
Managing Cyber Risks in a Post-Covid19 Era

2020-04-20 by James Bone. Categories: Risk Management

In many respects the General Data Protection Regulation (GDPR) is a bold experiment in the democratization of personal data. On the one hand, GDPR raises the bar for all organizations to protect confidential personal data across all platforms while simultaneously creating new rights for individuals to better control how data is shared, including for one’s own purposes. On the other hand, organizations have invested billions in cybersecurity with marginal improvements in the cyber paradox, a phenomenon that doesn’t fully explain why cybertheft and threats continue to increase unabated.

The current state of information security compliance is also muddled by complex regulatory mandates. In the U.S., privacy has been multi-jurisdictional for many years, as each state has mandated different standards for the protection of personal privacy and data. There are over 600 laws among the 50 states and more than a dozen federal laws on personal privacy and limits to electronic surveillance. In the early days of data privacy, the most stringent state laws drove the baseline standard for “best in class” privacy programs. GDPR raises the bar on privacy, but much like a leaky dam, ISOs don’t have enough fingers to plug all the leaks.

Privacy officers have been on the front lines addressing multiple jurisdictional requirements for more than 20 years. Information security officers have recently entered the fray with mandates to address data privacy as firms transition to a digital business environment that extends traditional boundaries of security programs. Information security officers need more than staff and technology to wade through the complexity of regulation, legacy systems and ad hoc security systems. Cybersecurity is a multidimensional problem that will require a community response to turn the tide.

A digital economy also raises interesting questions about regulatory oversight in an age of social-distancing where communications and social interactions will increasingly originate across a range of new platforms. Instead of email, as a prime communications platform, the need for more secure communications, document management and enhanced security will become paramount. One obvious elephant in the room is the growing need for national surveillance to protect the public during national disasters and pandemics. Facial recognition software, cell phone tracking and social media data, already prolific, will no doubt be targeted for use by law enforcement and criminals alike over the internet.

How will differences be resolved between the values, risks and competing agendas of stakeholders and individual rights? These questions and many more will be debated long after the pandemic is mitigated by practicing social distancing but what will the new normal look like and how will risk professionals adjust to new operating models?

Personal privacy in a digital economy

The internet has enabled the capture and storage of customer data across borders, which prompted the European Commission to adopt a European Data Protection directive to protect individuals as global markets opened to international trade online. The growth of and access to personally identifiable information (PII), and the need to protect that data, has increased both the value of customer data and the cost of protecting it from misuse.

It is estimated that 2.5 quintillion bytes of public data are created daily, but as large as that number is, a great deal more information is produced privately by government agencies and business. The former is the data that can be easily counted; the latter is the majority of data, structured and unstructured, that is stored in the cloud, organizational databases and other private transactions. The Covid-19 pandemic may increase personal data capture by many factors more!

New form factors of data are being created across diverse digital platforms without a clear understanding of the long-term impacts to privacy or data security. Business leaders who are playing catch-up in the transformation to digital business strategies may be unknowingly sowing the seeds of vulnerabilities in data privacy and IT security without a strategic plan to design enhanced security into their digital platforms.

Data anxiety is increasing as the public becomes more aware of the threats to personal data in its many forms. However, public awareness hasn’t resulted in a material change in consumer behavior using social media. The sharing of personally identifiable information in social media and other platforms continues to grow without recognizing what is freely given away. Data brokers have grown exponentially under the radar using online click-through agreements that are seldom read. As a result, the market for data has created tremendous economic wealth but has also exposed us to the ugly side of lost privacy.

The genie is out of the bottle so now is the time to redouble efforts to define what is acceptable as good public policy as well as the new ground rules for business sharing and monetizing data. I agree with Mark Zuckerberg on the need for “good” regulation but regulation alone isn’t enough. It is time to rethink privacy and security.

Striking the right balance

Chief information security officers cannot address these issues alone simply by plugging the leaks. We must begin at the point of origination. Collaboration is needed across a multidisciplinary set of technology disciplines, from software designers to network engineers and beyond, to agree on a common goal of enhanced security along the critical paths of production. Secondly, an IT security clearinghouse is needed to establish a more secure communications channel between customers, industry and government.

