Endpoint // Privacy
Commentary
5/23/2016 08:15 AM
Alan M Usas

What Europe Tells Us About The Future Of Data Privacy

Recent initiatives offer new strategies for balancing technology, security, and organizational policy goals. Here are three approaches worth considering.

Recent headlines underscore the complex, symbiotic relationship between security and policy. Apple vs. FBI, Europe’s pending new data protection rules, Facebook’s antitrust lawsuit in Germany – these are examples from recent news that are having a ripple effect across businesses and governments worldwide.

So what exactly is the relationship between security and policy?

Security policy establishes how an organization will meet its obligations for information confidentiality, integrity, and availability in ways that are consistent with its mission, culture, risk tolerance, and legal and regulatory requirements. The policy describes how the organization will achieve its security objectives in the context of its business practices and environment.

As business becomes increasingly digitized, it is essential to take a strategic approach that embeds security in the network, the architecture, the endpoint, and the convergence of applications, as well as in the culture and practice of the organization. This approach requires leadership from the board, the C-suite, the information security group, and other business functions.

Security is no longer just about protecting information

Today, it is crucial to safeguard data, IP, and critical infrastructure while building and maintaining reputation and the trust of customers and the public. According to the Center for Strategic and International Studies, cybercrime and espionage cost the world economy an estimated $445 billion annually and pose a significant threat to corporate and national infrastructure -- and we are just finding our way. For example, Apple’s skirmish with the FBI may be over but the struggle with enforcement agencies over data privacy is just beginning. Soon emerging technology will make it impossible for device manufacturers to comply with government requests for access to private information.

How can we expect to protect networks, comply with laws, insure against risk, and respond to crises without locking companies in a straitjacket of onerous and costly cybersecurity regulations? Several initiatives in Europe provide interesting ways of thinking about how policy and technology converge.

The European model

Europe's new data protection rules and framework for transferring customers' personal data across geographies could be an improvement with global ramifications for both corporations and governments. As a single set of data protection rules for the European Union, the General Data Protection Regulation (GDPR) offers companies a harmonized and consistent approach to data protection across Europe. With its provision for imposing financial penalties for security incidents, the GDPR will provide a powerful incentive for compliance. This regulation, due to be implemented in 2018, is untested and its potential pitfalls have not been fully examined. No doubt this approach will be closely followed.

In addition, European authorities are concerned about the collection of personal data by companies like Facebook and Google. These authorities have focused on the use and accessibility of data collected by companies large and small, but the monetization of data by Facebook has drawn added scrutiny and antitrust investigations in Germany. This case will spur discussion and careful thought about the balance between data privacy and data use.

How does an organization walk the line and balance data privacy and security with business objectives? An effective approach requires the following key components:

1. A strategic, integrated, and collaborative approach to cybersecurity. Technology and security experts and business leaders must work together to understand and assess the benefits, risks, and implications of technology, legal, and policy developments.

2. Leaders across the organization must commit to building a smart, secure, and resilient organization. Leaders from the board and C-suite to the cybersecurity, technology, and business domains must understand the risks inherent in the business, and what trade-offs are appropriate.

3. A secure, resilient organization must address the risks posed by human behavior. Powerful technology, strong policies, and regulations are essential, but they cannot guarantee security. To prepare for the inevitable, a robust approach to data privacy and security must consider how humans engage at work, how they use tools and data, and how they can be enlisted to help prevent and respond to a breach.

Simply put, there is no perfect cybersecurity. A cyber incident should be considered inevitable. To build a secure, resilient organization, business and government leaders need a strategic approach that incorporates technology, law, and policy, and that addresses economic, human, legal, organizational, and socio-political factors. It is a tall order, but one that leaders in cybersecurity are pursuing.

Alan M. Usas is adjunct professor in the Department of Computer Science and program director of the Executive Master in Cybersecurity at Brown University.

Comments
RyanSepe, User Rank: Ninja, 5/23/2016 | 8:40:48 AM
"A secure, resilient organization must address the risks posed by human behavior."
From my perspective this risk is paramount. You can promote user awareness and employ RBAC-based strategies, but users will always be one of the greatest sources of risk across an enterprise.