Privacy vs. security is the new cyber battleground in 2019

Jan. 28, 2019
Data Privacy Day highlights the gap between perception and reality as it relates to ongoing cybersecurity

On Jan. 27, 2014, the 113th United States Congress adopted S. Res. 337, a non-binding resolution expressing support for the designation of Jan. 28 as “National Data Privacy Day” and beginning in January 2008  in the U.S. and Canada the official recognition of the day began as an extension of the Data Protection Day celebration in Europe. Now, Data Privacy Day is an international “holiday” that occurs each year on this date.

It was created to raise awareness and promote privacy and data protection best practices. The National Cyber Security Alliance (NCSA) assumed leadership of Data Privacy Day from the Privacy Projects back in August of 2011. A nonprofit, public-private partnership dedicated to promoting a safer, more secure and more trusted Internet, NCSA is advised by a distinguished advisory committee of privacy professionals.

Data Privacy Day's educational initiative originally focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking. In addition to its educational initiative, Data Privacy Day promotes events and activities that stimulate the development of technology tools that promote individual control over personally identifiable information; encourage compliance with privacy laws and regulations; and create dialogues among stakeholders interested in advancing data protection and privacy.

Protecting America’s Privacy

According to the annual Unisys Security Index, which includes information gleaned from over 1,000 American adults over the age of 18 during the Fall of 2018, there are many situations where American adults don’t want certain organizations/people to have data about themselves:

  • 42 percent don’t want their health insurance providers to track their fitness activity via wearable monitors to determine premiums or reward behavior
  • 38 percent don’t want police accessing data from their wearable fitness monitor at their discretion to determine if they were at a given location at a certain time
  • 34 percent don’t want medical devices such as pacemakers or blood sugar sensors to immediately transmit any significant changes to their doctor
  • 27 percent don’t want sensors in their luggage that communicate with an airport’s baggage management system like sending text messages when your luggage has been loaded/unloaded
  • 24 percent don’t want an emergency button on their smartphone or smartwatch to send their location to police if they need help
  • 21percent don’t want an app on their smartwatch from their bank or credit card company to make payments from their watch

"These results suggest that consumers view the internet as scarier than earthquakes, terrorism and wars, largely because they feel they have little control over how to address bad actors leveraging Internet-enabled technologies,” says Unisys Chief Trust Officer, Tom Patterson.

The fact that data privacy has emerged as a top of mind topic not only for global business concerns but any organization with a potential vulnerability within its network, exemplified by the myriad of regular breaches the last half decade, network security experts like Heather Paunet, who is Vice President of Product Management for Untangle in San Jose, Calif.-based firm that provides comprehensive network security for SMBs, says organizations of all sizes must take data privacy seriously and proactively ensure personally identifiable information (PII) is protected.

“Protecting data in the event of a breach is crucial to maintaining the trust and respect of the public. Businesses can take some simple steps to protect the data they are collecting. Storing the private data on a network or server that is separate from the public, or even separate from the main corporate network, can provide an extra layer of protection. Encrypting the data, especially PII, is another standard practice to comply with a variety of regulations like PCI and HIPAA in the United States and GDPR in Europe. With GDPR in full effect, data privacy and transparency is now more relevant than ever. Businesses must realize that the GDPR rules are not a hindrance, but a chance to show consumers that they can trust them and that they are taking a proactive approach to data privacy,” says Paunet.

Privacy vs. Security

For David Ginsburg, Vice President of Marketing at Cavirin, a Santa Clara, Calif.-based provider of cybersecurity risk posture and compliance for the enterprise hybrid cloud, Data Privacy Day represents a wakeup call for almost every business sector.

“Data Privacy Day is upon us, and there is no need to mention that we just concluded ‘Annus horribilis,’ and I’m not talking about U.S. or EU politics.  Over the last twelve months, we’ve endured a constant barrage of news regarding the latest hacks, vulnerabilities, or organizations paying the price for just plain stupidity. Though IoT and critical infrastructure vulnerabilities, as well as foreign attacks, were top of mind, ongoing thefts of confidential financial, healthcare, and other PII data presented a greater risk to enterprises and individuals.  As related at BlackHat, the hackers are definitely on the offensive, with organizations playing catch-up across an increasingly complex hybrid cloud infrastructure.  However, 2019 doesn’t need to be a repeat of 2018,” says Ginsburg. “The intent of Data Privacy Day is to raise the awareness of data privacy within organizations as well as for individuals.  Focusing on the former, recommendations, in fact, follow the universal five-phase approach outlined in the NISF CSF – Identify, Protect, Detect, Respond, and Recover.  This approach is, in fact, a great baseline for organizations of any size, from the corner dentist to the Fortune 100.”

