By 2020, Gartner estimates there will be nearly 21 billion connected Internet of Things (IoT) devices[1]. Additionally, today in the United States alone, there are 25 connected devices per 100 inhabitants[2]. Your watch, your phone, your laptop, your car, your TV, your bank and your doctor can all be collecting and storing your personal information.
We are producing more data than ever, and as a result our data and privacy are increasingly at risk. According to Symantec’s Internet Security Threat Report (ISTR), in 2015 the number of zero-day vulnerabilities discovered more than doubled to 54, a 125-percent increase from the year before. Additionally, the study showed a record-setting total of nine mega-breaches, and the reported number of exposed identities jumped to 429 million.
These numbers, however, hide a larger story. Although a conservative estimate of unreported breaches pushes the number of records lost to more than half a billion in 2015, more companies chose not to reveal the full extent of their data breaches.
The bottom line is no person or business is without risk – and we are often unaware of the magnitude of our exposure.
As customers balance the increasing need to use connected devices with the risks of losing touch with where their personal information is going, they will have a harder and harder time determining where to draw the line between protection and enablement of our technology-driven, day-to-day lives. Customers are putting their faith in companies to protect their information with adequate security and privacy measures. This is prescribed by law, but it’s also a company’s responsibility as an ethical business provider.
So what are the key components of a strong corporate privacy program, and what should customers look for when determining whether they can trust their information with a provider?
You can have security without privacy, but you can’t have privacy without security.
Privacy includes the laws and regulations requiring companies to protect your data, and security is the technical method used to protect that data. Privacy laws are shifting globally in a big way, and this evolution is keeping privacy professionals on their toes. With the increased complexity of compliance with global privacy requirements, adequate security is the one constant and the simplest way to ensure that companies are both complying with law and protecting their customers’ and employees’ most important information.
Security and transparency are privacy’s key drivers of success.
Above and beyond the laws governing privacy, companies are obligated to ensure that proper administrative, technical and physical security safeguards are in place to protect personal information. By affirming adequate security measures and providing transparency about security protocols, companies can help customers feel more confident about the decisions they are making regarding the information they choose to share. A recent study by the Office of the Australian Information Commissioner (OAIC) revealed that “71 percent of Internet of Things (IoT) devices and services used by Australians failed to adequately explain how personal information was collected, used and disclosed[3].” Companies that hold and manage critical information must gain and continually earn customers’ trust through transparency – why else would we risk handing over our most personal, high-value details?
There is no “one size fits all” in privacy and security.
Security and privacy must be implemented across all thresholds, and there is no “one size fits all” security and privacy answer. A smart security solution should therefore employ preventative, defensive and reactive solutions – it has to be strategic, innovative and smart. Today’s strongest security leaders will partner with key stakeholders to stay at the forefront of cybersecurity trends and leverage this knowledge to constantly innovate and implement creative solutions.
We are only as secure as the weakest link.
In our connected world, data protection is key to a prosperous future, but we are only as secure as the weakest link in the chain. The most common privacy weaknesses are often human error and technical shortcomings. For example, data from the ISTR shows spear-phishing campaigns targeting employees increased 55 percent in 2015, and fake technical support scams have evolved from cold-calling unsuspecting victims to attackers fooling victims into calling them directly.
As we see time and time again, these data breaches compromise privacy, security and economic well-being, and the financial and reputational risks have both immediate and long-term impacts. That’s why consumer and employee education about security and data protection is paramount and essential for ethical corporate citizenship.
We all have an obligation to ourselves to protect our information. When we entrust our data to a company, it becomes a shared partnership to protect that data.
The Internet of Things is changing the landscape of privacy and security every day. We must remember that convenience comes at a price and we will have to determine our own comfort levels with this evolving digital world. Customers have the ability to see what companies are doing with their data – what is stored, collected and done with their information. And companies have the responsibility to be transparent and demonstrate the corporate practices, processes and steps taken to ensure the highest level of credibility.
Customer choice is what drives our market demand, and this is no different in the world of privacy.
Similar to our ongoing efforts to find a perfect work-life balance, there is sometimes a tradeoff between privacy and technology use. Being informed, knowing the risks and benefits and understanding who you can trust is crucial to balancing these tradeoffs on your own terms.
About the Author
Carolyn Herzog leads the following teams within Symantec’s Legal and Public Affairs (LPA) Department: Office of Ethics and Compliance, Privacy Program Office, Litigation, Employment, Product Legal, Global Enterprise Go-To-Market, License Compliance, and Americas Sales and Services. Ms. Herzog moved to this position from her prior role as vice president and head of LPA for Symantec’s Europe, Middle East and Africa region, based in the United Kingdom. Carolyn joined Symantec in December 2000, with the acquisition of AXENT Technologies, where she was general counsel and based in Washington, D.C. Symantec is a global leader in cybersecurity, operating in more than 50 countries and providing products, managed cloud and technical services and support to consumers, small businesses, the public sector and the largest global organizations.
[1] Information Week, November 2015: Gartner: 21 Billion IoT Devices To Invade By 2020
[2] OECD Digital Economy Outlook 2015
[3] ZDNet, September 23, 2016: “71 percent of devices and services used by Australians did not provide a privacy policy nor a notice explaining how personal information is collected, used and stored”