The need for safe space is essential, whether we’re fabricating stone fortresses or designing virtual privacy perimeters. The Internet of Things (IoT) offers consumers convenience, efficiency, collaboration, and expanded products and services. However, concerns about privacy and data security pose major challenges to the industry.
Data breaches can involve any unauthorized access to consumer or company information by someone inside or outside the company. The main causes of a data breach are malicious or criminal attack, system glitch, or human error. High-profile data breaches that put consumers most at risk involve events in which hackers access an individual's name together with a medical record, a financial record, a debit card, or some combination of these. A number of risky practices leave a company vulnerable to a breach.
- Data retention – Data cannot be stolen if it’s not retained. Certain personal and financial information is vital to business processes. However, companies must critically consider their approach to information retention in order to minimize and manage risk. Considerations include: how much information is retained, how long a company retains it, whether data is encrypted, which data is depersonalized or anonymized, and who has access.
- Employee practices – While hackers make the headlines, the Online Trust Alliance suggests that 90% of data breaches in the first half of 2014 were caused by employee errors and transgressions. Forensics traced the Target breach to a phishing scheme that lured a Target HVAC contractor onto a fake company website where network access credentials were stolen. Ongoing training of employees and third-party vendors on security procedures and their importance is vital to minimizing risk.
- Security budgeting – For data security, as with any business function, the pragmatic question is “how much spending is enough but not excessive?” Security professionals and senior management do not always see eye-to-eye. Management values productivity and fiscal prudence. Security, on the other hand, is tasked with establishing its value by “proving a negative,” that is, what didn’t happen because money was spent.
- Third-party relationships – Given the interdependence between businesses and third-party services, the security practices of everyone in the supply chain need careful scrutiny. Critical issues in managing these third-party relationships include deciding at what point information is depersonalized, how long data is retained, and ongoing compliance assessments to ensure consistent vigilance.
- Low bar of compliance – An undercurrent for many of the risks that companies take is a philosophy of minimal compliance: spending as little money and effort as necessary to comply with regulations and avoid regulatory fines. What seems cost-effective can leave a company's assets vulnerable, especially when regulations fail to keep up with advances in technology. Compliance typically redresses a breach after it is discovered; more advanced practices are predictive.
If data is valuable to a company, it’s certainly valuable to someone else. In a world of hackers, errors, and vulnerability hunters, the gathering and retention of data carries the inherent risk of being compromised. With the escalating volume of data attacks and the expanding number of threat surfaces, the industry must safeguard consumers and the data that’s an extension of them in the virtual world.
For more information on data privacy and protection in the age of the Internet of Things, see my report Privacy and Big Data: Safeguarding Consumers.
I will also be moderating a panel on this topic during Parks Associates' CONNECTIONS Summit at CES, called "Personalization and Big Data: Securing Consumer Privacy." Confirmed speakers include Cisco, Facebook, Intel Security, NXP Semiconductors, Verimatrix, and Zubie. If you are planning to attend CES in January, I would love to see you there!