What’s the Difference Between Data Security & Data Privacy?
Posted on
What’s the Difference Between Data Security & Data Privacy?

“Data Privacy” and “Data Security” are two terms that can sometimes be used interchangeably. Especially by those who aren’t in the field of data protection. However, in this particular sector of the industry, they mean two very different things. Understanding the relationship between them is essential for grasping the complexity of regulatory compliance. This article is a quick primer that illustrates how privacy and security differ and how they work together as building blocks of regular data operation.

Data Security vs Data Privacy

In simple terms, security means securing data against unauthorized access. Privacy is about managing and defining authorized access. Data security is a technical issue that involves building robust defense mechanisms in your digital infrastructure. Data privacy is questioning and tackling legal and legislative spheres.

One of the most important relationships to note is that data privacy pre-supposes security. The GDPR doesn’t contain prescriptive instructions for how organizations should fortify their network because the only way for its privacy provisions to get followed is with data security. If a cybercriminal steals someone’s PII, it’s evident they are violating someone’s privacy rights.

So, data privacy assumes data security. Does the reverse hold? Does data security include data privacy? No, but organizations fall into the trap of making this assumption often. In so doing, they can avoid taking necessary regulatory compliance steps.

Conclusion

It’s not enough to protect data from outside attacks. Managing and enforcing internal permissions – i.e., managing privacy – is a vital piece of the puzzle for any business to be compliant with the latest data regulation. Internal privacy controls can be complicated and time-consuming in a large company. Something as simple as employees copying files onto personal flash drives can sink a carefully constructed operation. However, the effort to keep data processes watertight is an essential cost of doing business in 2019. Moreover, the cost of failing to invest in both security and privacy can prove disastrous.

Data Security: 4 Ways Your Team Can Do Better
Posted on
Data Security: 4 Ways Your Team Can Do Better

In recent years, news coverage of high profile data breaches resulted in the assumption that data heists are always sophisticated efforts by devious hackers in far-off lands. The reality is much more plain. 

According to a recent study by Securis, simple employee error causes 25% of data breaches. If your team spends all its time anticipating black swan events, it’s easy to overlook everyday safeguards. Organizations need to take the necessary steps to keep data secure in a fast-moving business environment. In some jurisdictions (EU), a designated Data Protection Officer oversees the day-to-day management of organizational data security processes. 

If you’re a large organization operating in GDPR territory or an SME preparing for greater data regulation (CCPA), you can take these four steps to get the basics right.

First: Think Physical.

Imagine you’ve spent months testing your infrastructure. You’ve ensured your site has the necessary certificates and building the protocols to store data securely and anonymously. Then, someone from marketing leaves a USB stick on the table of a coffee shop. And just like that, all the hard work gets undone in an instant.

Technical teams can think beyond the way data is stored. They can think through the way their team members, mainly non-technical team members, access and transport company data. Take responsibility by educating those who are ignorant. Teach their non-technical team members the level of caution needed when handling this precious resource. 

In real terms, this means workshopping and hosting seminars to educate the rest of the organization around best practices and warned of the consequences that can occur when casual attitudes prevail.

Second: Keep Access Control Granular.

Despite your best efforts, technical teams must understand that every employee constitutes a security risk and a potential access point for data thieves. Consequently, organizations should work to make data access as granular as possible. 

No one team member should have access to anything more than the data that is necessary to do their job. An “all-or-nothing” access policy avoided at all costs. Also, you can apply this philosophy to development work and third-party services and applications. 

Not only are password management tools and critical vaults essential for your developers, but you should and must limit access for individual services and systems. Limit access to the data necessary to complete the function performed only.

Third: Password Policies Matter.

If your organization has thought proactively about the previous two priority points, you’ll also need to remember the fact that passwords are the first line of defense. Passwords are the most vulnerable access point to security breaches. 

Build password protection into your company’s IT architecture to increase security for every employee and customer. Risk drastically reduces by providing customers and staff with a two-factor authentication login procedure. Furthermore, passwords to company networks and systems become safeguarded with 2FA and encryption at all times.

Fourth: Use Regulations As A Guidepost.

The landscape is ever-evolving. Companies loathe sharing the inner-workings of their data systems with the world. SME’s becomes challenged when gauging whether they have taken the appropriate steps to safeguard customer and business data. 

