In the last couple of years, COVID-driven remote working (opens in new tab) has brought the importance of data privacy (opens in new tab) and security (opens in new tab) home, literally.
Around the world, enterprising hackers have seized on the opportunity to exploit the wave of new remote employees (opens in new tab), increasingly the weakest link in an organization's IT security defense. Without the many safeguards afforded by working from within a traditional office network, the challenge of securing digital assets has never been more challenging for today’s highly distributed workforces. The previous challenge of ‘bring your own device’ is now ‘bring your own network’ as employees and organizations look to manage the new risk environment
Nathan Turajski is Senior Director of Data Privacy and Protection at Informatica (opens in new tab).
In today’s hybrid work (opens in new tab) environment, it is not practical to put everything under lock and key. It requires trust to balance appropriate access and use to ensure utility and productivity. A productive remote workforce requires staff to have trusted, appropriate access to the data and applications they need to work effectively.
As a result, IT leaders need to rebalance their priorities, emphasizing data privacy as well as data security. But what’s the difference, and how can the IT department get the balance right?
Security vs privacy
“Data security” is typically defined as an access control problem to manage. Meanwhile, “data privacy” is more of an issue of governance over appropriate data use that conforms to confidentially standards, setting and enforcing policy to moderate potential data exposure issues that could result in unintended, often negative, consequences.
As such, data security functions as a more definitive control for determining access and can be considered binary. Either you can access data on the company server, or you cannot. Either data is encrypted so only authorized and authenticated users can unlock it, or unencrypted so that anyone can access it without restrictions on its use.
Data privacy, on the other hand, is more nuanced. Designed to limit data exposure to abuse and misuse, it is built on policies seeking to define the specific context or circumstance in which appropriate use can occur. For example, a user may be entitled to access specific data, but that does not necessarily mean they have the approval to share it with others or use it to inform an upcoming marketing program, against the data owner’s intent.
The grey area
In enterprise IT, this distinction between security and privacy is essential. This is because the security status of most enterprise data is rarely black or white, i.e. totally secured (and largely inaccessible) or unsecured (available to all). This leaves a significant ‘grey area’ where effective data privacy control becomes critical to wider security posture and even business performance.
Today, the disruptive power of data is a key driver of both innovation and opportunity, generating the data intelligence and insights businesses need to evolve and grow. But as data use increases, simultaneously becoming more complex and distributed, so does data risk. And it’s that risk exposure which makes the grey area of governing appropriate use most critical to organizations as new threats continue to emerge.
COVID has been a significant catalyst, accelerating trends like the shift to remote working and cloud migration. While its critical importance to operational resilience prompted the use of data in this way during the early stages of the pandemic, it is now increasingly central to the creation of competitive advantage.
With attacks on remote workers on the rise, businesses are challenged with balancing the need to provide both trusted access to data with the necessity of keeping it private when appropriate. Doing so is dependent on having data privacy policies, measures and controls in place that allow them to navigate the grey areas with greater precision, ensuring they can leverage the benefits of data while minimizing associated risk exposure.
Understanding the data estate
Data privacy best practice is all about understanding and managing your privacy exposure at any given time or circumstance, such as locations, applications and similar context of use. This, in turn, depends on a comprehensive knowledge of your data estate and the ability to answer questions like the following:
- What data are you holding, and whom does it belong to?
- How, when, where and for what purpose is it used?
- Does this align with the data owner’s expectations for safe and proper use?
- What are the critical data attributes and applications within your organization and its ecosystem?
- Are all data stakeholders willing to risk anticipated data value creation opportunities against possible abuses with higher-risk conditions?
Asking these questions is central to improving your approach so data can be used effectively and appropriately while minimizing data risk exposure. Without answers, it is impossible to categorize and track data flow according to sensitivity and purpose to better refine access rights and use conditions across an organization. And it also makes it more difficult to conduct reliable audits.
This last point is essential. Data privacy isn’t just about safeguarding business performance and reputation. In recent years, a range of new and emerging data protection mandates spanning data privacy, ethical use and social responsibility means organizations are obligated to handle specific data differently depending on certain contexts and circumstances.
From GDPR and CCPA to LGPD and PDPA, these regulations do not just demand stringent data security controls. They also demand transparency and accountability to data owners, both of which require data privacy governance capabilities. Without adequate data privacy controls, organizations open themselves up to a range of reputational and financial penalties, while diminishing customer trust and loyalty which impacts long-term revenue.
A more nuanced solution
Data security tools like encryption (opens in new tab) can, of course, help to protect data privacy. But in many instances, enterprises require a more nuanced solution that allows for intelligent decision-making around risk exposure and benefit trade-offs, helping to determine if exposure is appropriate, and takes mitigative action in cases where it is not.
From enabling hybrid workers to ensuring regulatory compliance to the value creation that businesses hope to achieve during their digital transformation efforts, it is essential to resist the urge to lock down data from any exposure and instead implement more intelligent, automated and contextual privacy controls. Doing so unlocks greater intelligence from data to realize increased business value across organizations.
At TechRadar Pro, we've featured the best online cybersecurity courses (opens in new tab).