When privacy cybersecurity controls apply to non-private information

The individual’s rights to privacy in the digital world are protected by relevant state and federal privacy legislation. These rights are being sorely tested, however, with the digital privacy debate turning into an unequal three-cornered fight over who gets to own the value inherent in the individual’s online lifestyle patterns.

  • In the first corner, we have those looking to monetise the individual’s digital lifestyle patterns, supported by technologies such as Big Data. These include our globally dominant landlords such as Google, Microsoft, Amazon and Facebook, all vying for a slice of the $117 Billion annual spend on digital advertising.
  • In the second corner, we have regulators who are passing laws aimed at protecting the individual’s rights to privacy. The Australian Government’s attempts at revising Privacy legislation and the EU’s privacy legislation revamp are two such examples.
  • In the third corner, we have the global ecosystem of security and related agencies which remain, for the most part, invisible and seem to act with relative impunity. The much-publicised PRISM debate over the U.S. National Security Agency’s covert surveillance is one such example.

Overshadowing this three-cornered competition is the cybercriminal community. The 2013 United Nations Office on Drugs and Crime Comprehensive Study on Cybercrime is sobering reading for executives in organisations which have not really considered themselves a potential target.

Your business through the privacy lens

From the legal standpoint, the Corporation is treated as a person, and that is where the analogy between the individual’s rights to privacy and the corporation’s rights to the protection of its proprietary knowledge begins.

Let’s assume you replaced the word ‘Privacy’ with ‘Intellectual Property’ or ‘Competitive Information’. As a business owner or executive, would this change your position on how you approach, and invest in, the controls over the retention, security and management of your organisation’s information in all its varied forms?

The illicit and unauthorised use of either the individual’s private information or your organisation’s sensitive information can result in significant damage. For the individual, this can extend from a simple banking fraud to a comprehensive theft of identity, which can have devastating consequences for the victim. Likewise, for the organisation, the impact of the accidental loss or deliberate theft of proprietary knowledge could vary from the trivial to the ultimate failure of the organisation. The gradual demise of the once-substantial Nortel at the hands of Chinese hackers is a case in point.

Keep an eye on your data slum

The information that may be worth more to others than it is to you extends far beyond your transactional databases, trademarks, patents and other artefacts ‘protected’ by law. Large amounts of unstructured data, typically in the form of spreadsheets, Word documents and emails, tend to form in messy, unplanned data slums. It is often this unstructured data that contains the rationale for your executive decision making, organisational strategies and investment plans. Much of this data’s value degrades with the passage of time, so should this information be syphoned off in near real-time, the potential risk to your organisation could be significant.

Your data slums in the Cloud

When it comes to Cloud computing, you are reliant on the security controls of the service provider. When using network and file storage services in the Cloud, the security over this information should be carefully assessed against your risk profile. The reported security problems faced by Dropbox are one example of the potential challenges of Cloud for CEOs or CFOs concerned about competitive information retention.

Assess claims made by single-minded technology evangelists about the appropriateness of any particular technology offering with a degree of rigour and due diligence in proportion to the sensitivity of the information in question.

Ensuring that your organisation’s secret herbs and spices, contained in that single spreadsheet, do not end up in the wrong hands may just save your business.