Data security and privacy are finally getting the spotlight they deserve. Given how much sensitive user data companies collect in order to run their services, security ought to be one of their top priorities.
But judging from the list of recent breaches:
- Equifax, where attackers exploited an unpatched web application flaw and exposed the records of roughly 147 million people;
- Facebook, which stored hundreds of millions of user passwords in plaintext, readable by its own employees, through negligence;
- Bethesda's "accidental" leak of customer support tickets due to a system flaw;
- Uber's user data leak due to a cyber attack;
data security is still more of an afterthought than a top priority for many companies.
Since companies are responsible for the safety and confidentiality of user data, and are held accountable for everything that happens to it, it pays to understand the topic.
In this article, we explain why maintaining data security and privacy matters more than ever.
Data security and privacy are two foundational elements of the trust between a company and its users. In light of the breaches above, demonstrable data security has become a significant differentiator for many consumers.
What is usually at risk?
- Personally identifiable information (addresses, phone numbers, passport data),
- Personal health information and medical records,
- Payment card and banking information,
- Intellectual property,
- Social Security numbers, insurance information.
These are the types of information that require strong privacy and security controls.
According to an IBM cybersecurity study, 75% of customers won't even consider buying a product if they doubt that the company will keep their personal data safe and private.
This is reasonable behavior, since the consequences of careless patching and maintenance (Equifax) go far beyond ominous finger-wagging: the Equifax breach has cost the company about $1.4 billion, on top of the loss of customer trust. Or recall the time Facebook stored user passwords in plaintext. That wasn't very nice. And these are just a few of many examples.
But these things don't come out of nowhere. A breach, or any other security or privacy compromise, is simply the boiling point of a situation that has been building up for some time.
There are several reasons why data security has become an issue.
The volume of data we produce is growing at an exponential rate, and it will keep growing.
One of the reasons is the never-ending, and often winding, quest to gain more insight into the market and the target audience than the competition. That means storing user data: personal information, but also behavioral data and all sorts of activity logs. This is a lot of data. Facebook alone has around 2.5 billion accounts, and a single user session generates far more analytical data than the account record itself.
Data growth is a big challenge. Keeping up with it, while keeping it all together, is extremely hard. Companies need to maintain the entire infrastructure and keep it scalable while data sources keep expanding and the scope of the data grows with them, driven by forecasting and prediction. And all of this data has to be kept in order to see the big picture and identify future opportunities.
This slowly but surely turns the data infrastructure into a mess, and data security suffers as a result: security practices and tools go stale, blind spots appear, negligence creeps in, and voila, "you've got a breach."
The other side of constant data growth is the increasing complexity of data processing. There are far too many moving parts to keep an eye on.
Because of the enormous scope of the processing operation and the number of moving parts, oversight often becomes lax, and compliance with security standards lapses or, worse, never existed in the first place. The standard rule is "if it isn't broken, it doesn't need fixing." And so it goes.
Facebook's plaintext passwords are a good illustration of this mindset: the passwords were not deliberately kept unhashed, they ended up in internal logs that nobody audited, and the problem was only discovered during a later security review. Little issues pile up here and there, and when a part finally breaks there is nowhere to hide.
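As an added example (not code from the original article, nor Facebook's or any vendor's code), here are the two password-storage choices behind the plaintext-password incident discussed here and in the Equifax/Facebook paragraph above, side by side in Python: a plaintext store, whose dump (or any log line that captures a record) hands over every credential, against a store that keeps only a per-user salted PBKDF2 hash and never holds the password at all. The usernames, passwords and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os

# Constructed sample credentials for this demonstration only; not real accounts.
SAMPLE_USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}

# PBKDF2 work factor. This value is an assumption for the example; production
# systems should tune it to their hardware or use a memory-hard KDF such as Argon2.
ITERATIONS = 100_000


class PlaintextPasswordStore:
    """The 'before' picture: passwords kept verbatim. Anyone who can read the
    table, a backup, or a log line containing a record gets every password."""

    def __init__(self):
        self._table = {}

    def register(self, username, password):
        self._table[username] = password

    def verify(self, username, password):
        return self._table.get(username) == password

    def dump(self):
        # What an operator, a backup, or an attacker with read access sees.
        return json.dumps(self._table)


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per user means identical passwords hash differently."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def check_password(password, stored):
    """Recompute the hash with the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: fail closed
    _, iterations, salt_hex, digest_hex = parts
    try:
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # corrupted record: fail closed rather than crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, digest)


class HashedPasswordStore:
    """The 'after' picture: the store never holds the password itself."""

    def __init__(self):
        self._table = {}

    def register(self, username, password):
        self._table[username] = hash_password(password)

    def verify(self, username, password):
        stored = self._table.get(username)
        return stored is not None and check_password(password, stored)

    def dump(self):
        return json.dumps(self._table)


def leaked_passwords(dump_text, users):
    """Usernames whose password appears verbatim in dump_text (for example, a
    database export or a log file that accidentally captured records)."""
    return sorted(name for name, pw in users.items() if pw in dump_text)


def demo():
    """Register the same users in both stores and compare what a dump reveals."""
    insecure, secure = PlaintextPasswordStore(), HashedPasswordStore()
    for name, pw in SAMPLE_USERS.items():
        insecure.register(name, pw)
        secure.register(name, pw)
    return {
        "insecure_leaks": leaked_passwords(insecure.dump(), SAMPLE_USERS),
        "secure_leaks": leaked_passwords(secure.dump(), SAMPLE_USERS),
        "secure_accepts_correct": secure.verify("alice", SAMPLE_USERS["alice"]),
        "secure_rejects_wrong": secure.verify("alice", "not alice's password"),
        "secure_rejects_unknown_user": secure.verify("mallory", "anything"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `leaked_passwords` is the check a security team actually wants: grep whatever leaves the database (exports, backups, application logs) for credentials that should never appear there. With the plaintext store every password shows up; with the hashed store nothing does, and the self-describing record format lets the iteration count be raised later without breaking existing users.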
The factors for growing operational complexity are as follows:
- Transition to cloud computing and storage;
- Use of big data applications and databases;
- Disparate tools from multiple vendors that process sensitive data.
While the first two factors are relatively under the organization's own control, the plot thickens when it comes to applications from outside vendors.
- What if one of those tools is compromised, as happened to PayPal?
- What if a third-party vendor uses your business data for its own purposes, as Amazon has been reported to do with vendor data in addition to customer data in order to perfect its service?
However, these serious concerns are often ignored in favor of getting more results, faster. Guess what happens next?
2018 was a landmark year for data security regulation. After years of hesitation and stalling (the EU's previous data protection law, the 1995 Data Protection Directive, predates the modern web), legislation finally caught up with technological progress, and companies now have to take responsibility for users' personal data, privacy, and security.
- In May of that year, the European Union's General Data Protection Regulation (GDPR), adopted in 2016, came into effect;
- Later, in June, the State of California passed the California Consumer Privacy Act (CCPA), which took effect on 1 January 2020.
Both GDPR and CCPA set ground rules for what is and is not acceptable to do with personal data, spell out what happens to those who play fast and loose with someone else's sensitive data, and prescribe a course of action in the event of a data breach or other security compromise (GDPR, for instance, requires notifying the supervisory authority within 72 hours of becoming aware of a breach).
One of the most significant innovations of GDPR is the Data Protection Officer, a role that certain organizations are required to appoint, whose job is to monitor the company's compliance with data protection rules, advise on its obligations, and serve as the point of contact for regulators and data subjects.
The other significant innovation of GDPR is its fines for non-compliance: in the most serious cases, up to €20 million or 4% of global annual turnover, whichever is higher, which is no laughing matter.
Whether we like it or not, we live under a constant threat of data breaches. Every week brings a news story about some big company having a security incident that exposed a massive amount of users' personal data and put it up for sale on the black market. Reputations are blemished, trust is nil, and money is lost.
It is essential to understand why these things keep happening and to realize how much is at stake when it comes to personal data and other sensitive information.
This article lays the groundwork for further exploration of the subject.