Another month, another data breach. In June alone we’ve seen both Dixons Carphone and Ticketmaster hit by catastrophic cyber attacks, collectively exposing the personal and private data of millions of customers. Given the ever-increasing risks to cybersecurity, as well as the sheer quantity of the data that has been lost in known breaches, it’s no wonder that people are beginning to lose faith in the ability of businesses to protect their data.
Traditionally, consumers have been left in the dark regarding how data and security breaches affect them, but since the introduction of GDPR earlier this year, people are beginning to pay closer attention to their data, and how it can be used, abused and turned against them. Building and maintaining trust with customers is of paramount importance to any business that handles their data, so more than ever it is vital that businesses reevaluate their relationship with customer data, and focus on adopting ethical data practices.
It all starts with education. Companies must adopt an effective cybersecurity strategy by first identifying the ever-evolving cybersecurity threats businesses now face. This varies according to the industry and sector companies operate in, but a clear threat is linkage attacks - where attackers try to re-identify individuals in anonymised data by cross-comparing it with publicly available data (e.g. a voter registration list) or alternative sources.
Previous anonymisation techniques - called partial anonymisation - attempted to avoid such attacks by simply removing some personal information from data sets, e.g. name, address, date of birth. Unfortunately, so much data has been leaked in recent years that we believe this technique just won’t cut the mustard anymore. Anonymisation has to be much more rigorous - and this is one of the reasons we apply AI and machine learning to our own techniques, reducing the resolution of data and optimising privacy without losing its utility.
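As an added illustration of why stripping direct identifiers is not enough (example code written for this article, not Hazy's own tooling), the following script measures the re-identification risk of a "partially anonymised" extract. The records are constructed, the quasi-identifier columns (postcode, birth year, sex) are assumed, and the metric is k-anonymity: the size of the smallest group of people who share a combination of quasi-identifiers. A combination shared by only one person (k = 1) is exactly what a linkage attack needs. The same script then reduces the resolution of the data (postcode district only, birth decade instead of year) and measures again.

```python
from collections import Counter

# Constructed sample: name and address have already been removed, which is
# what "partial anonymisation" typically does. What is left still contains
# quasi-identifiers that a public list (e.g. a voter roll) can be joined on.
RECORDS = [
    {"postcode": "SW1A 1AA", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "SW1A 2BB", "birth_year": 1984, "sex": "F", "diagnosis": "none"},
    {"postcode": "SW1A 1AA", "birth_year": 1971, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "SW1A 1AA", "birth_year": 1979, "sex": "M", "diagnosis": "none"},
    {"postcode": "SW1A 2BB", "birth_year": 1988, "sex": "F", "diagnosis": "none"},
    {"postcode": "SW1A 2BB", "birth_year": 1982, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "N1 9GU",   "birth_year": 1990, "sex": "M", "diagnosis": "none"},
    {"postcode": "N1 9GU",   "birth_year": 1993, "sex": "M", "diagnosis": "none"},
]

# Assumed quasi-identifier columns; "diagnosis" is the sensitive attribute.
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def equivalence_classes(records, keys):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys):
    """Size of the smallest equivalence class: every person is hidden among at least k others."""
    return min(equivalence_classes(records, keys).values())


def unique_fraction(records, keys):
    """Share of records whose quasi-identifier combination is unique (k == 1).

    Each of these can be re-identified outright by joining the extract to any
    external dataset that carries the same columns.
    """
    classes = equivalence_classes(records, keys)
    singletons = sum(1 for r in records if classes[tuple(r[k] for k in keys)] == 1)
    return singletons / len(records)


def generalise(record):
    """Reduce resolution: keep only the postcode district, bucket birth year to a decade."""
    return {
        **record,
        "postcode": record["postcode"].split()[0],
        "birth_year": record["birth_year"] // 10 * 10,
    }


def risk_report(records, keys):
    """Return (k, fraction unique) so the two figures can be compared before and after."""
    return k_anonymity(records, keys), unique_fraction(records, keys)


if __name__ == "__main__":
    before = risk_report(RECORDS, QUASI_IDENTIFIERS)
    after = risk_report([generalise(r) for r in RECORDS], QUASI_IDENTIFIERS)
    print(f"raw extract:        k={before[0]}, unique={before[1]:.0%}")
    print(f"reduced resolution: k={after[0]}, unique={after[1]:.0%}")
```

On the sample above every record is unique before generalisation (k = 1, 100% re-identifiable by linkage) even though name and address are gone; after coarsening the postcode and birth year, no record is unique and k rises to 2. On real data the trade-off is the one the paragraph describes: each step of generalisation buys privacy at some cost in utility, so the check is worth running on any extract before it leaves the organisation.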
Another way companies can guard against linkage attacks is differential privacy, a technique that lets them learn about their users in aggregate by maximising the accuracy of queries over the data while minimising the chance that any individual record can be identified. In practice, differential privacy involves filtering data, adaptive sampling, adding noise by fuzzing certain features, and analysing or blocking intrusive queries.
For companies just starting on their cybersecurity journey, there are some simple ways to manage it on a budget. Strong authentication and network security for enterprise mobility management are a basic necessity in today’s world and should be adopted by any service able to support them.
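To make the "adding noise" and "blocking intrusive queries" parts concrete, here is an added example (written for this article, not Hazy's implementation) of the Laplace mechanism for counting queries together with a simple privacy-budget accountant. The customer records are constructed, the class and function names are assumed, and the noise is drawn with Python's standard library rather than a DP framework. A counting query changes by at most 1 when one person is added or removed, so Laplace noise with scale 1/ε gives ε-differential privacy for that query; the accountant subtracts ε from a fixed budget on every answer and refuses further queries once it is spent, which is what stops an analyst from averaging away the noise by asking the same question over and over.

```python
import math
import random

# Constructed sample of customer records (no real data).
CUSTOMERS = [
    {"id": 1, "city": "London",     "age": 34, "churned": True},
    {"id": 2, "city": "London",     "age": 41, "churned": False},
    {"id": 3, "city": "Manchester", "age": 29, "churned": True},
    {"id": 4, "city": "London",     "age": 52, "churned": False},
    {"id": 5, "city": "Leeds",      "age": 47, "churned": True},
    {"id": 6, "city": "London",     "age": 23, "churned": True},
    {"id": 7, "city": "Manchester", "age": 38, "churned": False},
]


class PrivacyBudgetExceeded(Exception):
    """Raised when a query would spend more epsilon than the data holder has left."""


def laplace_scale(sensitivity, epsilon):
    """Noise scale b for the Laplace mechanism: b = sensitivity / epsilon."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def exact_count(records, predicate):
    """The un-noised answer; never returned to a querier directly."""
    return sum(1 for r in records if predicate(r))


class DPCounter:
    """Answers counting queries under epsilon-differential privacy with budget tracking."""

    COUNT_SENSITIVITY = 1  # one person changes a count by at most 1

    def __init__(self, records, total_epsilon, seed=None):
        self._records = records
        self.remaining = total_epsilon
        self._rng = random.Random(seed)  # seeded only for reproducible demos

    def _laplace(self, scale):
        # Inverse-CDF sampling of Laplace(0, scale) from a uniform draw.
        u = self._rng.random() - 0.5
        return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

    def count(self, predicate, epsilon):
        """Return a noisy count, or refuse if the remaining budget cannot cover epsilon."""
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining:
            raise PrivacyBudgetExceeded(
                f"query needs epsilon={epsilon}, only {self.remaining} left"
            )
        self.remaining -= epsilon
        noise = self._laplace(laplace_scale(self.COUNT_SENSITIVITY, epsilon))
        return exact_count(self._records, predicate) + noise


if __name__ == "__main__":
    counter = DPCounter(CUSTOMERS, total_epsilon=1.0, seed=7)
    churned_in_london = lambda r: r["city"] == "London" and r["churned"]
    print("noisy answer 1:", round(counter.count(churned_in_london, 0.5), 2))
    print("noisy answer 2:", round(counter.count(churned_in_london, 0.5), 2))
    try:
        counter.count(churned_in_london, 0.5)  # budget is now 0, so this is refused
    except PrivacyBudgetExceeded as exc:
        print("refused:", exc)
```

The budget figure is the real policy decision: a smaller total ε means stronger protection but noisier answers, and once it is spent the dataset should not answer further queries from that consumer. Queries that target a single person (a predicate matching one record) are the "intrusive" ones the paragraph mentions; the noise covers them individually, but the accountant is what prevents an adversary from repeating them until the noise averages out.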
At Hazy, we use the following services:
- 1Password - A password management system that enables you to keep all of your passwords safe and secure. It also alerts you whenever you use a compromised password.
- Encrypt.me - A cross-platform VPN service that automatically detects and secures your connection even when you join an untrusted Wi-Fi network.
For the big players storing large volumes of personal data, especially those dealing with sensitive data, a more robust information risk regime is absolutely essential. This regime should include at least constant monitoring and threat analysis, secure configuration and malware prevention, pseudonymisation and encryption of data, penetration testing and staff training.
And then, of course, there is GDPR. Ensuring you are up to speed with the latest data regulations is a vital step forward in ensuring you are meeting the bare minimum of data privacy expectations. Our advice regarding GDPR is simple enough.
To start with, read the full policy document in its entirety and scope out your own compliance roadmap. If required, complete a certified GDPR training course with your data team. It is advisable to use the ICO’s toolkit for data protection self-assessment. If your gut feeling says it isn’t good enough, perhaps consider consulting with our partners from WeAreAdapt.io who can help you better understand your digital ecosystem, audit current data practices and make bespoke policy and assessment recommendations.
Cybersecurity should never be taken lightly and the above steps are simply a way to get any company started. With consumer awareness at an all-time high - and trust at an all-time low - it’s important that companies embrace data ethics and data privacy, not just because they have to but because it’s the right thing to do.