SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image

Ensuring security without compromising privacy

Mon, 18th Mar 2024

In our increasingly connected world, it's not surprising that concerns around privacy, particularly in relation to personal data, are on the rise. Questions about who has access to what information and for what purposes cannot be taken lightly. Today, governments and other regulatory bodies have developed regulations aimed at restricting the collection, processing, and access to personal data, including video footage, to help maintain privacy and mitigate the risks of criminal cyber activities. 
 
At the same time, acquiring digital information is a vital component for protecting people and assets. Governments and private businesses frequently collect sensitive data from individuals using the spaces in and around their facilities. This can include personal identifiable information (PII), such as surveillance footage, photos, and license plate information. Does this mean that we have to sacrifice privacy for the sake of securing physical environments? The answer is, most assuredly, no. Organizations just need to develop their security strategies with intention.  
 
While the concept of privacy can be understood in different ways, from a security perspective, it is essentially about being able to keep personal matters to yourself. For individuals, data privacy means having the right to control how personal information is being collected and used as well as avoiding unauthorized access to information.  
 
When an organization does not make privacy protection a cornerstone of its security policies, it becomes an afterthought, which can lead to the impression that privacy and security are at odds with one another. This does not have to be true.  
 
Organizations can choose to work with vendors who develop tools that include privacy protection by design. They can select and deploy solutions that are hardened against cyber threats by manufacturers out of the box so as to alleviate worries around system vulnerabilities. These solutions should also give them complete control over their data so that they can adjust protection methods and processes to meet evolving regulations and should also help them configure the system to define who has access to sensitive data and footage without slowing down response times or investigations.  
 
A time of digital transformation and big data 
 
There seems to be no limit to the number of devices being connected to our infrastructures. As internet connectivity becomes more widespread and affordable, more of us are able to connect everyday items, including phones, alarm systems, and lighting equipment, to our networks. While this helps improve accessibility and usability, it can also increase system vulnerability by providing more network connections to attack. 
 
Our response to the COVID-19 pandemic has accelerated this digital transformation on a global scale. This is particularly true in relation to the Internet of Things (IoT). When organizations asked employees to work from home, they required even greater connectivity as well as easier access to information from a larger pool of devices and multiple locations. In essence, governments and private businesses were extending their networks far beyond their office buildings.  
 
This has led to increased concerns about data privacy, particularly as cybercriminals have taken advantage of potential system vulnerabilities, human errors (social engineering), and failure to implement best practices (using weak passwords, sharing personal credentials, clicking on suspicious links, etc.). As we connect more devices and applications to our networks, the risk of people's data ending up in the wrong hands becomes even greater. The result has been that our public health needs are raising further concerns about how to properly protect data and people's right to privacy.  
 
The role of legislation  

Governments and other regulatory bodies have an important role to play in mitigating the risks associated with criminal cyber activity and protecting privacy. As we know, cyber threats are not decreasing. From system hacks to DDoS attacks to the increased prevalence of ransomware attacks, criminal cyber activity is on the rise. 
 
To address this, governments have developed legislation that holds businesses more accountable for data privacy or cybersecurity breaches. The European Union's General Data Protection Regulation (GDPR) is the most notable mandate enacted to date. But others, including California's Consumer Privacy Act (CCPA), Canada's Personal Information Protection and Electronic Document Act (PIPEDA), and Brazil's General Protection Data Law (LGPD), are also having a major impact on the way we shape and deploy security systems.  
 
Regulatory bodies are also issuing compliance standards across vertical markets. For example, the United States Department of Health and Human Services issued the Health Insurance Portability and Accountability Act (HIPPA) to protect the privacy and security of health information.  Similarly, the North American Electric Reliability Corporation ("NERC") has issued the Critical Infrastructure Protection ("CIP") standard. These regulations and standards can specify how to secure a facility, protect data, and manage operations. As a result, organizations must sometimes adhere to multiple evolving standards and laws simultaneously.  
 
The cost of compliance 

According to a Privacy Risk Study done in 2020 by IAPP, 43% of organizations are working to comply with anywhere from two to five different privacy laws. What's more, complying with increasingly stringent laws and regulations across geographies and industries has put a strain on many organizations' resources. 
 
