In our modern world it is difficult to comprehend how many systems hold bits of information on you: banks, credit score agencies, dentists, SaaS providers and your telco, to name a few. Social networks also have mountains of information on you that they mine to work out your personal preferences, so they can present you with the perfectly matched article (or, more likely, an ad).
So information about you is everywhere and the amount is certainly increasing, possibly even as you read this article… (No, we don’t collect personal information, but what are your browser plugins doing?).
The trouble is that such a large and diverse pool of information that is just ‘out there’ creates several problems:
- The potential for identity theft is enormous – simply put, the more information there is to be discovered about you, the easier it becomes to assemble it and ‘steal’ your identity. This is usually done for some form of financial gain, which ranges from taking money from your accounts to literally trying to sell your house out from under you.
- Some of that data you want kept secret at all costs – some of it is so personal in nature (medical and financial data in particular) that you only want those who should have access to be able to see it, and you want their use of the data to be closely monitored.
- Is the data correct? – data held on you may be wrong, and it is very hard to establish what is wrong and who holds the wrong data. This can lead to problems getting a loan or proving you are trustworthy for a job.
- Do they need to keep all the data on you? – once a business has finished providing services to you, does it really need to keep all the personal data it has on you? This is a problem waiting to manifest, as such data is often archived away in an environment that is not as well protected as the production environment.
So what can be done about this? Quite a few governments have woken up to the evident problems created by such a large pool of personal data not being strictly managed and have put in place (or are about to put in place) legislation setting out policies and procedures for how such data must be collected, accessed, used and finally destroyed by businesses, no matter their size. This is often ‘on top’ of other regulations or requirements that apply to certain business activities (e.g. financial, medical, PCI and credit cards), although these are usually different aspects of the same underlying security requirements.
This is really required, as the number and scale of hacks involving personal data being lifted right out of the databases of businesses who should have known better is quite mind-blowing. It seems not a day goes by without one business or another losing personal data to motivated hackers. This needs to stop.
So how is this going to work? This is where proper systems security comes in, with a ‘privacy’ twist to ensure your personal data remains private. It is combined with legislation that forces businesses to disclose when they were hacked and what was taken, and backed up by fines and charges for evident failures to protect personal data; those fines can be very large indeed.
Systems security tackles the data privacy problem by ensuring:
- Sensitive personal data is stored in a way that resists attack and guards against process failures – for instance, always insisting that sensitive data is encrypted at rest, so a hacker running off with the hard drives learns nothing. Note that this only holds if the encryption keys are managed separately from the encrypted data; a key sitting on the same disk, or in a config file next to it, defeats the control.
- Sensitive data is appropriately segmented and under access control. In this way, access to an order processing system won’t automatically give you the ability to extract a mailing list.
- Personal data is only seen on a strictly ‘need to know’ basis – you cannot just log in and gain access to all the sensitive data; your job function restricts what you can see.
- Personal data, once deleted, remains deleted – if you no longer need such data, it should be deleted in a way that makes it unrecoverable, including from backups and archives.
- Physical access controls – as with system-level access controls, only those who need physical access to the computer systems are given it.
- Access is logged – who saw what, why and when is recorded, so it is always possible to check that data is being used correctly and to prove that privacy is enforced.
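The following is an added example, not code from the original article, showing how three of the controls listed above (need-to-know access by job function, logging of who/what/why/when, and deletion that stays deleted) fit together in the application layer. The roles, field names, user identifiers and customer records are constructed for illustration, as is the rule that one disallowed field rejects the whole request.

```python
"""Need-to-know access to personal data with an audit trail (added example).

Roles, fields and records below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Fields each job function may read. Anything not listed is denied, so a new
# field added to a record is not exposed to anyone by accident.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "order_processing": {"name", "shipping_address"},
    "marketing": {"name", "email"},
    "compliance": {"name", "email", "shipping_address", "date_of_birth"},
}
ERASE_ROLES: Set[str] = {"compliance"}  # only these job functions may erase


@dataclass
class AuditEntry:
    when: str           # UTC timestamp of the attempt
    who: str            # user identifier
    role: str           # job function the user acted under
    subject_id: str     # whose data was requested
    fields: List[str]   # fields requested ("*" for the whole record)
    purpose: str        # stated reason for the access
    outcome: str        # "ok", "denied", "not_found" or "erased"


@dataclass
class PersonalDataStore:
    _records: Dict[str, Dict[str, str]] = field(default_factory=dict)
    _erased: Set[str] = field(default_factory=set)  # tombstones
    audit_log: List[AuditEntry] = field(default_factory=list)

    def _log(self, who, role, subject_id, fields, purpose, outcome) -> None:
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            who=who, role=role, subject_id=subject_id,
            fields=list(fields), purpose=purpose, outcome=outcome))

    def store(self, subject_id: str, data: Dict[str, str]) -> bool:
        """Add a record; refuses to resurrect an id that has been erased."""
        if subject_id in self._erased:
            return False
        self._records[subject_id] = dict(data)
        return True

    def read(self, who: str, role: str, subject_id: str,
             requested: List[str], purpose: str) -> Optional[Dict[str, str]]:
        """Return only the requested fields, only if the role may see them all.

        Fails closed: one disallowed field rejects the whole request rather than
        silently returning a subset, and an empty purpose is rejected because the
        log must record the why as well as the who, what and when.
        """
        allowed = ROLE_FIELDS.get(role, set())
        if not purpose.strip() or any(f not in allowed for f in requested):
            self._log(who, role, subject_id, requested, purpose, "denied")
            return None
        record = self._records.get(subject_id)
        if record is None:
            self._log(who, role, subject_id, requested, purpose, "not_found")
            return None
        self._log(who, role, subject_id, requested, purpose, "ok")
        return {f: record[f] for f in requested if f in record}

    def erase(self, who: str, role: str, subject_id: str, purpose: str) -> bool:
        """Remove a record and tombstone its id so it stays deleted.

        Application layer only: on disk the same guarantee needs crypto-shredding
        of the record's key or a verified wipe, which this example cannot show.
        """
        if role not in ERASE_ROLES or not purpose.strip():
            self._log(who, role, subject_id, ["*"], purpose, "denied")
            return False
        if subject_id not in self._records:
            self._log(who, role, subject_id, ["*"], purpose, "not_found")
            return False
        del self._records[subject_id]
        self._erased.add(subject_id)
        self._log(who, role, subject_id, ["*"], purpose, "erased")
        return True


def demo() -> List[str]:
    """Walk the controls on a constructed customer record; returns the outcomes."""
    store = PersonalDataStore()
    store.store("cust-1001", {"name": "A. Example", "email": "a@example.invalid",
                              "shipping_address": "1 Sample Street",
                              "date_of_birth": "1980-01-01"})
    store.read("alice", "order_processing", "cust-1001", ["shipping_address"], "ship order 42")
    store.read("alice", "order_processing", "cust-1001", ["email"], "newsletter")  # denied
    store.erase("carol", "compliance", "cust-1001", "retention period expired")
    store.read("carol", "compliance", "cust-1001", ["name"], "spot check")  # gone
    store.store("cust-1001", {"name": "A. Example"})  # refused: id is tombstoned
    return [e.outcome for e in store.audit_log]


if __name__ == "__main__":
    print(demo())  # ['ok', 'denied', 'erased', 'not_found']
```

The audit log is the part a regulator or internal auditor actually asks for, so every branch writes an entry before returning, including the denied and not-found cases; an access control that only logs successes cannot prove that data was not misused.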
So why have businesses found this so hard to do to date? It comes down to a trade-off between costs, risks and returns. Investment in security has usually been treated as a cost to the business first; the risks of being hacked and their consequences are not well understood by senior management, or are considered something that can be ‘traded off’ as required. The new privacy regulations essentially require senior management to take security, and hence privacy, very seriously indeed. Trading off is no longer an option when the trading viability of a business and its brand is at risk.
There is also the fact that most businesses have IT systems that have ‘grown’ over time, which makes it that bit harder to be confident that security is being done consistently. Interfaces are layered on top of older systems and new systems are added to support the ongoing business, so you often end up with a spider’s web of interconnected systems, both inside and outside the business, that work together (or not) to serve the business in question. Securing such a distributed web of services is hard, but there is no longer a choice in the matter, as the penalties for a privacy breach are extreme.
There is also the problem that most businesses do not really know what a hacker is after. They have an idealised model of what motivates the hacker, but it is not precise, and so security controls end up out of alignment with the real threat.
How to Improve Data Privacy Security in a Business
The way I approach this is as follows:
- Perform a system assessment – work out which systems hold what data and how they exchange it. Then look at how access to that data is controlled and how it is stored. This usually produces an immediate ‘risk heat map’ of what needs addressing first.
- Fix the low-hanging fruit first – the risk heat map will usually give 2 or 3 quick wins against evident data privacy risks which can be knocked on the head quickly. I’ll typically work with the IT team to get these in place pretty quickly.
- Identify the deeper changes required – often how systems hold data and interact will need tweaking to improve data security. Quite often many systems hold data they don’t really need, or that is better held somewhere else. At this stage I also look at the authentication and authorisation models and at how logging and monitoring are being performed, and bring those up to spec.
- Training – all these system changes are good on their own, but without staff being on board and aware of the risks, you can still suffer data breaches via social engineering. Job functions might also need a slight tweak to ensure staff only use the data they need access to.
- Ongoing support and advice – staying data secure is an ongoing commitment, so typically I am engaged over a longer period to ensure the security standards are maintained.
All this and more is covered in our book on Personal Information Security and Systems Architecture.
The days of just collecting people’s personal data in your business and assuming everything will be all right, security and risk wise, are long gone. The new regulations and fines make it an operational business requirement that such sensitive data is treated with the respect it deserves; this in turn requires an appropriate investment in IT security and system design. System architects and security experts such as myself are ideally placed to provide you with effective solutions in a timely manner. If you would like to know more, please get in touch, or consider signing up to our mailing list on the right-hand side to keep up to date with developments.