Here, it can be useful to compare your policies against the regulations laid out in frameworks like the GDPR, the CCPA, and HIPAA. These regulations are laws of their lands. They are also a good summary of the minimum level of performance and security that organizations need to be building into their data infrastructure. What’s more, they’re not all that complex, particularly if you have experience with the subject matter. 

We encourage developers to go straight to the source and familiarize themselves with the articles of the GDPR as a handy starting point for thinking about data security.

Published from our Privacy Magazine – To read more, visit Privacy.dev

Security & Privacy: Minimizing Data Breach Risk at the Source
Posted on
Security & Privacy: Minimizing Data Breach Risk at the Source

Thus far, we’ve spent much time examining the core principles of the GDPR and other pieces of data regulation. We’ve worked through some of the implications these documents carry for the UX and back-end functionality of consumer-facing applications. However, there are many other components to your business’s robust, secure data operation. Let’s look at the core principles of ensuring your hardware, software, and applications are securely spec’d to withstand attack. It’s no secret, threats to digital security are on the rise. The consequences of a data breaches are a PR nightmare of epic proportions (Hello Equifax). Start with the steps to get smart about your company’s infrastructure.

Encrypt On-Premise Storage Devices

Many businesses continue to use SSD’s and HDD’s as a backup storage solution. Data on these devices should get encrypted and password-protected in the first place. Doing so significantly reduces the risk that bad actors will access if a storage device is compromised.

Assess Network Security

The infrastructure hosting company communications are vital to your ability to do business. Each device is a potential security breach point to malicious outsiders. Your wireless router, your company phones, and your web servers. It’s easy to overlook these when you’re just starting your company. We strongly recommend that even small startups get serious about protecting their data. You can do this by conducting a network security assessment, identifying potential risks to your systems while working with partners on mitigation. It may seem like overkill. So remember, what you do now will save you in the future, especially where you’re a success and proliferate. You start becoming a higher target and risk increases. Getting your house in order now will safeguard you in the future.

Employ Due Diligence with Hosting Platforms, Third-Party Libraries, and Code

Online resources are a great way to develop solutions quickly. Hence, SaaS platforms have grown increasingly popular. Third-party libraries have also been an essential tool for letting development teams work efficiently. One should never assume any one of these resources is impervious to attack. Your organization must perform its due diligence on any modular solution it uses as part of its solution. Do your users, customers, and/or org report vulnerabilities? What are the ways to mitigate them?

Compliance Criteria

At a minimum, cloud service providers should be complying with criteria such as:

  • SOC 2 (SSAE16/ISAE 3402) – a report based on AICPA’s existing Trust Services principles and standards that evaluates an organization’s InfoSec, availability, processing, and confidentiality capabilities.
  • ISO 27001 – This is one of the most widely recognized, internationally accepted independent security standards A framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.
  • ISO 27018 – An international standard of practice for the protection of personally identifiable information (PII) in public cloud services.
  • PCI-DSS – If your company intends to accept card payment, and store, process and transmit cardholder data, you need to host your data securely with a PCI compliant provider.
  • Privacy Shield – Privacy Shield Frameworks are designed to provide a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States.
  • FedRAMP – The Federal Risk and Authorization Management Program is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

In some cases, it can be the right business decision to forsake the security features included with a given hosting platform to build your own. If your company is handling financial data, we recommend building your code from scratch. Additionally, using a five-level encryption process to ensure no one can read the data even if stolen during transfer.

SSL Your Site

Lastly, on the point of data transfer, it is increasingly a non-negotiable for business conducting any online commerce to invest in an SSL certificate. An SSL Cert, in the words of the makers themselves, “is used to keep sensitive information sent across the Internet encrypted so that only the intended recipient can access it.” If you’re in development, you understand the many waypoints a piece of data travels through in its transmission; encryption is vital. Furthermore, SSL Certs provide authentication that lets users know they “are sending information to the correct server and not an imposter.” Do they know the technical implications of what this means? Unlikely. However, do they get nervous when their browser bar flashes red and warns them that the site may not be trustworthy? The bounce rate from this alone is enough to justify SSL investment for almost any business.

Published from our Privacy Magazine – To learn more, visit Privacy.dev