Consumer data is prized by big tech companies, advertisers and bad actors alike. Unfortunately, a quick online search for the term “consumer data breaches” will fill the results page with articles detailing a recent slew of significant cyber attacks resulting in stolen credit card data, the loss of sensitive personal information and other digital disasters from some of the biggest companies in the world.
As a result, cybersecurity has risen to the public consciousness, and consumers are paying attention to what happens with their data. From home addresses to other personally identifiable information collected by cameras and access control systems, electronic security companies often handle some of the most sensitive data about businesses and homeowners; therefore, it is vital that they have strategies for handling this data to minimize their risks.
To inform and prepare ESX attendees for proper data management in the face of such challenges, Salvatore D’Agostino – Founder and CEO of IDmachines – and Rich Watts – VP of Technology at AvantGuard – spoke in the “Beyond Physical Security” session on the importance of companies evaluating and maintaining the privacy and data security of their systems.
The duo shared an overview of the core concepts of data privacy and security, which include data minimization, purpose limitation and data retention and disposal.
“The idea that clutter is not good is absolutely true in the privacy world. You do not want more information than is necessary to do your job,” said D’Agostino.
“The idea that clutter is not good is absolutely true in the privacy world. You do not want more information than is necessary to do your job.”
“If you don’t need it for a business purpose, don’t collect it,” said Watts.
For any company, communicating the purpose of data collection and maintaining a strict adherence to the stated purpose is important, according to D’Agostino.
“Let’s say you’re delivering a security system, and suddenly you’re going to start using that information for marketing purposes. Now you’ve crossed the line, right?” said D’Agostino. “As a security professional, you have [less] risk, because the purpose and justification is public safety. Facebook has a privacy risk, but as a security professional you really don’t, unless you start messing with the purpose [of your data collection and retention].”
Data storage was another important consideration highlighted. Presenters said there are many regulations protecting consumers in regard to what is done with their data, so companies must remain up-to-date on best practices.
“Don’t keep your data longer than you need it,” said D’Agostino. “You don’t need to keep your data in one big bunch. Keep it for a short period of time and keep it separate.”
According to presenters, companies’ systems had often kept the data secure until it reached the database, where it is referred to as at-rest data. In one example case, this at-rest data had been collected and transferred properly, only to be stolen in the end by an employee who had elevated privileges to unencrypted data.
To prevent this, the presenters said it is important not only to check the installed technology for security, but to have policies and procedures that ensure the human part of the equation does not cause any data security problems. Administrators should only give the necessary credentials to employees who need access to data, and only for as long as they need access to it. If developers need a test data set, D’Agostino suggested taking the time to create test data, rather than taking the shortcut of using or duplicating live data.
“That’s where it gets challenging, when we ask ourselves ‘Where am I deficient?’”
While it’s easy to let these things go unnoticed, the presenters suggested that taking the proper security measures and communicating this to the customer could foster trust that builds on the sense of physical security a business already offers. They said this could in turn allow businesses to offer more services, because the customer trusts that their physical and digital wellbeing are in good hands with one comprehensive provider.
Using an international, national or industry framework makes evaluation simpler and faster, according to D’Agostino, as there are multiple frameworks and supporting best practices readily available online that fit almost any situation.
“These are checklists of things you can easily use to determine if the system has rules, policies and procedures around these different categories,” D’Agostino said.
Example frameworks for data privacy and security highlighted by D’Agostino included the IDEF Baseline Privacy Principles, Cloud Security Alliance Cloud Controls Matrix and NIST Cybersecurity Framework. Each framework is tailored toward specific applications, so companies should select the one that best matches their security needs, based on the products and systems they are installing.
The challenges of collecting, transmitting and storing data described by the presenters all have readily available solutions. Watts emphasized that addressing them will require work and associated costs, but would ultimately be worth it.
“That’s where it gets challenging, when we ask ourselves ‘Where am I deficient?’” Watts said. “It’s an interesting problem that can be difficult to some, but If you have critical customer data, it’s important to do it.”