“Security and privacy are two very, very different things. Security is about keeping systems and information safe from unauthorized parties. Privacy is about content control…Messages protected by end-to-end encryption can still be posted on Facebook, shared with unauthorized parties, and accessed by your messaging service provider or even their partners.” – says Dr. Galina Datskovsky, CEO at Vaporstream, in an exclusive interview with ITSecurityWire.
ITSWBureau: What do you see as the single biggest challenge of remote communications?
Galina Datskovsky: Not having sufficient security on home computers or WIFI is one of the biggest challenges, as it may be left to the discretion of the employee. But that is just the tip of the iceberg. People tend to store information on local drives, which may violate the organizational policy and hinder compliance with various regulations. The use of unsanctioned apps may also be out of compliance, violate privacy policies and regulations, and be more prone to hacking or leaking. Companies would do well to provide employees with equipment that is pre-set with appropriate safeguards and to issue strict guidelines for security in work from home environment. Many financial institutions and other large corporations already have such policies in place. Many employers are now trying to catch up.
ITSWBureau: As BYOD becomes the order of the day, how can companies ensure that company data is secure?
Galina Datskovsky: BYOD is a great concept that adds ease and lowers costs for organizations. People do not like to have multiple devices, one for personal and another for work usage. There are, however, various challenges that both employers and employees need to be aware of. First, it is essential not to use unsanctioned applications for work purposes. The enterprise may need records of a conversation or transaction and may have regulatory environments that do not allow such usage. This should be clearly outlined in policy and transmitted to employees. Second, work and personal data should never be co-mingled. If it is, and a discovery motion is made or records need to be produced, the employee may find their phone temporarily impounded. Third, it is unlawful, for example, under GDPR, to ask people for their personal phone numbers, thus making it potentially harder to communicate using apps that require phone number registration. These are just some of the issues that employers and employees need to be aware of. It is possible to create work and personal partitions on such devices using MDM software. It is harder to wipe data when the employee leaves an organization if the upfront planning is not done. Clear policies and procedures are imperative.
ITSWBureau: What are the critical distinctions between privacy and security?
Galina Datskovsky: Security is about keeping systems and information safe from unauthorized parties. Privacy is about content control. While encryption is the baseline for the security of data – this can create a false sense of assurance due to a conflation of the concepts of security and privacy. Messages protected by end-to-end encryption can still be posted on Facebook, shared with unauthorized parties, and accessed by your messaging service provider or even their partners. While secure, such messages are not private. Security and privacy are two very, very different things.
At Vaporstream, we focus on combining four crucial principles, all of which must be present. Users need to expect security and privacy while enabling compliance where appropriate in addition to usability as the recipe for right data protection. Security and privacy are not just about encryption and cyberattack protection. They are about content control, ephemerality, policy enforcement, leak prevention, and content ownership. Compliance implies that organizations with requirements to store messages, such as healthcare or financial services, can do so easily.
ITSWBureau: Many were not ready to deal with compliance issues and complexity when the pandemic hit, but now that it’s here, how can companies quickly change their governance systems to ensure secure operations remotely, while delivering productivity and efficiency?
Galina Datskovsky: Companies need to re-assess the processes they put in place hastily at the beginning of the pandemic. For each method and system, it’s important to address the following issues:
- Is the system we set up secure enough? Defining thresholds for what is secure sufficient for each organization is essential. For example, Zoom can be set up with more or less security features depending on how you expect to use it and the level of security that is critical to your company. Make sure all employees understand what they must do with these systems. Make the default settings secure. Also, evaluate whether you chose the best security application for your needs. If not, do not hesitate to make a quick change.
- Are your employees protecting their home environments sufficiently, or do you have them going through a VPN, and therefore, they are not really relying on their home infrastructure? All employees need clear guidelines for the use of the network and what is expected of them. Do not assume they have the best interests of the company’s security at the forefront of their minds as they are juggling many other priorities as they work from home.
- Are you clear on the applications and storage your employees can use? If not, make certain there are policies and applications to ensure they have the proper access.
- Are you still in compliance with all your corporate obligations, such as privacy, duty to preserve, etc.? Make a list of said obligations and evaluate All your processes in light of each one.
- Have you trained your workforce on any new systems and security obligations they have in this new work environment?
ITSWBureau: Should there be standardization around privacy for the enterprise, and what would that look like?
Galina Datskovsky: There should be standardization but only to an extent. Each enterprise requires more or less privacy, depending on the regulations governing their business. However, an agreed-upon definition of privacy would help and a list of privacy requirements that companies should consider when drafting their policies. I believe that a privacy maturity model would go a long way to assisting organizations in achieving a more standard level of privacy and compliance.
Dr. Galina Datskovsky, CRM, FAI, and serial entrepreneur is an internationally recognized information governance, privacy, compliance, security, and artificial intelligence expert. Galina is currently the CEO of Vaporstream, Inc. She previously held the position of SVP of Information Governance at Autonomy/HP, the GM of the Information Governance Business Unit, and SVP of Architecture while at CA Technologies. She joined CA in 2006 with the acquisition of MDY Group International, where she was the founder and CEO