7 Privacy Tips for Security Pros
How best to integrate privacy into your organization's security program.
![Image of a lock signifying data privacy](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt645ca662315ef3dc/64f172b76f55090d7d2bcf08/Slide1_CoverArt_copy.jpg?width=700&auto=webp&quality=80&disable=upscale)
Source: arrow via Adobe Stock
Privacy and security, while often viewed through separate management lenses, go hand-in-hand. And privacy is increasingly becoming a key element of many security strategies.
According to a recent survey from Cisco, some 90% of security pros now consider privacy a mission-critical business imperative. In fact, 90% of responding security pros say their customers would not buy from them if they did not adequately protect their data. Detecting and responding to threats and assessing and managing risk has become a core area of responsibility for security pros.
"We need our security team to operationalize privacy," says Harvey Jang, Cisco’s chief privacy officer, of the trend. "It's not just an ethical 'nice-to-have' anymore" for organizations.
Spurred on by the European Union’s GDPR regulations and California’s CCPA, many more organizations are looking at privacy as a core security mission. Here are tips for security teams on how to weave privacy into their security programs.
In many instances, businesses develop customer and supplier lists and never stop to think about the privacy implications of all that information. Real-estate companies, for example, have extensive customer lists that contain information on how much potential customers earn, where they bank, and how well they’ve paid their bills over many years.
Whether it’s a large real estate company or a medical practice, companies can simply start by deciding that they care about privacy and will set up a system to make sure their data doesn’t get into the wrong hands, says Dan Petro, lead researcher at Bishop Fox.
"A lot of people don’t get past step zero," Petro says. "They are just trying to make a widget and get it out. The extent to which a company might care about it will depend on financial considerations or the goodness of their hearts, which you don't always want to depend on."
Cisco has led the way for large companies by reorganizing some six years ago so the chief privacy officer role was equal to the chief information security officer and reported to the company’s chief security and trust officer.
“Privacy is a fundamental human right that we care about,” says Robert Waitman, director of data privacy at Cisco. “A few years ago, privacy was a legal function, but now it’s a boardroom issue and something the rank-and-file staff needs to know about.”
Cisco CPO Jang says all privacy decisions at Cisco are decided in concert with the security team. The security team focuses on protecting the data, and Jang’s privacy team considers the human element. Each product developed has to go through the Cisco Security Development Lifecycle (CSDL) and won't be launched unless it meets the requirements of the company’s privacy impact assessment.
Least privilege revolves around the basic notion that everyone in the organization gets assigned access only to the data and applications they need to do their jobs. From a privacy perspective, this means that somebody in sales, for example, should never have access to employee salaries or medical information.
Bishop Fox's Petro says by adding the zero-trust concept to the equation, in theory, the only person who accesses any company data is the specific person who was authenticated to access the data, period.
“Companies need to define who’s authorized to access the data and enforce it with controls,” Petro says.
Enforcing least-privilege access has become a well-known best practice, adds Corey O’Connor, director of products at DoControl.
“For organizations adopting the zero-trust security model, extending least privilege to the identity, device, and network levels has become a great way to mitigate the risk of data leakage and noncompliance,” he says. “Having the right solutions, and the right processes in place will help ensure PII is never exposed to the wrong person.”
Data retention policies can play an important role in maintaining data privacy. Bishop Fox’s Petro says companies should not keep data around unless they are going to need it for some business purpose.
Especially with mobile apps, Petro says many companies store every piece of location data or every metric on how a person uses the application.
“Companies keep databases and never let them go because they think the data will have some value at some later point,” he says. “The reality is if you are not going to use it, just get rid of it."
Data retention periods vary by organization and industry, but generally range from three to 10 years. Once the data’s objective has been fulfilled, companies should either archive, anonymize, or destroy the record, tax experts advise.
All Cisco employees who manage data as part of their jobs have to go through privacy training, at least for the first two economic quarters they are on the job, Cisco’s Jang says.
Heather Paunet, senior vice president at Untangle, says security teams should enforce data privacy protection with these best practices:
Make multifactor authentication mandatory for all cloud-based tools.
Make sure employees use strong passwords.
Have the staff lock their computers when away from their desks, even at home.
Don’t use public Wi-Fi for any financial transactions or to move company data around.
Install antivirus and anti-spyware software on all machines and enable the firewall.
One way to start with adopting a privacy strategy is to consult the regulations put forth by the European Union’s GDPR and California’s CCPA. For example, the GDPR defines personal data as information such as a name, email address, and credit card number that can lead to the identification of a person.
The GDPR and CCPA, as well as the Colorado Privacy Act, also require companies to conduct a data protection assessment, Untangle’s Paunet adds.
“This is an important first step that any business collecting consumer data should take,” she says. “Businesses need to understand what is being collected and how to protect customer data. They also need an effective strategy to communicate how customer information is collected, used, and when it may be sold or disclosed for business-related purposes. Transparency in data collection is a foundational pillar for businesses looking to maintain a trusting relationship with their customers.”
Tom Garrubba, a vice president at Shared Assessments, says privacy is specifically focused on what an organization is permitted to do with the data it collects from a data subject. With that in mind, it’s important for companies to “follow the data,” he says.
“What I mean here is that companies should document all data transfers both within the organization and outside to third parties and other downstream vendors,” Garrubba explains. “Companies should build this into all projects that involve personal data [privacy by design] as it’s incredibly important to document [the] data chain of custody in the event of a breach or mishandling of such personal data.”
As part of data privacy, companies need to safeguard the data, adds Archie Agarwal, founder and CEO at ThreatModeler. By this, he means for companies to identify all the threats and then mitigate them.
Companies have had major privacy challenges during the pandemic, which sent the vast majority of their employees home to work – very often on home laptops and devices.
For years, companies used VPNs to segment a user’s company work from their personal activities. But more often than not, VPN access was given to only a certain select group of employees who were using company-issued computers. The situation became much more dicey during the pandemic as companies had to get people up and running quickly, and workers tended to use their home laptops. Workers became concerned that the company was monitoring their personal computing activities.
Hank Schless, senior manager of security solutions at Lookout, says many companies have opted for what he calls an “agentless” approach versus the old system where an actual piece of client software, like antivirus or the VPN software, would get installed on the user’s device.
“With agentless technology, when a person logs on for work, the company can understand the state of the device, but when they log off from work for the day, the company can’t see what’s going on,” Schless says. “Instead of something sitting on a client, the company sees what’s happening with the user at the point where the user connects to an application.”
By taking the agentless approach, he adds, companies can put those privacy policies in place so users don’t feel the company is monitoring them when they are not doing company work.