Data Privacy in the Enterprise

It’s never fun to take your medicine. And to suggest any type of corporate audit might be the surest way to stop readers from taking part in your article — but here goes anyway….

In late February Apple CEO Tim Cook went on a bit of a rampage. Being aware of a vast amount of customer information being "trafficked" by corporations, governments and other organizations, he said consumers, "don't fully understand what is going on" at present, but "one day they will, and will be very offended.” He continued, “None of us should accept that a government or company or anybody should have access to all of our private information. This is a basic human right. We all have a right to privacy. We shouldn't give it up.”

Creating a tangible framework for privacy has never been more relevant. We’re constantly confronted with organizations succumbing to epic data breaches. Target, Staples, Anthem and Home Depot are all victims of complex attacks losing control of huge amounts of customer health and financial data. But to run a successful business we must certainly collect personal data — private information about our employees, customers and vendors. We are forced to capture dates of birth, social security numbers, credit card and health information. But the sanctity of this data must be of paramount priority to the organization who is in control of it. Treating private information with anything less than the utmost care isn't just morally irresponsible, it’s a major legal liability and potential PR suicide.

So where do we store this most private information? How many staff members have access? How and where do we back it up? Do we protect the backup as much as the data itself? These are just a few of the topics that would arise during an examination of an organization’s data practices.

In most cases IT is put at the helm of these data practices. While information will circulate through many departments, in the end it’s placed at the feet of IT to safeguard the company against data loss and leakage. Highly-sophisticated network attacks, rather than physical breaches, require IT to act as the first line of defense in our modern, data-driven landscape.

The chosen security platforms and the IT team managing these platforms are essential. Your team is likely working overtime to ensure a secure environment: enforcing strong password policy for all users, managing up-to-the-minute anti-malware subscriptions, requiring encrypted VPN connectivity for all remote workers. And while this is an excellent start, each one of these systems has break-points that must be fully understood. Security is a fast-moving target with each day bringing entirely new exploits that cybercriminals are thrilled to leverage. We all know it’s possible to lose the forest through the trees — or vice-versa.

A compelling solution is to hire an outside firm specializing in security auditing. Nobody likes the idea of an audit — strangers rooting around in your systems to expose weaknesses — but if you’re in charge of data security for your organization, an annual review by a reputable firm could provide more shuteye than popping two Ambien. Investing resources into real solutions for security will not only protect the organization, it’s just the right thing to do.

In the end, what’s most worrisome is Cook’s reference to something even more sinister at play. The idea that an organization could take part in the purposeful sale of our private information is truly menacing — and an altogether more difficult pill to swallow.