AspenCore Media has taken a deep dive into the question of Where Security Meets Privacy in the 21st Century. Included in this Special Project are: Sitting at the Crossroads of Cybersecurity and Privacy, Designing Hardware for Data Privacy, and Facial Recognition: The Ugly Truth.
The rise of new data privacy regulations with strict mandates for the handling of personal data – along with a continued string of high-profile breaches and data misappropriation – is putting data protection and privacy at the top of corporate agendas.
These breaches and the resulting regulatory fines and exposure are having a significant impact on the reputations and bottom lines of the organizations involved. Meanwhile, all companies are building larger and larger troves of data, which requires an even greater focus on security to better protect data as it is used across an organization and shared with external parties. This requires a privacy-focused approach to the data itself, and also taking a range of steps to ensure that breaches do not occur.
How should a company think about these issues? Following are several considerations to keep in mind.
Factor in privacy as part of big data & AI initiatives
Any company or organization storing and mining ‘big data’ will increasingly need to consider both security and privacy as part of the overall strategy.
While one organization may have strong controls on its access to data, when that data is shared across organizations, the privacy policies may not be enforced along the way – leading to use of the data in ways that users did not originally intend. The Cambridge Analytica case illustrates how data can be harvested for controversial means. And now there are lawsuits in progress against four of the country’s major telecommunications companies for their role in selling access to the real-time location of their customers’ phones to a network of middlemen companies - with reports of data ending up in the hands of bounty hunters.
Artificial Intelligence (AI) also complicates the landscape – with machine learning seeing patterns and drawing inferences, which could identify characteristics that may expose individuals or groups in ways that impact privacy – such as identifying patterns suggesting a health issue such as Alzheimer’s. Information exposed in data breaches can cause issues in the short term – with passwords, Social Security numbers, passport numbers and other sensitive information released – but can also have longer-term implications due to inferences drawn from machine learning.
Build a cross-functional team
As data privacy and security continue to converge, it is all the more important to put together a cross-functional team that involves legal, information technology, data protection and privacy practitioners, compliance and those in broader enterprise risk management. This approach helps to ensure thoughtful consideration of how data is identified, protected, shared and the types of access controls that are in place.
Consider guidance from NIST
The National Institute of Standards and Technology (NIST) recently released a draft version of a Privacy Framework that's modeled on its well-regarded Cybersecurity Framework, a voluntary Framework consisting of standards, guidelines, and best practices to manage cybersecurity-related risk.
The draft Privacy Framework explains the concept of privacy risk management and provides advice for how businesses can protect sensitive data. Although the Framework deals with issues beyond security, it incorporates security considerations and explains how privacy and security overlap. NIST is currently asking for public comments on the initial Privacy Framework.
Up your cybersecurity & data protection
The Equifax breach – which exposed the Social Security Numbers, birth dates and addresses of 148 million people – was deemed ‘entirely preventable’ had the company taken basic security measures, including software updates and data encryption.
The majority of breaches occur by human error or negligence. Addressing four key areas of vulnerability can go a long way toward boosting cybersecurity across an organization. These include: weak passwords and lack of two-factor authentication; lapses in software patching; phishing or email-borne attacks that prompt people into clicking on a link that downloads malware into a system; and USB and removable media devices containing malware. These issues are being addressed in a new, free program being offered by the Cyber Readiness Institute and used by small and medium-sized companies to improve the processes necessary to help mitigate these risks.
Considering guidance from the NIST Cybersecurity Framework is also advised. The risk-based approach offers a range of ‘people, process and technology’ controls that can be scaled to an organization’s size and priorities.
The intersection between data privacy and cybersecurity will continue to evolve and pose challenges for organizations. In this shifting landscape, it’s more important than ever to identify sensitive data, consider privacy policies and take steps to ensure data protection.
Check out all the stories inside this Privacy and Security Special Project
Where Security Meets Privacy in the 21st Century
Since time immemorial, humans have been concerned with the subjects of security and privacy, but the convergence of many of today's technologies -- especially in the form of the Internet of Things (IoT) -- means that the stakes have never been higher.
Designing hardware for data privacy
Ensuring privacy of electronic data requires data security, but a secure design does not necessarily assure data privacy. Developers must consider the two together.
Facial Recognition: The Ugly Truth
AI is making automated facial recognition for mass surveillance a reality -- but at what cost?
High-Tech Distributors Grapple with Security and Privacy in the Digital Age
In the midst of the digital revolution, the stakes for electronics distributors trying to safeguard the privacy and security of customers are constantly on the rise.
Why engineers need to understand data privacy laws
Industry initiatives are underway in the U.S. to explore data privacy and how deep in the design process it should start, but in the meantime, U.S. engineers need to understand and be compliant with the EU's GDPR in a global economy.
Enhancing privacy and security in the smart meter lifecycle
Concerns about security and privacy of connected devices coalesce in the lifecycle of smart meters. Here's how IoT platforms help protect smart meters and their data despite an ever-growing number of threats.
Chip Security Emerges a Hot Topic in the Supply Chain
As more electronic devices are connected and hence hackable, OEMs are having to bring good security practices, designs, and devices into their products as soon as possible.
Also check out these related columns
Privacy Versus Security:
These two notions have never been mutually exclusive, but today's technological developments have been increasing the tension between them.
The Illusion of Security
This mini-series of articles explains how today's cyber security is like a bucket with hundreds of holes, and each software solution is a patch to a single hole. We don't need more patches; we need a new bucket!
Privacy Issues with Voice Interfaces
Voice interfaces are only going to get more common, and there is a great market opportunity for those vendors that get their product and its approach to privacy correct.
Security in Semiconductor Manufacturing
Today's manufacturing lines are increasingly prone to IP theft and reverse engineering attacks. Savvy chipmakers know to institute secure systems to guard against them.
Will the Real Root of Trust Stand Up?
Not all roots of trust are created equal, nor are they all implemented in the same fashion on silicon.
How Many Layers of Security Do You Have?
Depth of defense and principle of least privilege are two concepts system and SoC designers must embrace as they seek security answers for their designs.
Multiply and Isolate Your Roots of Trust for Greater Security (Part 1)
Security designs can have multiple entities, as well as isolation, among separate applications on a chip.
Multiply and Isolate Your Roots of Trust for Greater Security (Part 2)
In order to give you confidence, you want assurances that all applications in your secure silicon IP are isolated from each other.