IAPP PSR 2017 Attendees Prove Data Must Be Secure to Be Private
Last year, GlobalSign attended the International Association of Privacy Professionals (IAPP) Privacy Security Risk (PSR) conference for the first time. After the event, I wrote this blog post about how security and privacy professionals were forging closer relationships as they both strive to keep data secure and private: Security and Privacy Professionals Joining Forces.
Earlier this month, we were back at IAPP PSR for a second year in a row. What we quickly learned is that the relationships between security and privacy professionals are getting even tighter and stronger. Driving that is a perfect storm of continued “sensational” data breaches and new and existing privacy regulations. Grabbing all the headlines at this year’s event were the Equifax breach and the scramble to understand the European Union’s (EU) General Data Protection Regulation (GDPR), which goes into effect in May 2018.
In conversations at the event, we quickly understood that organizations wanting to ensure data privacy must also have the proper security in place. Privacy professionals told us they are investigating security solutions for their security teams, and IT security professionals were looking at more security measures to ensure privacy. Even a conversation with a corporate counsel got very technical around SSL/TLS Certificates and how they can practice better web security.
Why? Nobody wants to be Equifax.
Not only was the Equifax breach one of the highest-profile security incidents ever, it exposed almost 150 million customer records, including sensitive personal and payment information. This is why privacy and security teams are bonding. Exposure of this kind of data can be a death sentence for a lot of companies, damaging both reputation and finances. GDPR in the EU is aimed at stopping this type of activity, and also the misuse of private citizen data, by putting the proper controls in place, including security technology that ensures access control, authentication and encryption.
Any company that does business in the EU will need to comply with the GDPR directive by the May 2018 deadline. Where companies are struggling with their GDPR readiness is that there is no concrete set of plans to go by. While GDPR explains why Personally Identifiable Information (PII) must be kept secure and private, it does not dictate how that should be done. Organizations need to figure this out on their own, and it is taking a collective effort by privacy, security and legal teams to make sure it happens.
UK regulators are already looking into the Equifax data breach, even ahead of the GDPR go-live date. The UK Financial Conduct Authority has the power to fine Equifax right now. Under GDPR, the fines and penalties could end up being even worse if companies allow breaches of private data. Other countries will undoubtedly be looking at such penalties and measures now as well. No organization wants to be in the same hot water, and as many discussed at IAPP PSR, there is still a lot of work to do to reach GDPR compliance.
IT Security’s Role in Privacy
For data to be private, securing it is essential. Data must be secured at rest and in transit, and that protection is built up in many layers across the IT infrastructure. Digital Certificates play a vital role in enabling stronger authentication, access control and encryption. Consider an enterprise PKI strategy that automates certificate provisioning, manages the certificate lifecycle and integrates with existing IT systems. Here are some of the security concerns you can address with PKI:
- Web and server security – encrypt traffic to internal and public-facing servers and websites so sensitive data is protected in transit.
- Authentication and access control – strengthen passwords with certificate-based authentication so that only approved people, machines and devices can access corporate networks and resources.
- Secure email – encrypt sensitive internal communications, prove the origin of messages and protect against tampering and phishing.
- Document signing – trusted digital signatures enhance document security and prevent tampering.
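The authentication and lifecycle points from the list above, as an added example that is not GlobalSign's code: a small in-memory CA issues client certificates, an access-control check admits only certificates that chain to that CA and carry the client-authentication usage, and a lifecycle check flags certificates nearing expiry so they can be reissued first. The function names (`template`, `issue`, `AdmitClient`, `NeedsRenewal`) and the renewal window are assumptions for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// template builds a signing CA (ca == true) or a leaf usable only for TLS client authentication.
func template(cn string, serial int64, ca bool, notAfter time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	}
	return t
}

// issue signs tmpl with parentKey, or self-signs it when parent is nil (keys are in-memory, demo only).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// AdmitClient is the access-control decision: the cert must chain to our CA, be inside its validity period and carry client-auth EKU.
func AdmitClient(cert, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
// NeedsRenewal is the lifecycle check: flag certs expiring within window so they are reissued before AdmitClient rejects them.
func NeedsRenewal(cert *x509.Certificate, window time.Duration) bool {
	return time.Until(cert.NotAfter) < window
}
```

A certificate from a CA outside the trusted pool, or one past its NotAfter, fails AdmitClient even if it looks identical in every other field, which is the control that keeps unapproved devices off the network.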
How to Get Started
If data privacy is top of mind, whether or not you need to be ready for GDPR, your IT security strategy should be right at the top of the list too. There are many technology vendors and many layers of IT security, each addressing different security needs. PKI is a pillar security technology that every organization can benefit from.
GlobalSign’s cloud-based managed PKI platform provides automation, management and integration capabilities to easily add PKI without the burden of trying to become cryptographic experts. If you’re interested in learning more, contact us today.