Solving data privacy challenges starts with people-centric security

April 28, 2022
Organizations should focus on the people layer with the same meticulousness as they approach the network, endpoints and applications

The pandemic drove organizations worldwide to undertake digital transformation quickly and at scale. This change has underscored both the value of data and the need for data privacy. While data has long been the currency in our digital, interconnected world, businesses face mounting pressure to protect this asset.

Governmental regulations are one example of the response to that pressure. Last year, China became the latest nation to enact sweeping privacy regulation, the Personal Information Protection Law (PIPL), to protect personal data and regulate how it is handled. The law took effect barely two months after it was passed, so businesses are still scrambling to work out what compliance will look like. But the bottom line is that governments are taking a closer look at privacy, and the mandates will continue to pile up.

One challenge for security leaders in this evolving regulatory environment is how to minimize risk and protect data while threat actors constantly innovate. Your data is everywhere, and your people can access it from anywhere. To minimize your data risk, you need to view your people as the conduit to that data.

Far too often, we focus on the technical parts of our environment and the physical perimeter. In today's environment, that approach is outdated. People create the biggest vulnerabilities, for example by falling for a phishing or email account compromise lure and clicking a malicious link or attachment that appears to come from someone they trust. We need a people-centric security framework so we can defend our users with the same rigor we apply to the network and endpoints.

The Importance of the Human Element

Your organization uses your data as currency, but so do threat actors looking to break into your environment. The attackers rely on your people’s risky behavior or human error, such as careless employees who click on the wrong links or negligent employees who take shortcuts.

In 2020, for example, social engineering was by far the most-used attack technique, according to our annual report, “The Human Factor 2021.” That is consistent with Verizon’s 2021 “Data Breach Investigations Report,” which found that 85% of data breaches involved a human element. In other words, employees and other users are doing much of the work that threat actors need done in order to succeed.

Threats and threat actors have evolved to use people as the conduit to your data. You need to recalibrate for this new threat landscape.

How to Make People Your Data Privacy Defense Layer

Any solid security strategy starts with gaining comprehensive visibility. People-centric security is no different. This includes visibility both of your data and your people. Visibility enables you to determine your highest risks and prioritize mitigation.

For the people part, you must understand your human attack surface and your users' behavior. Who poses the greatest risk within your organization? Who is being attacked, and why? How are they being attacked? How likely is it that specific individuals will be compromised? What would the impact of that compromise be on your organization? These are essential questions for surfacing the people vulnerabilities that threat actors could exploit. In practice they are answered with data most organizations already collect: attack volume and targeting per user from email and web security telemetry, susceptibility from simulated-phishing results and past incidents, and impact from the privileges and data access each user holds.

From the data visibility perspective, data discovery, classification, and mapping are the first steps in identifying your digital footprint. You can’t govern and protect data if you don’t know what kinds you possess and where they reside. This process of discovering and classifying sensitive and regulated data is essential for your data governance, privacy, and security.

Once you have visibility into both people and data, you can correlate the two (to understand how users are interacting with the data), gain a more complete understanding of your risk, and direct your resources to what matters most. As security leaders, we all have finite resources. The only way to mature our data privacy and security defenses is to implement the capabilities that mitigate the risk our people pose.

Meeting Data Privacy Mandates Today — and Tomorrow

It won’t be long before another country follows China and others in rolling out new data privacy regulations. Whether these mandates mimic the gold standard, GDPR, or create unique requirements as China’s PIPL does, having the right building blocks in place gives organizations a solid foundation and puts them farther ahead in meeting governmental requirements.

Consider how our world has changed with the adoption of hybrid and remote work. People have become an even bigger attack vector in this environment. But for many security leaders, the tools and the strategy haven’t changed in tandem.

The old, technology-centric approach to security simply doesn’t work when trying to track the growing number of applications, devices, and locations that employees use outside the corporate network. We need to focus on the people layer with the same meticulousness as we approach the network, endpoints, and applications.

Incorporating people-centric threats into our broader risk-management strategies better positions us to defend the human perimeter. By marrying data protection with the understanding of the people risk, we can start implementing data privacy processes and procedures holistically across our organizations.

About the author: Lucia Milică serves as VP, Global Resident Chief Information Security Officer at Proofpoint, a leading cybersecurity and compliance company. She is a senior technology leader with over 20 years of extensive technical and business experience. In her previous role, Lucia was the VP, Chief Information Security Officer and Chief Privacy Officer for Polycom, where she managed all aspects of data privacy and information security. She has also held leadership and technical roles in IT governance and strategy, security risk and compliance, corporate and product security, data privacy, and IT infrastructure at other companies, including HP, Palm, Wells Fargo, and Franklin Templeton.

Many organizations in the cybersecurity industry and broader business community have asked her to speak at their conferences, symposiums, and other events. She has extended her contributions to her profession by serving as an advisory board member and active participant in the cybersecurity industry and relevant industry groups, including board membership on the National Technology Security Coalition, and service with the Department of Health and Human Services (HHS) 405(d) Cybersecurity Task Group, SC Media Advisory Board, and Forbes Technology Council. She has a Master of Science in Information and Cybersecurity degree from the University of California, Berkeley. She also holds a Master of Business Administration and a Juris Doctor degree.