Brought to you by HID Global
By Alex Tan
The world is expected to produce and consume 94 zettabytes of data in 2022 – an amount that will skyrocket to 463 zettabytes per day by 2025. It’s an almost unfathomable volume of information to which each Internet user contributes about 1.7 megabytes per second or nearly 147,000 megabytes per day.
Yet very little of that data is safe from prying eyes and bad actors. By the end of 2022, cybercrime will carry an expected cost of US$6 trillion rising to US$10.5 trillion by 2025.
It doesn’t have to be this way, however. About 80 per cent of data breaches could be prevented with good cyber hygiene practices and education, particularly considering recent findings that about 97 per cent cannot identify a phishing email, leaving one in 25 to click on them and open themselves and their data up to cyberattack.
Leaving things to chance is simply not an option, as cyberattacks have emerged as the fastest growing crime worldwide, led in the United States by phishing (38 per cent) and network intrusions (32 per cent).
Thus, in the world of data privacy, knowledge is power and regulatory compliance is paramount.
Privacy versus security
While data privacy and data security are related, understanding the differences is the imperative first step toward keeping the personally identifiable information (PII) hackers and other bad actors covet safe from harm.
Data security is the process by which PII is kept safe from breaches, cyberattacks and other unauthorised access. It refers to the actions taken to ensure data is accurate, reliable, available to authorized users, and safe from accidental or intentional disclosure.
Data privacy, on the other hand, refers to governance – the policies and procedures that dictate how data is collected, stored, and shared.
For example, data security is undertaken with such tools as access management, loss prevention, anti-malware, antivirus, and event management software, while data privacy tools include browser extensions and add-ons, password managers, private browsers and search engines, encrypted messaging, file encryption and advertisement trackers and blockers.
An organisation can have top-of-the-line security tools and procedures in place, but still be non-compliance with privacy regulations because it fails to obtain required consents to share PII with a business partner. Conversely, it is not possible to achieve data privacy without security.
Worldwide, data privacy mandates are piecemeal at best. The US, for example, does not have federal regulations governing data protections; rather individual states are passing laws to protect its citizens. This creates a complex compliance web for organisations that operate in multiple jurisdictions.
The European Union (EU), on the other hand, has enacted what many consider to be the toughest and most far-reaching privacy and security laws in the world.
The general data protection regulation (GDPR) applies to any company or organisation that markets goods and/or services to EU residents regardless of their country of origin.
The GDPR is built upon seven key principles – lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability – that guide how PII is handled.
Failure to comply can result in massive financial penalties, as Amazon discovered when it was hit with a €746 million (US$776 million) fine for carrying out advertising targeting without proper consent. Whatsapp was hit with a €225 million (US$234 million) fine for transparency violations.
China recently enacted its Personal Information Protection Law, which bears a resemblance to the GDPR in that it requires user consent when PII is transferred abroad and requires the receiving party to inform the individual of how their data will be used if it is different from the original purpose.
It also authorises the Chinese government to block any foreign organisations, companies, and individuals from accessing its citizens’ data and provide retaliatory measures in cases where a foreign government does the same.
Further, if an entity needs to move PII beyond China’s borders, it must pass a security assessment; be certified for personal information protection; be concluding a contract with a foreign party in accordance with government standards; or meet “other conditions” set by government agencies.
While laws and reputations can force companies and other organisations to protect PII, there remains a level of personal responsibility to not only understand risks but to also practise proper cyber hygiene rather than relying on the data privacy and security policies and procedures of others.
At its most basic, good cyber hygiene is protecting what you share online, for example not advertising your planned vacation on social media and taking care not to post photos or other documents that might inadvertently reveal PII.
Truly effective cyber hygiene goes beyond what you share to ensure your data is safe regardless of where and how you store it.
Understand encryption levels available for personal computers, smartphones, and any other connected device, and devise strong passwords that are changed frequently. Keep software updated, which helps close any security gaps that developers are made aware off.
The organisations that collect, store, and share PII are equally responsible for data privacy. Regulatory compliance – while important – should be considered the PII protection floor in most cases. It is imperative to gain a comprehensive understanding of an organisation’s privacy and security practices before entrusting data to it.
For example, while mobile technologies are popular for their ability to deliver contactless security and frictionless access control, they are only as good as their encryption, credentialling and data protection capabilities.
According to HID Global’s 2021 State of Physical Access Control Report, 36 per cent of respondents reported using less secure credential technologies; specifically, 125-kHz low-frequency proximity cards, legacy products that offer convenience and reliability but extremely limited security and privacy.
Another 40 per cent reported using even older and less secure technology, including 23 per cent that reported using magnetic stripe cards and 17 per cent using barcode technology – continued use of which exposes organisations to the risk of credential spoofing and cloning.
However, it is not only legacy technology like cards and barcodes that heighten risk. Multi-technology readers that remain enabled to read legacy credentials after the completion of the migration increase risk as well.
Thus, it is important to seek out solutions that are based on evolving standards, such as Open Supervised Device Protocol, that are evolving and therefore future proof.
Building data trust
KPMG shares several recommended actions organisations can take to shore up what it has identified as the four anchors of trusted analytics, which are quality, resilience, effectiveness, and integrity. These are:
Assess trust gaps by performing an initial assessment to see where trusted analytics are most needed and can therefore be the primary focus.
Clarify and align goals so the organisation’s purpose for collecting data and running analytics is clear for all involved. An important aspect of this goal setting is to measure performance and impact and sharing that information with users.
Raise awareness of data and analytics to increase internal engagement among users, including creating a team of decision-makers and IT/business leaders for collaboration.
Build organisational expertise in analytics quality assurance.
Improve and encourage transparency by enabling independent assessments by creating cross-functional teams, third-party reviews, peer reviews, and stronger quality assurance processes.
Build ecosystems that eliminate silos and examine the value and risk that data and analytics can bring to the organization and create cross-departmental teams to build data and analytics communities.
Develop a model for innovation and incentivise employees and teams for innovative processes.
By taking a proactive approach to hardening anchors, organisations can build an environment of trust in its data privacy and security.
Function over form
Ultimately, the most important consideration when determining the privacy and security of PII is just how high a priority it is for any organisation that touches data. More user-friendly options are attractive, but they should not outrank system privacy and PII protection.
Data, especially, personal data, is of enormous value to the organisations that control it. Its protection should be paramount. Which is why individuals have the right to understand how well it is safeguarded by those to whom it has been entrusted.
Most importantly, when the organisation “borrowing” their data is not sufficiently transparent about its use and protection protocols, the owners have every right to be forgotten – to have their personal data deleted or “erased” upon request – when information on safeguards is not sufficiently transparent.
The best protection is to ensure PII is shared with only those who place the highest priority on its safety.
Alex Tan is the commercial director of physical access control solutions for Asean for HID Global