How can businesses protect shared data in a remote workforce? What is the difference between data privacy and data security? How can individuals minimize the risks associated with data sharing? In the latest episode of our six-part podcast series, Get IT: Cybersecurity insights for the foreseeable future, we explore how the COVID-19 pandemic is helping shape the future of data in Canada.
In Episode five, Julius Azarcon, national leader of cybersecurity services at CDW Canada, and Dave Lewis, global advisory chief information security officer at Cisco, discuss data privacy and security best practices for Canadian businesses in today’s new normal. Here are some key takeaways.
Shifting business priorities
Over the last few months, we’ve seen a massive shift to a remote workforce for many Canadian businesses. While protecting both company and personal data has always been a priority, the pivot to remote and the erosion of organizational perimeters has forced many organizations to question the importance of data protection when compared to other operational necessities.
Canadian businesses have historically taken the protection of personally identifiable information (PII) seriously, implementing sound security measures to ensure PII such as name, age and blood type remained private. However, COVID-19 has introduced a new set of privacy and security challenges that not all businesses consider to be a priority. For many, the harsh reality of the pandemic means that the primary focus is simply keeping the lights on. Unfortunately, data privacy and security have often been afterthoughts, opening the door to error and network vulnerability.
The submarine effect
While prioritizing operations remains critical for Canadian businesses, it’s equally important not to miss a step when it comes to data privacy, as it often goes hand in hand with business continuity. If overlooked in the short term, insufficient data privacy protocols can result in increased vulnerability and risk down the road. This is often referred to as the “submarine effect” – when a problem that has been pushed aside eventually resurfaces on a much larger scale. Encrypting data at rest and in flight, controlling access to data and ensuring secure MFA or VPN access are key to preventing inadvertent exposure.
Increased online presence requires education
The remote workforce combined with limited in-person social interactions has, naturally, increased our online presence. Between connecting with friends and family through video, virtual conferencing for work, browsing social media for entertainment and relying on online platforms for education, almost everything we do today involves our digital avatar or online persona. This also means we are more connected to BYOD and IoT devices than ever before.
The average Canadian generates 1.7 MB of data per second – a number that has only increased in today’s remote landscape. Smartphones have a wide range of tracking mechanisms, from data analysis to GPS location, and the information being shared isn’t always transparent to users. With more BYOD devices entering an organization’s perimeter, it has never been more critical for businesses to educate employees on company policies and safe data handling practices when working remotely. It’s also imperative to have governance in place for discovering what data is on each device, as well as for the pacification and reconciliation of this data when required.
Canadian businesses need to ask themselves tough questions on what controls are being used to limit device or cloud data access, how they’re encrypting data at rest and in transit and whether employees are using corporate data appropriately. In order to prevent any aforementioned submarines, businesses need to have answers to these questions and continuously educate their workforce.
Data privacy and data security are symbiotic
Data privacy can only be achieved if the data is secure, meaning privacy and security are not mutually exclusive. While this concept is an IT professional’s bread and butter, it’s not always apparent to the average user. This disconnect stems primarily from user experience – while users tend to understand the need for data privacy, an appreciation for data security often only develops as a reaction to a cyber incident. This is human nature and is true in many aspects of our lives, including our homes. While we have locks, we may not always lock the door. Following a break-in, however, we make every effort to lock down our threat landscape (doors, screens, windows), perhaps even installing a home alarm system.
Canadian businesses need to re-emphasize the symbiotic relationship between data privacy and security, ensuring that both are top of mind for employees of all levels.
Minimizing the risk of PII oversharing
Interactions with online tools are on the rise, and it’s critical that businesses and individuals examine the value being received in exchange for PII. This can be emphasized in three steps:
- Be aware of how online tools use the data being collected. This information should be in privacy policies or terms and conditions. If this information is not available or easily accessible, this could be an indicator of an untrustworthy source.
- Conduct your own risk assessment. When prompted to provide personal information, trust your instincts on whether the information seems relevant. If you feel the required information is intrusive or unnecessary, it probably is.
- Leverage privacy plugins. There are browser plugins available to help identify the data being collected from any website. Some websites have more than 30 built-in trackers, and privacy plugins can help determine where and how data is being collected and/or shared.
Improving Canada’s legislative framework
CDW Canada’s 2020 Security Study revealed that many Canadian organizations are more familiar with Europe’s General Data Protection Regulation (GDPR) than with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and subsequent Digital Privacy Act. This is largely because GDPR has a strong focus on enforcement and potentially massive fines in the event of a breach, thus garnering more media attention and staying fresh in people’s minds. PIPEDA and the Digital Privacy Act don’t have the same impact because they’re perceived to have fewer teeth. This is partially a marketing problem, as both advocate for proper stewardship of data and offer valuable information. This demonstrates that there is more work to be done on how the legislative framework can be improved in Canada to compel businesses to take data privacy and security measures seriously.
Holding organizations and governments accountable
Organizations and governments are going to rely more and more on technology as the pandemic continues. In addition, as major organizations such as Shopify and Twitter signify that the new remote normal may be here to stay, businesses must implement more resilient data privacy and security protocols.
As a result, there will be a need to balance the digital rights and freedoms of individuals with the security of public health. Pandemic-related or otherwise, data privacy and security need to be part of the ongoing conversations around new or existing solutions.
We must continue to hold organizations and governments accountable for providing transparency on when they collect user data, how that data is used, if and when it is shared and with whom. Consider the Canadian government’s contact tracing response to COVID-19. While an essential tool for limiting the spread of the virus, what will happen with the collected data moving forward? Will it be destroyed or leveraged for another purpose?
Asking these questions at the onset – both at government and corporate levels – is the best way to ensure transparency and much-needed education while keeping privacy and security top of mind for all Canadians.
For more insights on how Canadian businesses are managing data privacy and security, listen to Episode five now.