Regulations Create a False Sense of Security
We are approaching a very tenuous era with respect to both corporate and individual privacy, and you shouldn’t be surprised to see a lot of dominoes fall over the next few years. I believe there are two key reasons data protection is only going to get worse before it gets better:
1. Apathy
2. False sense of security
Apathy can be defined as “a state of indifference”. I spend a lot of time working with Millennials in the security field, and I am sometimes astounded by the lack of concern over online security and data privacy. (Ever see what gets posted on Facebook?) Caution is often thrown to the wind, recalling the old Alfred E. Neuman line: “What, me worry?”
I had a conversation with a very talented security expert at a major Internet company last week and his opinion was that privacy and security are “not that big a deal” to the current generation (his generation – Gen Y/Millennials). They appear to have a spirit of “openness”. Listen, I’m all for transparency in what one does and how one behaves, but we’re talking about major risks to people’s financial well-being and physical safety, as well as an emerging sense of apathy that permeates large commercial and government enterprise workforces.
Suffice it to say that if it weren’t for still-evolving data privacy regulations such as HIPAA, PCI and FERPA, things would be very bad indeed! However, within these regulations may lie a false sense of security. Most organizations spend many millions of dollars annually to pass regulatory compliance audits, and my feeling is that workers at these institutions often feel regulatory compliance and good security/privacy hygiene are the same thing. Not so. Passing audits sets the minimum bar, the lowest common denominator, for an enterprise’s information protection strategy.
Regulations do nothing to protect sensitive intellectual property or workers’ personally identifiable information from outsiders – or from insiders with malevolent intentions. With the rapid turnover of workers, the center of gravity in large corporations is moving from Baby Boomers to Generation Xers to Millennials. More attention must be paid to data protection training and awareness. Even with training, however, leopards don’t always change their spots.
Awareness and training must be coupled with increased commitment by organizations to protect themselves from their own workforces’ potentially negligent practices – now more than ever. You may read this as “protecting them from themselves.” Maybe that’s a reasonable analogy, and that’s a good start. We can be a lot smarter about protecting our personal and corporate information from prying eyes, no matter where those eyes are from.
Aside from some large financial institutions and healthcare organizations, I know of hundreds of organizations that rely quite heavily on their employees “doing the right thing”, when much better controls to protect them from themselves are the better approach. Don’t be paranoid, but be smart. Look at your organization with these thoughts in mind and see if you can find an opportunity to bring its security program up to the 21st century and its attendant risks.