of data security, could be an issue.
For instance, data encryption would help the data privacy cause, but without proper data security measures in place (preventing, detecting, and responding to malicious threats), the encrypted data could be deleted, altered, and/or even further encrypted with a different algorithm making it unreadable and/or inaccessible to authorized users. So, organizations need to pay attention to the dependencies of data privacy towards data security to avoid the issue of prioritizing the first at the expense of the latter and consequently exposing the data to risks.
Business leaders must care about data privacy to ensure that only authorized people access the data necessary to perform their job according to their roles and responsibilities. This considers principles like “least privileged access,” to provide access only to the data required to perform the assigned job, and “segregation of duties” by assigning roles, responsibilities, and boundaries to avoid conflicts of interest.
Data privacy, among others, supports preventing insider threat actors from perpetrating their malicious and/or fraudulent activities. Data security is defending data against malicious and accidental threats by focusing on protecting it and including infrastructure security, as data can’t be secured if the related infrastructure is not secured.
As an example of data security, multi-factor authentication (MFA) drastically reduces the likelihood of unauthorized access to data by ensuring that at least two mechanisms are used to verify user identity before granting access to data.
UNDERSTAND 3D
Christopher Hills, Chief Security Strategist, BeyondTrust
Organizations need to understand “3D” – data privacy, data security, and data protection. Data privacy comes by implementing data security to protect against unauthorized use, such as threat actors for example. Once data security is in place, it’s time for data protection, such as availability, preservation, deletion, or destruction. All of these pieces must be considered when you deal with data. How each company accomplishes this effort requires a balance. Too much focus on any of the three or too little could have ill effects.
There is more than just understanding privacy and security. They also have to be protected. Ensuring the proper use of data or how it is accessed falls under privacy. Data Security aims to protect the data from unauthorized access by implementing proper controls and mechanisms. Data Protection then covers the availability of the data and preservation along with proper deletion and/or destruction. Understanding the differences across all three of these, their importance, and how each is applied across data is critical for a business leader to ensure they are handling the data correctly.
DESIGN SECURITY SOLUTIONS WITH PRIVACY AT ITS CORE
Ephrem Tesfai, Sales Engineering Manager META, Genetec
In a world where personal information is frequently collected and commoditized, it is essential to have laws protecting data rights. More and more government agencies recognize the need to hold businesses more accountable and take the initiative.
While all data protection and privacy laws have unique mandates, every organization must evaluate its internal data usage and policies. This can include asking questions such as: what types of data are we collecting? How are we collecting it? Where is data stored? Who is accessing data? With whom and how are we sharing our data?
In today’s world, protecting people requires security teams to collate personal data from essential systems, including video surveillance, check-in kiosks, security checkpoints with biometric technology, automatic license plate recognition, intrusion detection, and tracking systems. However, every organization must thoroughly assess and ensure this data’s security.
Cybercrimes are at an all-time high, and threat actors are becoming far savvier with their attack methods. Therefore, privacy and cybersecurity should be all organizations’ default modes of operation. When security solutions are designed from the ground up with privacy at their core, organizations don’t have to choose between protecting the privacy of individuals, whether employees, customers, or the general public, and their organization’s security.
DIGITAL TRUST IS ESSENTIAL
Saeed Ahmad, Managing Director, MENA, Callsign
The terms data privacy and data security are often used interchangeably, and although they are related, it is crucial to recognize the distinction between them. Simply put, security involves protecting data and ensuring only those permitted access to it, while data privacy consists of limiting the amount collected and how it is used.
As the world transitions towards a more digital future and individuals place more importance on both of these tenets, new challenges are raised — not least the need to balance security, privacy, and user experience. Consumers expect the highest data security and governance standards, but they also want more control over the personal data they share with organizations.
Businesses must understand not just what personal data they hold but also the value of that data to their customers since their data is also their identity. A data breach is not just a data security issue; it is a data privacy issue because it gives away consumers’ identities. The cost of getting data privacy or security wrong is high for businesses, and money is only one facet of the problem.
Digital trust is essential for every company wanting to acquire and retain customers. It is difficult to obtain and easily lost. Few things can harm an organization’s brand and credibility more than a data breach or a well-publicized data privacy violation.
AGILE DATA PROTECTION
Steve Foster, Head of Solutions Engineering, MEA, Netskope
Across the Middle East, particularly in the UAE, Bahrain, Qatar, Oman, and Saudi Arabia, we can see ambitious plans for economic growth. These countries are all investing heavily in new technologies, urban development, smart cities, and scientific innovation, and as a result, are generating exponentially more personal data and intellectual property than ever before. This growth in data makes regulation and legislation for data protection a high priority.
Across the region, we see a mixture of approaches; introducing new data protection laws, maturing existing rules, or expanding the scope of technology regulation to protect individual rights, build trust in new technologies and increase international and regional data flows.
However, it is important to note that the overall regional picture is not uniform. There are different approaches, differing levels of data protection maturity, variable enforcement, and multiple timelines. This complexity in the region will make the need for agile data protection technology more important. The right technology will help ensure that data is protected in a way that complies with a range of regional laws and regulations and will help mitigate the risk of data breaches and other security incidents.