Industry leaders should consider developing an IT security “cyber data clearinghouse” between customers, business and government with trusted partners validated and monitored by an industry utility that is funded by a Self-Regulatory Organization (SRO) of participants. The SRO would develop levels of minimal to best in class security protocols to be used in a clearinghouse for all participants to use. Data could then be shared through the clearinghouse based on agreed upon procedures with standards set by the SRO in collaboration with industry standards groups. The goal of the clearinghouse should be to develop security that is intuitive to human behavior, automatically implemented and secured end to end through all communication channels.

To tackle the need for a unifying IT framework, information security officers must understand how to position and evolve privacy programs to account for different requirements across jurisdictions. I call this concept understanding the Robust yet Fragile nature of disparate systems and networks.

This concept is borrowed from network engineers who had to solve a host of issues when building out the internet infrastructure. The Internet is robust, in that, it has the scale to allow communications to grow organically around the world but is fragile at specific nodes in the network. Given the boundary-less business environment we live in, I draw on lessons from this concept to build a case for reframing risk mitigation in privacy programs across jurisdictions.

Within organizations, the “Robust” represents systems that are reasonably secure, scalable and networked with a high degree of confidence. The “Fragile” within information security represents the distance data travels from Robust systems, in decreasing levels of confidence, through third-party providers, ISPs, cloud providers and IoT devices connected to those robust systems. ISOs must have comprehensive security and monitoring in place for both aspects of security. ISOs should maintain a comprehensive map of the fragility inherent at each point of contact and build contingencies and alternative strategies alongside their partners to mitigate risks and enhance security.

We are learning the lessons of Robust yet Fragile in the Covid-19 pandemic. Hospitals are robust in giving excellent care during normal conditions; however, the stress of the pandemic revealed the fragility inherent in healthcare in the form of disrupted supply chains and limitations in capacity and staffing. The resilience of the one component that was taken for granted in the novel coronavirus crisis, the human element, is truly remarkable. Technology has enabled lives to be saved, but the ingenuity of the nurses and doctors on the front lines is not lost on the victims of this dreaded disease, as articulated by Prime Minister Boris Johnson’s gratitude to the nurses who saved his life. This same lesson must not be overlooked in cybersecurity.

Lastly, there are major trends that will require better coordination across industries. What are the major trends in society and business that will make the job of privacy management harder in the near term?

The big three trends are: Societal change, Technological change, and Analytical change.

According to the Privacy Rights Clearinghouse, the cultural conception of privacy is in flux. Individuals are creating personal content at an unprecedented rate on social media, and the cost and consequences of self-publishing blur the lines of privacy. Privacy management must include new training techniques and awareness programs to help users understand how their behaviour on the internet creates a digital profile that can be exploited by criminals.

Secondly, technological change will continue to pose new threats to business. The human actor is the prime target in cybercrime via mobile devices, casual web surfing and more sophisticated social engineering and phishing attacks. Trust is being weaponized on the internet through misinformation, creating a low-cost attack plan for cybercriminals. In addition, surveillance will undoubtedly increase through the use of user data, mobile devices, and other sources of data that will be shared in anonymized formats.

Finally, the third trend is analytical change. Autonomous bots give cybercriminals the ability to collect data, launch attacks and exploit the very systems deployed to defend the enterprise. The cycle of innovation goes both ways as adversaries co-opt advances in analytics to exploit our defences. We operate in an open environment where open source technology allows our enemies to learn in real time about vulnerabilities that exist in new product launches as well as legacy systems. As long as there is a market for digital assets, the role of privacy management will continue to grow in importance.

The parallels in tackling the novel coronavirus and cybersecurity are instructive. Human behaviour will determine whether we are successful in addressing both in the long term. Technology and innovation will help enable solutions to address both, but a sustainable solution is more likely once we realize that we are in this together and must work together, as a community, to end these threats.

#cognitiveriskframework #cognitivehack #humanelement