With Cybersecurity Awareness Month in full swing, data leaks and privacy conversations continue to dominate the headlines. In fact, our research has found that organisations have lost an average of nearly $1 million due to cyber-attacks. And what’s more, 44 per cent of IT leaders report that their organisations had suffered a cyberattack in the last 12 months, with an average of 29 attacks per organisation. It’s not a pretty picture.
As hackers become more sophisticated and better funded, and organisations feel the effects, are there any lessons we can learn from history to ensure it doesn’t repeat itself over and over again when it comes to cybersecurity? Even though we are talking about modern technology, the answer is still “Yes”.
When Spartacus and his army of rebel slaves were defeated by the Romans, they only had to do one thing to earn their pardon. Give up their leader’s identity. In a bold refusal, first one man and then the whole army proclaimed “I am Spartacus!”. Unfortunately, not being able to single out the leader of the rebellion, the Romans executed the slaves for their troubles. But the ancient story might have had a very different ending if Spartacus and his friends had lived in a world with modern data protection regulation.
The right to be forgotten is a crucial part of the movement for greater ‘digital rights’ and personal control over one’s personal data. Much like a digital version of the Roman Empire, today’s businesses collect a huge amount of data on everything they touch. But new data protection rules like the General Data Protection Regulation (GDPR) require significant changes in how customer data is stored so that organisations can remain compliant with customer requests. While the law only applies to EU citizens’ data, any company that operates in the EU must comply, regardless of where the data is stored. This yields a truly global impact on data governance for almost every major company in the world.
Tipping the scales
Meanwhile, back in the US, representatives from AT&T, Amazon, Google, Twitter, Apple and Charter Communications recently went before Congress to share what they would want out of a similar privacy law. These companies were vocal about not wanting a carbon copy of GDPR for the US and would instead prefer the ability to drive privacy rules on their own terms. Unsurprisingly, consumers want to control their privacy on their own terms too, so it will be interesting to see how this unfolds.
While the US debates the potential for privacy laws in the near future, one thing is clear: companies holding personal data will need to act sooner rather than later as consumers get educated and lawmakers take notice. The reality is that personal data is running rampant, whether people are willingly giving it away or not. This is evidenced by a feature on Facebook, which allows advertisers to upload data collected offline to target consumers, and I’m sure many more examples will follow.
With regard to GDPR in Europe, even though the immediate pragmatic requirement is clear – the capability to delete accounts and any associated personal data – this task isn’t as simple as it first appears. The problem lies with organisations’ reluctance to sacrifice data, particularly as it helps to improve their own business models and profitability. For example, it’s much easier to target current and potential customers with marketing when organisations have data on their customers. The more data organisations have on these customers, the more effective they can make their marketing efforts. So businesses are now operating in a world where IT professionals must perform a balancing act of maintaining security and compliance while offering convenience.
As far as data stored in files is concerned, the scales are tipped so far towards business agility and convenience that IT often has a hard time reining in control without triggering a user revolt. But achieving security that is on par with convenience doesn’t need to alienate users. As long as businesses pick the right tools, keep users involved in the process at every step of the way, and maintain a mindset that identity is everything, the outcome will outweigh the input – reducing friction between business users and IT teams in the process.
If Spartacus was alive today
So, what if Spartacus actually lived in today’s regulated environment? While his request to be forgotten might not have been approved by the Romans (they would presumably have the right to pursue him for breaking the law) there is a question of whether his data should have been kept in the first place without his consent. With GDPR in full effect, consumers now have the right to request access to all of the data held on them – potentially causing challenges and inducing hefty fines for companies that aren’t quite sure how much personal data they have collected, where it is stored, and how long they have had it on file.
Although many online services have built-in deletion and removal options, lingering personal data is a different matter. If this personal information is located in an application or structured database, then the process is relatively straightforward: eliminate the associated account and its data is also removed. If the sensitive data is found in files – detached from applications governed by the business – then it behaves like an abandoned satellite orbiting the earth, forever floating in the void of network-based file shares and cloud-based storage. If the right to be forgotten is to be realised, then a key task is locating that personal data and enabling its deletion no matter where it resides, thus ensuring the privacy of the end user.
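The file-share case above is the hard one: before an erasure request can be honoured, the data subject’s records have to be found in exports, logs and notes that no application owns. The script below is an added illustration, not code from the article or from SailPoint, of that two-step workflow: build an inventory of every file and line that mentions the subject’s identifiers (the evidence needed to answer an access request), then remove those lines with a dry-run default so nothing is changed until the inventory has been reviewed. The file share, file names and the identifier spartacus@example.com are constructed for the example; it handles plain-text formats only and does not cover binary documents, backups or the audit record a real erasure process would also need.

```python
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    path: str        # file that holds the data subject's identifier
    line_no: int     # 1-based line within that file
    identifier: str  # which identifier matched (lower-cased)


def _iter_text_files(root, max_bytes):
    """Yield (Path, text) for every regular file under root small enough to load."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                if p.stat().st_size > max_bytes:
                    continue
                yield p, p.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip it rather than abort the inventory


def scan_for_subject(root, identifiers, max_bytes=5_000_000):
    """Inventory: every line under root that mentions one of the subject's identifiers.
    Matching is case-insensitive so 'SPARTACUS@example.com' in a log is still found."""
    wanted = [i.lower() for i in identifiers]
    findings = []
    for path, text in _iter_text_files(root, max_bytes):
        for n, line in enumerate(text.splitlines(), start=1):
            low = line.lower()
            for ident in wanted:
                if ident in low:
                    findings.append(Finding(str(path), n, ident))
                    break  # one finding per line is enough for the inventory
    return findings


def erase_subject(root, identifiers, dry_run=True, max_bytes=5_000_000):
    """Drop every line mentioning an identifier from files under root.
    Returns {path: lines_removed}. With dry_run=True (the default) nothing is written,
    so the same call doubles as a review step before the real erasure."""
    wanted = [i.lower() for i in identifiers]
    removed = {}
    for path, text in _iter_text_files(root, max_bytes):
        lines = text.splitlines(keepends=True)
        kept = [ln for ln in lines if not any(i in ln.lower() for i in wanted)]
        if len(kept) != len(lines):
            removed[str(path)] = len(lines) - len(kept)
            if not dry_run:
                path.write_text("".join(kept), encoding="utf-8")
    return removed


def build_sample_share():
    """Constructed stand-in for a file share: a CSV export, a support log and an unrelated note."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "marketing").mkdir()
    (root / "archive").mkdir()
    (root / "marketing" / "leads.csv").write_text(
        "name,email,city\n"
        "Crixus,crixus@example.com,Capua\n"
        "Spartacus,spartacus@example.com,Thrace\n", encoding="utf-8")
    (root / "archive" / "support.txt").write_text(
        "2018-10-01 ticket 41 opened by SPARTACUS@example.com\n"
        "2018-10-02 ticket 42 opened by crixus@example.com\n", encoding="utf-8")
    (root / "notes.txt").write_text("Quarterly numbers look fine.\n", encoding="utf-8")
    return root


def demo():
    """Run the erasure workflow on the constructed share; report counts at each stage."""
    root = build_sample_share()
    subject = ["spartacus@example.com"]
    before = scan_for_subject(root, subject)
    planned = erase_subject(root, subject, dry_run=True)   # inventory only, nothing written
    done = erase_subject(root, subject, dry_run=False)     # the actual erasure
    after = scan_for_subject(root, subject)
    return {"found": len(before), "planned": sum(planned.values()),
            "removed": sum(done.values()), "remaining": len(after)}


if __name__ == "__main__":
    print(demo())
```

Running the script reports two matching lines (the CSV row and the log entry), the dry run planning the same two removals, and nothing left after the real pass. In practice the inventory from scan_for_subject is what gets reviewed and retained as evidence, and the dry run is the gate that keeps an over-broad identifier list from deleting someone else’s records.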
As our online identities continue to expand and proliferate, we must work to safeguard what we consider fundamental rights. The right to be forgotten – to choose to withdraw from online services without leaving our personal data behind – is a keystone of our privacy foundation. Organisations that truly value their customers’ privacy will also value the right to be forgotten and will take measures to locate and protect their sensitive data, effectively yelling “I’m Spartacus!” on behalf of the user.
Mike Kiser, Strategist and Evangelist, Office of the CTO, SailPoint