We’re halfway through 2019. And already we’ve seen several major developments highlighting the cybersecurity and privacy complexities of our connected world.
Letting down our guard
Let’s start at the beginning.
The New Year is typically associated with champagne, party hats and resolutions. And there was plenty of that. But ringing in 2019 wasn’t a party for everyone – including 800,000 federal employees impacted by the government shutdown.
The shutdown created other problems, too. It intensified the country’s cybersecurity risk.
Just weeks after it was launched, the Cybersecurity and Infrastructure Security Agency and other Homeland Security organizations were operating with skeleton crews. That created concern that sophisticated hackers might strike when our defenses weren’t at full force.
We were lucky that didn’t happen. We might not be so lucky if we let down our guard again.
Addressing personal data privacy
Around the same time, the California Attorney General’s Office was holding forums and gathering public comments on the CCPA, the California Consumer Privacy Act.
The CCPA will require businesses to be transparent about how they use personal data. It will require them to stop selling personal data to third parties when people request that they do so. It also requires businesses to delete personal data on request.
This means more organizations will need to improve their overall security strategies. That will involve the widespread use of encryption. These businesses also need to get better at communicating how they are safeguarding consumers’ data.
Even before Silicon Valley’s home state enacted the CCPA, the European Union passed GDPR.
The General Data Protection Regulation requires organizations to limit their data collection to the specific task at hand. And it makes them delete personal data when it’s no longer needed.
Businesses must inform people of what they do with their personal data and for what purpose. People can demand that a company provide all the information it has on them. Individuals also can request that a business correct or delete their personal data.
Organizations failing to comply with GDPR face hefty fines.
This isn’t a hollow threat, as French regulators’ $57 million Google fine helped illustrate. Officials say Google didn’t properly disclose its data collection practices to users.
Facebook is the subject of numerous GDPR investigations, too. That includes 10 in Ireland alone.
These high-profile policy developments signal that companies need to become more vigilant about building consumer trust. That will help them meet new regulations and avoid fines. And it will assist businesses in appealing to and keeping customers.
It’s just good business strategy.
Inviting cybersecurity risk and privacy invasion
While the CCPA and GDPR help protect personal data, other laws invite privacy invasion.
Australia’s new encryption laws and new legislation in Japan are examples of the latter.
The Assistance and Access Bill in Australia is a lengthy, complex and controversial piece of legislation. But it may allow law enforcement agencies to ask communications companies to remove authentication systems or encryption. And it could require service providers to silently add law enforcement to group chats or calls.
That has raised the hackles of privacy experts and leading tech companies. They say requirements to add law enforcement “ghost users” on encrypted chats could create new risks.
The new Japanese law allows the government to hack into citizens’ IoT devices. The stated goal of this effort is to compile a list of vulnerable devices. Internet service providers will then get the list so they can alert consumers about endpoint insecurities.
The five-year effort has prompted legal and ethical hand-wringing. But Japan’s government took this extreme step to prepare for the 2020 Summer Olympics and Paralympics.
Encouraging hacks certainly sounds odd. But there is some logic to it.
International sports events have triggered cybersecurity alerts in the recent past. World Cup attendees last year received warnings that they were at risk of hacks by state-sponsored actors.
Plus, many IoT device manufacturers tend to overlook privacy and cybersecurity. And users are often their own worst enemies when it comes to data and device security.
Some IoT device manufacturers are working to address security, however. They’re using digital certificates, embedding security into their devices, encrypting sensitive data collected by their connected devices, and more.
That’s a good start. But IoT device manufacturers can’t address security alone.
Consumers need to get involved by taking common-sense steps to protect themselves. That includes personalizing their devices, rather than keeping them on default settings. That way they can decide what level of security and privacy works best for them.
Business users also need to take an active role in cybersecurity and data privacy. That’s important considering that 54% of respondents to nCipher’s global survey ranked employee mistakes as the top threat to sensitive data.
Meanwhile, IT leaders should evaluate their businesses’ cybersecurity and data privacy processes, technologies and strategies. And they should be sure encryption is part of them.
Our research indicates that nearly half of the businesses in the world apply encryption consistently across their enterprise. Nearly half of the companies across the globe use hardware security modules (HSMs). And half the businesses in Saudi Arabia and the United Arab Emirates use HSMs.
These numbers are encouraging. But there’s plenty of room for improvement.
We’re about halfway there.