Most cybersecurity experts agree that the level of prioritization with regards to protecting our information sometimes comes in conflict with Americans desire for more privacy.

“The public may be familiar with section 215 of the Patriot Act, as well as other surveillance programs, designed to protect the U.S., provide access to the content citizens read on the web or send via text message and email. This raises the question, are cybersecurity and privacy mutually exclusive? Or is it possible to have both? A quick analysis of the commercial solutions available from cybersecurity suppliers provides valuable insight,” explains Mike Banic, Vice President of Marketing at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers.

“Next-generation firewalls require access to the unencrypted contents of network messages going to and from the Internet to find exploits and malware used by cyber attackers. Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) devices need to inspect the unencrypted contents of network messages to match bytes of data with signatures of exploits and malware, as well as match Internet addresses and web URLs with reputation lists to detect cyber-attacks. Antivirus software performs in much the same manner as IDS/IPS, but on an endpoint computer rather than on a network device at the Internet boundary. Malware sandboxes must be able to open unencrypted files (e.g., PDF, MS Office) and run unencrypted executable files to find active threats and malware.”  

Joseph Carson, Chief Security Scientist at Thycotic, a Washington D.C.-based provider of privileged access management (PAM) solutions wonders if the concept of privacy in our ever-increasingly plugged in and monitored world is already a lost cause.

“Is Data Privacy Day turning into Data Privacy Remembrance Day? Is it even reversible? The answer is yes. The end of privacy as we know it is closer than you may think.  Privacy definitions are very different between nation states and cultures, however, one thing that is common is that privacy is becoming less and less of an option for most citizens.” Carson laments. “In public, almost everyone is being watched and monitored 24/7 with thousands of cameras using your expressions, fashion, walk, directions, interactions and speech to determine what you need, what you might be thinking, who you are going to meet, who is nearby and even algorithms that determine what your next action might be.  All of this is used to help provide a custom experience unique to everyone as well as predict and prevent security threats.  The term ‘if you have nothing to hide you have nothing to fear’ is quickly becoming reality and privacy and could certainly disappear in the near future.  Can we ever regain back our privacy?”

Regulations in the Digital Age

Michael Magrath, Director of Global Regulations and Standards for OneSpan, a company that provides security and e-signature solutions to protect people, devices, and transactions from fraud, submits that the digital age has changed virtually all aspects of our lives from social interaction, commerce, education, etc. He expects that when 5G begins to roll out globally, Internet 3.0 will commence, which will change the entire landscape of social media platforms that haven’t typically charged a subscription. But now many realize that they can secure billions of dollars through monetizing the data they collect from their users.

"Concerns regarding the privacy of citizens and consumers have escalated over the past several years and have led to wide-sweeping regulations with the European Union’s General Data Protection Regulation paving the way. Organizations violating GDPR face severe financial penalties of up to 4 percent of annual global turnover (revenue).   

"In the U.S. all eyes will be on California next year when the California Consumer Privacy Act, the nation’s toughest privacy law which gives consumers control over their personal data.  The California law will likely lead other states to enact their own consumer privacy acts.  It is highly unlikely that every state’s law will be identical so complying with potentially 50 consumer privacy laws would be problematic for most companies,” warns Magrath.  It’s also worth noting is that in the U.S., NIST is currently developing a Privacy Framework. Like the Cybersecurity Framework, the Privacy Framework will be a voluntary tool and will be available for ‘organizations to better identify, assess, manage, and communicate about privacy risks’ so that individuals can enjoy the benefits of innovative technologies with greater confidence and trust.”

Words of Warning

Perhaps the most somber assessment comes from Acceptto CEO Shahrokh Shahidzadeh, whose Oregon-based company is a provider of Cognitive Continuous Authentication. His warning is that everyone should assume that their credentials have already been stolen, even those credentials that haven’t been yet created.

“Due to the frequency of data breaches, we all must operate under the assumption that it’s only a matter of time that we become aware of the fact that our credentials and personal information are compromised. Protecting our citizens' identity and privacy requires new regulatory measures and the collaboration of private and public sectors including all (large or small) companies that today are taking overt advantage of harvested consumer data that is readily available for corporate welfare but not well protected,” Shahidzadeh says. “2019 is the year of new solutions that employ a combination of multi-modal and contextual controls that continuously and accurately protect user identity and privacy with the assumption that all your online credentials are already compromised.”

 About the Author:

Steve Lasky is a 32-year veteran of the security industry. He is the editorial director of SecurityInfoWatch.com Media Group. He can be reached at [email protected].

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is Editorial Director of Security Technology Executive, Security Dealer & Integrator magazines and SecurityInfoWatch.com.