George Moawad from Genetec explains how stakeholders can bolster cyber resilience without compromising privacy protections.
It’s no surprise that concerns around the privacy of personal data are on the rise in our increasingly connected world. While the discussion has often centred on online security, attention is increasingly shifting to the collection of sensitive data from individuals in public and private spaces: personally identifiable information (PII) such as surveillance footage, photos and licence plate details.
Acquiring this information is a vital component of protecting people and assets, but governments and regulatory bodies around the world have an important role to play in mitigating the risks of criminal cyber activity and protecting privacy. Cyber threats are not decreasing. From system intrusions to DDoS attacks to the growing prevalence of ransomware, criminal cyber activity is on the rise.
To address this, governments have developed legislation that holds businesses more accountable for data privacy and cyber security breaches, and in Australia a number of initiatives are under consideration.
First there’s the outcome of the review of the Privacy Act, now expected in 2022 after a delay to the publication of the Discussion Paper. It was initiated after the ACCC inquiry into digital platforms and is looking at a range of amendments, including increasing penalties for breach of the Privacy Act, strengthening existing notice and consent requirements, amending the definition of personal information and introducing a direct right of action for consumers.
There’s also the private member’s bill from shadow assistant minister for communications and cyber security Tim Watts (Ransomware Payments Bill 2021), which proposes that an entity making a ransomware payment must notify the Australian Cyber Security Centre (ACSC) with details of the payment or face a penalty.
Most recently, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 was released, which seeks to expand the number of sectors considered critical infrastructure to eleven.
In addition, there are new questions about who is ultimately responsible for protecting data and privacy. Gartner, the global research and advisory company, predicts that by 2025, 75 per cent of CEOs will be personally liable for both cyber and physical security system attacks.
It’s no wonder cyber risk and privacy concerns are rapidly becoming key considerations in the C-suite and the boardroom, with top-level management placing greater focus on physical security solutions that prioritise cyber security and privacy compliance.
Getting the balance between security and privacy right
When an organisation does not make privacy protection a cornerstone of its security policies, privacy becomes an afterthought, which can create the impression that privacy and security are at odds with one another. This does not have to be true if a single strategy is built on these strong cyber security and privacy principles:
Adopt a unified approach
Adopting a unified approach to cyber security and data protection simplifies processes and keeps compliance costs down. It allows organisations to apply consistent data protection and privacy policies across their entire network and to adapt as threats and mandates evolve.
When the various cyber defence and privacy protection measures are managed from one platform, privacy can be respected while compliance is maintained.
Preventing data breaches calls for a proactive approach, with a privacy-centric focus from the outset when designing a comprehensive data protection and privacy strategy.
A privacy-by-design approach means proactively embedding privacy into the design and operation of IT systems, networked infrastructure and business practices, from the first line of code through to third-party vendors. When software and hardware developers also adopt privacy by design, it delivers higher levels of data protection without holding back the technology’s evolution.
Centred on the principle that respect for individual privacy is the foundation of responsible and innovative design, this approach lets forward-thinking developers build that principle into the products they create.
Choose the right technology partner
Organisations should seek partners who build secure and compliant solutions that help them protect sensitive information. They need partners who keep up with emerging risks and work proactively to distribute fixes and new solutions.
They also need partners who are forthcoming about potential vulnerabilities and keep communication open so that risks can be mitigated. Look for solutions that the manufacturer has hardened against cyber threats out of the box, with secure defaults, so that organisations are not left to discover and close gaps themselves.
These solutions should also give organisations complete control over their data so that they can adjust protection methods and processes as regulations evolve. The system should let them define who has access to sensitive data and footage, and under what conditions, without slowing down response times or investigations.
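The access-control point above is the one piece of this strategy that can be shown in code. The following is an added illustration, not Genetec code or any product’s API: a small policy check for footage requests that applies least privilege by role, refuses requests outside the retention window, masks faces for routine monitoring, requires a case reference before an investigator can pull unmasked archive footage, and records every decision (allowed or denied) in an audit log. The roles, camera classifications, retention period and export window are constructed for the example.

```python
"""Least-privilege access to surveillance footage, with an audit trail.

Added example for illustration only; the roles, cameras and thresholds
below are constructed and are not taken from any real deployment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Role(Enum):
    OPERATOR = "operator"          # routine monitoring, masked footage only
    INVESTIGATOR = "investigator"  # unmasked archive access, case-bound
    AUDITOR = "auditor"            # reads the access log, never footage


@dataclass(frozen=True)
class Principal:
    user: str
    role: Role


@dataclass(frozen=True)
class FootageRequest:
    camera: str
    start: datetime
    end: datetime
    case_id: Optional[str] = None  # investigators must cite a case


@dataclass(frozen=True)
class Decision:
    allowed: bool
    redact_faces: bool
    reason: str


# Constructed sample: cameras classified by the privacy impact of their view.
CAMERA_SENSITIVITY = {
    "lobby-01": "public",
    "carpark-03": "public",        # captures licence plates
    "staff-room-02": "sensitive",  # staff-only area
}

RETENTION = timedelta(days=30)          # footage older than this is purged
MAX_EXPORT_WINDOW = timedelta(hours=2)  # cap on one investigator pull


def evaluate(principal: Principal, req: FootageRequest, now: datetime,
             audit_log: list) -> Decision:
    """Decide a footage request and always append the outcome to audit_log."""
    decision = _decide(principal, req, now)
    audit_log.append({
        "at": now.isoformat(),
        "user": principal.user,
        "role": principal.role.value,
        "camera": req.camera,
        "window": (req.start.isoformat(), req.end.isoformat()),
        "case_id": req.case_id,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


def _decide(principal: Principal, req: FootageRequest, now: datetime) -> Decision:
    sensitivity = CAMERA_SENSITIVITY.get(req.camera)
    if sensitivity is None:
        return Decision(False, True, "unknown camera")
    if req.end <= req.start or req.end > now:
        return Decision(False, True, "invalid time window")
    if req.start < now - RETENTION:
        return Decision(False, True, "outside retention period")

    if principal.role is Role.AUDITOR:
        return Decision(False, True, "auditors may read logs, not footage")

    if principal.role is Role.OPERATOR:
        if sensitivity != "public":
            return Decision(False, True, "operators limited to public-area cameras")
        # Routine monitoring sees footage with faces masked.
        return Decision(True, True, "operator view, faces redacted")

    # Investigator: unmasked access, but only under a case and a bounded window.
    if not req.case_id:
        return Decision(False, False, "investigation requires a case reference")
    if req.end - req.start > MAX_EXPORT_WINDOW:
        return Decision(False, False, "export window exceeds policy maximum")
    return Decision(True, False, f"investigation {req.case_id}")


if __name__ == "__main__":
    now = datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc)
    log: list = []
    alice = Principal("alice", Role.OPERATOR)
    bob = Principal("bob", Role.INVESTIGATOR)
    print(evaluate(alice, FootageRequest("lobby-01", now - timedelta(minutes=10), now), now, log))
    print(evaluate(bob, FootageRequest("staff-room-02", now - timedelta(hours=1), now, "CASE-42"), now, log))
    print(len(log), "entries in audit log")
```

Two design choices carry the privacy point. Denials are logged as well as approvals, so an auditor can see attempted access to sensitive cameras, not only successful pulls. And the default for anything unmatched is deny with redaction on, so adding a new role or camera without updating the policy fails closed rather than exposing unmasked footage.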
We know that there are big changes to come in relation to privacy as we move into 2022 and beyond, so it’s important for organisations to ensure their physical security systems are well placed to respond as regulations evolve.
More importantly, protecting privacy is a societal responsibility so that together, we can create a safer, more secure world.
George Moawad is the country manager, ANZ at Genetec.