Fresh off returning from the recent IAPP (International Association of Privacy Professionals) Privacy, Security, Risk 2016 Conference in San Jose, I saw first-hand how security and privacy professionals are now working hand-in-hand. The need to keep information and data secure and private is an absolute must in today’s digital economy and the Internet of Things (IoT) market explosion will continue to emphasize this need. On top of that, new compliance regulations and corporate policies are making it increasingly more important for security and privacy professionals to be aligned at the hip.
There’s no doubt that highly publicized data breaches continue to put everyone on edge. Consumers are concerned about their private data being exposed, while companies fear the devastating effects on brand reputation and legal repercussions. Just yesterday, Yahoo announced that a hack in 2014 has exposed personal data of 500 million of its users. The breach included personal information, such as names and emails, as well as “unencrypted security questions and answers.” The fact that this event happened in 2014 and details are just coming out now is a topic for another discussion. I’m sure privacy professionals will have plenty to say about that.
Where Security and Privacy Intersect – It's All About the Data
While securing data and access is our primary focus, privacy policies are also addressing how organizations collect, store and use personal information. All along that path, security needs to be addressed – from encrypting private data transmissions to adding multi-factor authentication for usernames and passwords to securing email communications and more.
Now, the Internet of Things is adding exponentially more devices and resulting data, but potentially many more vulnerabilities as well. Depending upon the industry research firm you follow, there will be 20-50 billion connected devices by 2020 - from wearables to home automation to connected cars to industrial systems and more, all collecting data about us and our businesses.
Are we prepared for this? At this point in time, it’s hard to say. Consumer IoT devices are being released to market on a daily basis. Some vendors are taking security seriously, while others are just trying to get their products to market before the competition. In the industrial space, there are groups now defining security best practices such as the Industrial Internet Consortium (IIC) that just released its security framework this week.
What Can We Do Today?
Every organization faces key security challenges that also impact privacy. Here are five areas that should be addressed and improved now:
- Encryption – how can we keep information secure and private?
- Authentication – how can we ensure only the right people and devices securely access the right services?
- Passwords – we just cannot rely on passwords alone any more. What can we do differently?
- Email Security – how can we protect ourselves and our businesses from targeted attacks and keep our emails secure and private?
- IoT Scalability – can we scale our security capabilities?
Public Key Infrastructure, or PKI, is a great place to start, with the ability to issue Digital Certificates to users, devices and services. It should be an essential component in your IT Security tool box. Certificates and PKI systems have been around for decades and are built on industry standards. While many people associate PKI with SSL/TLS Certificates (the technology behind the padlock you see on public sites), it’s capable of much more, including email encryption and signing, authenticating users and devices, and digitally signing documents and code; more recently, it has seen major adoption in the IoT sector for device identity.
Additionally, a PKI system should be able to do more than just mitigate the risk of data loss and unauthorized access. Customers and enterprises today expect their PKI systems to be scalable, to be easy to deploy and perhaps even automate some of their business processes. Most companies today use and are very heavily dependent on Active Directory as their user and device provisioning systems and it only makes sense that you leverage these existing investments, databases and policies to give your users a PKI system that’s robust and can meet all their needs.
Are You Prepared?
A 2016 Ponemon Institute study found the average cost of a data breach to be four million dollars. Additionally, the study reported that the cost of each lost or stolen record containing sensitive and confidential information increased from a consolidated average of $154 to $158.
If you are going to take security seriously, you need to ask yourself, can my business overcome the impact, both financial and otherwise, of a security incident? Will we lose our customers and can we get them back? What will happen to the reputation of our brand? What will this all cost in the end? And, ultimately can we recover and stay in business?
We know that threats will only increase and more high-profile breaches will occur. Security and privacy professionals need to continue to address this. Stronger authentication, better access control and encryption everywhere are great places to start, with PKI providing a solid foundation for achieving these goals.