Championing Privacy-First Security: Harmonising Privacy And Security Compliance
Emily Hancock, Data Privacy Officer at Cloudflare explains that while creating any data security plan organisations must focus on data privacy to safeguard the personal data of their customers and employees
The conventional perception often pits security against privacy. Establishing robust security measures involves identifying potential threats, yet this process may involve scrutinising sensitive or personal data, posing a risk to privacy. In truth, the key to ensuring data privacy lies in the implementation of effective data security. A meticulously crafted, privacy-centric security programme not only provides substantial advantages to any organisation but also mitigates potential privacy concerns.
Security vs. privacy misconception
The notion that security and privacy are in conflict arises when these two concepts are taken to their extremes. Within this perspective, any potential access to sensitive data is perceived as a breach of privacy, something to be avoided at any cost. Embracing this viewpoint significantly hinders the effectiveness of security programmes in identifying and addressing potential threats.
Take, for instance, the realm of network traffic analysis. Packet inspection, a crucial tool in corporate cybersecurity, is commonly implemented through firewalls, seen as a fundamental security measure in various jurisdictions globally. By scrutinising the content of network packets, it becomes possible to detect potential malware infections, data exfiltration, account takeover, and other threats. However, from a privacy standpoint, concerns arise when packet inspection involves personally identifiable information (PII) or other sensitive data. From a privacy absolutist perspective, a preference is often given to end-to-end encryption with no packet inspection. On the surface, these two viewpoints—ensuring necessary security and safeguarding personal data—may appear incompatible. Nevertheless, regulators emphasize that providing reasonable security is crucial for protecting data privacy, as evident in numerous privacy regulatory enforcement actions against companies experiencing security breaches. We believe that data privacy and security leaders can reconcile the apparent conflict between security and privacy absolutism, but it necessitates adopting a different perspective on data privacy and security altogether.
What are the potential threats?
Both data security and data privacy programmes are founded on the core principle of risk management. Aligning the objectives of these programmes entails examining the conceivable threats to an organisation’s data. For any entity handling personal data, ensuring the security and privacy of such information is paramount. A primary concern within a data security programme is the possibility that security solutions might inadvertently access personally identifiable information (PII) and other sensitive data while carrying out their functions. These tools, which could include email scanners, network packet analysers, or file inspection systems, may inadvertently come across such confidential content.
Another significant risk to both corporate and customer data is the potential exposure to cybercriminals. For instance, contemporary ransomware tactics involve stealing and disclosing sensitive data if the targeted company refuses to pay the ransom. Even compliance with the ransom demand offers no assurance that the data will be erased and won’t be disclosed. Avoiding these risks entirely is impractical. An effective security programme necessitates access to data, and inadequate security measures virtually guarantee the occurrence of data breaches.
Discovering a Path Toward Privacy-First Security
When security solutions are crafted with privacy as a central consideration, organisations can deploy robust security measures while safeguarding the personal data of their customers and employees. A comprehensive cost-benefit analysis reveals significant advantages in adopting a privacy-first approach to security.
For instance, proactively blocking malware before it infiltrates an organisation’s systems can avert a potential data breach. Given the average cost of $4.45 million in 2023, coupled with the consequential impact on brand reputation and legal ramifications, preventing even a single data breach becomes paramount for any company. Hence, the importance of industry-leading security measures is indisputable. Any reputable security company should provide solutions that limit its access to sensitive data and ensure the protection of the personal data entrusted to its care.
Creating a Security Programme with Privacy at the Forefront
Privacy and security can coexist harmoniously. A privacy-first security programme assesses the risks associated with both implementing and not implementing security measures. If the advantages of deploying a security solution, such as email scanning, outweigh the drawbacks — which is highly probable — the organisation should proceed with the careful implementation of this capability. When determining the suitability of a security tool for enhancing both data security and privacy, consider asking the following key questions:
- Does it provide clear benefits? The potential privacy risks of a security solution are only acceptable if it also reduces the risk of a data breach.
- Does it minimise access to personal data? A security solution should minimise the amount of potentially sensitive data it accesses and processes.
- Does the company prioritise security? Check how the company has handled past security incidents and prioritised security investment.
- Does it meet regulatory requirements? Verify that the company has privacy-focused certifications such as ISO 27701 and ISO 27018, is certified to the prevailing local and international data privacy frameworks. If a company has these certifications in addition to standard security certifications such as PCI DSS, ISO 27001 and SOC 2 Type II, it’s a great sign that a vendor goes above and beyond on privacy and security.
Assessing all these criteria for the 60+ security tools typically employed by an average organisation can be a substantial undertaking. This underscores the compelling case for security consolidation. Conducting thorough due diligence on a single vendor offering a comprehensive suite of capabilities is more manageable than conducting a superficial assessment of multiple individual point security products.
Privacy-led security
An essential factor supporting security driven by privacy is the extent of the Cloudflare network. Covering 20% of all Internet sites, Cloudflare shields a significant portion of Internet traffic, contributing to Cloudflare’s threat intelligence without jeopardising the privacy of end users for its customers.