APAC CIOOutlook


    Six Principles for Security and Privacy Management Success in Today's Digital World

    Rob Roe, Managing Director of ANZ, OneTrust


    There were 262 data breaches reported by Australian companies in Q4 last year to the Office of the Australian Information Commissioner. The good news is that only 3 percent of these came from system faults. The bad news is that the most vulnerable attack surface, and probably the hardest to control, was people!

    Human error accounted for 33 percent of the data breaches, including emailing the wrong person (23 occurrences) and unauthorized disclosures (15 occurrences). The latter impacted an average of 17,746 people each time. A further 64 percent of data breaches came from a malicious or criminal attack. This included 114 cyber incidents, almost half of them phishing attacks, which again come down to human error.

    The bottom line is that whether it is by accident, ignorance, or intent, people are the major cause of data breaches. The question is: what can we do about it?

    This is where Security and Privacy Management come together and support each other. Security focuses on protecting data. Privacy focuses on personal data: What are we collecting? Should we collect it? Who has access to it and could unknowingly cause a data breach?

    Here are six Privacy Management Principles that work hand in hand with Security to minimize the most vulnerable attack surface: People!

    1/ Data Minimisation

    Buzzwords like big data and data analytics lead to collecting as much data as we can because we can. But if we don’t collect the data in the first place, then it can’t be stolen. Therefore, the question should not be “what data can we collect?” but instead “why do we need to collect and store (and for how long) that data?” Every day there are examples of this data collection overreach, from web forms to free Wi-Fi sign-ups. Why does a Wi-Fi hotspot need to know our mobile number or date of birth? But they ask! When you change your perspective on data collection, it is astonishing to see what companies ask you to share.

    2/ Privacy by Design

    A Privacy by Design review identifies security and privacy gaps in our processes and data usage. This goes beyond the standard security actions such as data encryption and access control.

    Privacy Management adds in questions about the data itself and offers further safeguards. How sensitive is the data we are collecting – health, financial, etc.? Can we use anonymized or pseudonymized data for data analytics? Are there management controls on the re-use of data and on “purpose-creep,” where data is later used in additional processes? Can our employees download data from the CRM system into spreadsheets? Do we have contractors with our data on their laptops? How are we ensuring access to sensitive data? For example, Qantas changed their frequent flyer process from telling the agent your PIN number to securely entering it yourself.

    Keeping the data safe is one thing but managing how we use and control the data avoids process-based gaps.

    3/ Data Mapping

    Today, with SaaS applications, cloud storage, laptops, and USB devices, it is difficult to know where our data is stored and what actual fields are being captured. Privacy management uses data mapping to keep track of what data is being stored, where it is stored, and who is accountable for it. Identifying shadow IT, spreadsheets, cloud storage, and departmental databases is important to complete the data mapping.

    When data mapping is held in multiple spreadsheets, management oversight is lost. When a data breach occurs, knowing what data has been compromised is near to impossible.

    4/ Process Mapping

    It is one thing to know what and where our data is, but we also need to know which business processes and users are accessing that data and for what purpose. This goes beyond access controls because a new process may combine data from multiple sources. Applying data analytics can undo the pseudonymization, making the new process contrary to the permissions received for the original purpose. Process mapping takes the lessons learned from Privacy by Design to avoid the gaps created when human mistakes are possible or data is shared inappropriately.

    5/ Third-Party Vendor Risk

    For all the protections we put in place for our own company, our vendors need to do the same. Today, third-party vendor risk management is grossly underdone. Companies send out spreadsheets (notice the theme here?) for vendors to fill in, and hours are spent chasing these vendors to complete the documentation. But that is usually where it stops. Even for our critical vendors that have multi-year contracts, we rarely go back to check if they are still complying with the security, privacy and management practices we expect and require. We don’t even check if they are viable as a company. Managing vendor risk needs to be an ongoing process, just like our own internal checks and balances. As the saying goes, a chain is only as strong as its weakest link.

    6/ Incident Notifications, Near Misses and Ideas

    When Security and Privacy officers are surveyed about their biggest issue for implementing required practices, the answer is “Staff Awareness.” This helps explain why the most vulnerable attack surface is people. To make it easier for staff to report potential incidents, companies are adding the ability to submit “near misses” and “ideas.” The strategy here is to broaden what is reported to capture all incidents. The subject matter experts can then determine if it is a “near miss” or in fact a “data breach.” As staff awareness increases, people can submit “ideas” on how to improve Security and Privacy by Design. The worst data breach is the one that is not reported.

    In today’s digital world we can no longer just think Security. We need to combine this with Privacy Management. The increase and spread of the data we collect and store is driving this need to adopt both Security and Privacy Management practices. Together these practices help us avoid being in the next Office of the Australian Information Commissioner’s Data Breach Report.