Despite growing awareness of the severity of cybersecurity risk, organizations are less confident they are ready to meet this ever-growing challenge. But by approaching cyber risk with vigilance and implementing a robust data privacy program, it can be managed confidently.
Results from a recent Marsh/Microsoft survey – Global Cyber Risk Perception Survey Report 2019 – paint an interesting picture of the current perceptions and attitudes of organizations concerning cybersecurity risks.
Although cyber risk ranks among the top five business concerns for the majority of organizations surveyed in the study, their confidence in their ability to assess, prevent, and respond to or recover from those risks is decreasing. The study noted a substantial decrease in confidence concerning three main areas of cyber resilience:
- 18 percent have “no confidence” in their ability to understand and evaluate cyber risks.
- 19 percent doubt their abilities and have “no confidence” that they can prevent cyber incidents and attacks.
- 22 percent report having “no confidence” in their ability to manage, respond to, or recover from cyber events.
Respondents’ answers to many of the survey questions demonstrate “a striking dissonance between the high concern about cyber risk and the overall approach to managing it.” The Marsh/Microsoft research indicates that, across the board, organizations around the world could benefit from strategically implementing a sustainable data privacy program.
By doing so, a company can move beyond merely avoiding regulatory penalties and gain a competitive advantage by improving its trustworthiness among customers. In an age of increasing consumer awareness and digital interconnectivity, transparency is key to achieving and maintaining the trust of consumers, and a properly executed data privacy program can deliver just that.
Privacy Program Preparedness
Sustainable data privacy programs are not reactive in nature. They are built on frameworks that can be applied to emerging privacy regulations with minimal change. The General Data Protection Regulation (GDPR) forced many global organizations to implement privacy programs for the first time. Now, as new regulations like the California Consumer Privacy Act (CCPA) are adopted, existing privacy frameworks are expected to scale.
To find gaps in your existing privacy preparedness, the first step is to begin with the appropriate privacy framework. It is important to agree on a framework in which to document obligations and review their relative importance. The regions an organization operates in and the standards bodies it chooses to follow play a part in making that determination.
There is rarely the need to reinvent the wheel when it comes to data-privacy controls, as there are internationally recognized standards to assist in building and organizing.
The International Organization for Standardization publishes ISO 19600, a standard that offers general support for compliance programs. The idea behind ISO 19600 is that it provides broad guidance, based on internationally agreed best practice, rather than a requirements standard against which it is possible to be certified. Its use can differ depending on the size and level of maturity of an organization and on the context, nature and complexity of the activities carried out.
Once a framework is chosen and in place, it is important to perform a control audit to determine which required controls are already in place, which ones are in place but not effective, and which ones still need to be implemented. This work is what reveals the process and control gaps.
Managing Individual Rights
Subject rights represent the rights of an individual, e.g., a consumer, web visitor or employee, to make decisions and take actions concerning the data held about them. These include portability and access rights, the right to correction and the right to erasure.
An effective subject rights management system should be flexible enough to capture, catalog and respond to requests from individuals. Workflows must be in place to ensure these requests are handled within the time limits mandated by the regulations.
The perception of effectiveness of a data privacy program is driven primarily by the responsiveness of an organization to these requests. A single instance of a slow response can be amplified via social media to diminish the perception of a brand. The system has to be in place in order to respond and act quickly.
Managing Privacy With Technology
In some cases, technology has been deployed to help with the organizational and human elements of breach management – the tasks that must be performed once a breach has occurred.
Effective software can add value by expediting and choreographing the workflow that must take place when a breach occurs. This allows organizations to determine whether a breach has occurred, take action and respond, and investigate gaps in their processes to mitigate further intrusion or future breaches.
Regulations in many jurisdictions require that response take place within a short amount of time; GDPR, for instance, has a 72-hour window. Within that timeframe, an organization must take action on the breach to determine the impact, notify regulatory bodies, begin remediation actions internally, craft a message to those affected, and deliver it.
This requires a number of people acting quickly and in parallel; if there is not already a tool in place that can enforce the exact steps, sequences and dependencies, it is very unlikely that an organization will respond in time.
Improving Employee Behavior
While technology is a vital part of managing privacy, it is only one component of achieving data privacy compliance. The other component is the culture and knowledge of your employees.
Employees are one of the biggest assets of, and biggest risks to, an organization. They are also one of the hardest risks to manage, because most of the risks that employees face are ones that companies cannot see. With changes in technology and in the way people consume content and use social media, the engagement of employees is more critical than ever. In fact, it is an absolute necessity given the volatility and increasing sophistication of the threat landscape.
Awareness training is a critical part of creating a cyber-aware culture, but it is only one strand of the fabric that defines an organization. A corporate culture of cyber awareness will shape the risks its employees are willing to take. After all, employees making the right decisions is one of the most important risk mitigation strategies.
The relationship between culture and risk has strengthened over the past few years. Employees are more engaged, more productive and more likely to follow the company’s security guidelines if they feel those guidelines are driven by leadership and applied consistently.
Companies must train employees to understand what the risks are, what to do when faced with those risks, and what the right decision is. Building effective training programs will help employees make the right decisions when it comes to protecting your infrastructure, identifying a breach, and following the right process when something happens.
Managing the risks of data privacy is a significant undertaking for any organization, and it is only going to get more complex given the diversity and scope of enforcement actions. Because many organizations conduct business globally, regulations and laws such as the GDPR, CCPA, DPA 2018, Argentina Data Protection Laws, Brazilian Data Protection Laws and Convention 108 must be considered when monitoring the flow of international data.
Added to this complexity is the intersection of data privacy regulation with technology, which is likely to pose increasing challenges for regulators and organizations alike.
It is difficult to predict what these laws and regulations will mean, and making specific technology and process changes simply to comply with them will not be enough. Organizations need to take a step back and assess what it will take to develop the flexibility and agility to meet whatever emerges from the evolving privacy landscape.
Buy-in from the entire organization is therefore necessary. Organizations that lack strong executive-level involvement to effect enterprise-wide change will fail. If an organization does not yet have a sustainable data privacy program in place, building one is an important and logical place to start.