Achieving compliance usually involves labour and time-intensive tasks, including revising and implementing corporate policies, auditing procedures and systems, and re-investing in new technologies. Many organizations are currently struggling to find the staff and resources necessary to support privacy policies.  
 
To make the issue more complicated, new questions about who is ultimately responsible for protecting data and privacy are emerging. Gartner, the global research and advisory company, predicts that, by 2025, 75% of CEOs will be personally liable for both cyber and physical security system attacks. This will surely lead to greater focus from top-level management on implementing physical security solutions that prioritize cybersecurity and privacy compliance. 
 
To mitigate risks and keep costs under control, organizations need a single strategy, built on strong cybersecurity and privacy principles that work for them today and into the future. The good news is that, in 2020, IAPP also found that 565 respondents are working toward a single, global data protection and privacy strategy that can be tailored to jurisdictional requirements as needed. The question now is, how do we get there?  
 
Adopting a unified approach is key 

Adopting a unified approach to cybersecurity and data protection helps simplify processes and keeps compliance costs down. It allows organizations to streamline data protection and privacy policies across their entire network and enables them to adapt to evolving threats and mandates. When various cyber defense and privacy protection measures are accessible in one platform, organizations can respect privacy while remaining compliant. 
 
Privacy-by-design 

While policies and regulations aimed at preventing data breaches and privacy violations are a good idea, they don't provide enough protection against cyber-attacks since they penalize organizations after the fact. Organizations need a more pro-active approach that includes a privacy-centric focus when designing a comprehensive data protection and privacy strategy.  
 
A privacy-by-design approach involves pro-actively embedding privacy into the design and operations of IT systems, networked infrastructure, and business practices from the first line of code to third-party vendors. Adopting this approach can have a positive impact on cyber security and can help organizations meet their strategic goals. 
 
When software and hardware developers also adopt a privacy-by-design approach, it ensures higher levels of data protection without infringing on a technology's evolution. By centering on the principle that respect for individual privacy is the foundation of responsible and innovative design, following this approach enables forward-thinking developers to build this principle into the products they create. 
 
Choosing the right technology 

When it comes to physical security technology, organizations need tools that allow security professionals to gather and manage data, including video, while supporting compliance with privacy laws around the world. They need solutions that are designed to help enhance cyber hygiene and respect privacy regulations by making data and privacy protection features accessible and configurable. They need physical security solutions built with privacy in mind.  
 
Genetec solutions are designed to help organizations ensure that their physical security data complies with industry standards and privacy legislation around the world. KiwiVision Privacy Protector, for example, automatically obscures faces that are captured within a camera's field of view. This add-on to the Genetec Security Center unified platform ensures that operators only have access to the information they need to complete their tasks. And when an event warrants an investigation, accessing the unobscured footage requires an additional layer of permissions.  
 
With the Genetec Clearance digital evidence management system, law enforcement organizations can gather and share reliable evidence that protects everyone's privacy. With built-in video redaction and secure user management, the identity of victims, bystanders, witnesses, and police officers remains protected at all times. When an investigation requires collaboration, Clearance makes it easy to give external access to certain pieces of evidence via secure links with fully encrypted data. The system also helps end-users set access permissions to sensitive data and footage without slowing down investigations and incident response. This way, end users have control over this data so that they can adjust protection methods and processes to comply with privacy legislations based on where they are located in the world. 
 
Trust is essential: Don't compromise 

Technology vendors have a social responsibility to help customers reach the highest levels of data protection and privacy. Customers want partners who build secure and compliant solutions that help them protect sensitive information. They need partners who keep up with emerging risks and work pro-actively to distribute fixes and new solutions. In addition, they also need partners who are forthcoming about potential vulnerabilities and keep communication open to mitigation risks.  
 
At Genetec, we are committed to building secure and compliant solutions that help protect privacy without compromising physical security. We are transparent about emerging threats and provide our customers access to the latest data protection and privacy features. We also work with our technology partners to build a network of trust—an ecosystem of technology vendors that value data protection and confidentiality. We believe that protecting privacy is everyone's responsibility so that together, we can create a safer, more secure world.  
 

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X