Privacy by Design: What it is and where to build it

Wolfgang Kandek, CTO at Qualys

People tend to think about privacy in terms of the individual, but it is also critically important for the proper functioning of any business organization. This is being made increasingly relevant by the recent rise of personalization initiatives that rely on user data to recommend the right products or services to customers. Failing to build privacy into these initiatives creates a major new data breach risk, and thus an added risk to the company. Organizations that wish to control this risk and take privacy seriously are adopting Privacy by Design principles, which were first developed in 2009 on the notion that privacy cannot be assured solely by compliance with regulatory standards.

IT security is, of course, the critical element here, and the great challenge is building security into different areas across the entire business. The three main areas to look at are:

Application development

Security’s role within the development process has to become more prominent. Agile development – delivering software to the business faster and fixing problems as they arise – cannot be the inspiration for an organization’s approach to security. Instead, an ethos of “measure twice, cut once” should guide security practices, with the added benefit that prioritizing app security quality will reduce the number of fixes that will be required later. This will improve the quality of the software and keep customer data private and secure.

Third party IT providers

When it comes to cloud services, the most important thing is ensuring that third parties are measuring up to their promises around security and data privacy. Those commitments should be written into any vendor contract, and they should be audited on a regular basis. Cloud security services can, of course, also be used to the organization’s benefit, to help track devices and software updates and so ensure that the organization’s vulnerability management strategy is enforced.

IT asset management

Visibility into all IT assets has to be improved in order to help ensure security and build in more privacy controls. Monitoring mobile and other devices that are used for corporate tasks is generally an area in need of serious improvement, as is the need to make sure that security updates on these devices are routinely applied.

The number of patches for operating systems like Windows continues to grow. OS X had the highest number of CVEs published in 2015, and Adobe Flash, a popular attack target, frequently receives patches for zero-day vulnerabilities. When devices are outside the corporate network, keeping track of whether patches have been applied becomes more difficult. Visibility is imperative. If IT admins are able to continuously scan these assets – whether the devices are inside the corporate network or not – they can be sure that updates have been applied and that systems are as secure as possible. Mobile, PC and tablet devices can also have their security status checked to ensure that all the right steps have been taken. In the event of a lost device, data can be wiped.
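The point about visibility can be made concrete with a small patch-compliance check over an asset inventory. The following is an added example written for this article, not code from the author or from Qualys; the baseline versions, the inventory records, the fixed "current time" and the seven-day freshness window are all constructed placeholders. It shows two things the text argues for: the verdict does not depend on whether a device is on the corporate network, and a device the scanner has not seen recently is reported as "unknown" rather than silently counted as patched.

```python
# Added example (not from the article or from Qualys): a minimal patch-compliance
# and visibility check over a constructed asset inventory.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed baseline: minimum acceptable version per component.
# The version strings are placeholders, not real build numbers.
BASELINE = {
    "os": "10.0.1045",
    "flash": "20.0.0.306",
}

# Constructed "current time" so the example is deterministic.
NOW = datetime(2016, 3, 1, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=7)   # scan data older than this counts as no visibility


@dataclass
class Asset:
    host: str
    location: str                 # "corporate" or "remote"; deliberately not used in the verdict
    last_seen: datetime           # time of the last successful scan check-in
    versions: dict = field(default_factory=dict)   # component -> installed version


def version_tuple(v: str) -> tuple:
    """Compare dotted numeric versions numerically; as strings "10.0.9" > "10.0.10"."""
    return tuple(int(part) for part in v.split("."))


def missing_patches(asset: Asset, baseline: dict) -> list:
    """Components that the scan did not report or that are below the baseline version."""
    return sorted(
        comp for comp, required in baseline.items()
        if comp not in asset.versions
        or version_tuple(asset.versions[comp]) < version_tuple(required)
    )


def classify(asset: Asset, baseline: dict, now: datetime, max_age: timedelta) -> tuple:
    """Return (status, missing) with status 'unknown', 'out_of_date' or 'compliant'."""
    if now - asset.last_seen > max_age:
        # Stale data says nothing about the current patch state: report a
        # visibility gap instead of assuming the device is patched.
        return "unknown", []
    missing = missing_patches(asset, baseline)
    return ("out_of_date" if missing else "compliant"), missing


def report(assets, baseline=BASELINE, now=NOW, max_age=MAX_AGE) -> dict:
    """Group hosts by status so 'unknown' and 'out_of_date' can be worked separately."""
    out = {"compliant": [], "out_of_date": [], "unknown": []}
    for asset in assets:
        status, missing = classify(asset, baseline, now, max_age)
        out[status].append((asset.host, missing))
    return out


# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("desk-01", "corporate", NOW - timedelta(days=1),
          {"os": "10.0.1045", "flash": "20.0.0.306"}),
    Asset("laptop-07", "remote", NOW - timedelta(days=2),
          {"os": "10.0.1045", "flash": "20.0.0.286"}),   # Flash below baseline
    Asset("laptop-12", "remote", NOW - timedelta(days=30),
          {"os": "10.0.1045", "flash": "20.0.0.306"}),   # looks current, but the data is a month old
    Asset("tablet-03", "corporate", NOW - timedelta(hours=3),
          {"os": "10.0.1040"}),                          # old OS build, Flash not reported
]

if __name__ == "__main__":
    for status, hosts in report(SAMPLE_ASSETS).items():
        print(status, hosts)
```

A real deployment would replace the constructed inventory with scanner output and tune the freshness window to how often remote devices can check in; the design choice worth keeping is the separate "unknown" bucket, which is what turns a lack of visibility into an actionable item rather than a false sense of coverage.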

There are well-known challenges affecting each of these areas. One is the sheer pace of change in the world of tech. The proliferation of cloud services, mobile computing and flexible working schedules means that companies have spread their IT assets much more widely. Where data was once physically located on a desktop in a locked building and connected to servers sitting behind one big firewall, now it can be held on laptops that never see the inside of a company office. Such a laptop may never even be seen by the IT team, which then has no way to confirm that updates have been installed. This makes it much more difficult to enforce data security and data privacy across all the moving parts involved. Many companies rely on individuals “doing the right thing” as far as the business is concerned, which is never an adequate approach.

Meanwhile, the internal IT network is shrinking as more IT services get moved to the cloud. When this causes IT to lose some of the control over how data is managed and stored over time, it can make it more difficult to enforce the principles of Privacy by Design. If a third party service provider makes a mistake or changes its approach to handling data without making this clear to the organization, then data privacy is jeopardized. Think of how many times Facebook, for example, has changed its privacy settings. Imagine this happening across multiple IT services for thousands of users and you can see the potential magnitude of the problem of losing control over the policies affecting sensitive information.

But the newest and perhaps greatest challenge is that all of these changes have coincided with an increasing public awareness of threats to customer privacy, driven in part by the rise of the personalization efforts mentioned earlier. Consumers are aware their information is being tracked and they want to know that it’s being protected and used responsibly. CIOs would be wise to listen to customer concerns and respond by employing Privacy by Design. All companies can do this by building security directly into their business processes, thereby showing that they genuinely respect data privacy.
