| certifications | security - Erik Mikac
Cybersecurity vs. Data Privacy: What is the Difference?
As the world becomes more and more connected, the need to secure data has become paramount. According to IBM, the average cost of a data breach is a whopping $4.24 million. That's not even to mention the irreparable damage caused to the organization's reputation, which lowers its valuation and customer interaction.
The risk of data breaches and other hacks can be mitigated significantly by a robust cybersecurity approach and data privacy standards. Both are necessary for a smoothly running organization, but they are often conflated. It is not entirely clear where cybersecurity and data privacy fit in an organization, or how to effectively prioritize each. Let's discuss cybersecurity and data privacy, and then highlight the difference between the two concepts. We'll start with an overview of cybersecurity.
What is Cybersecurity?
Cybersecurity is a broad term that describes hardware, software, and best practices that are used to secure an IT environment. This is a general definition — and translates to many different roles and responsibilities across an organization. From software developer to cybersecurity analyst to salesman, everyone has a role to play in regard to protecting their organization from threats. Let's start with how a software developer implements secure practices.
Security by Design
Recent trends in cybersecurity advocate for compliance to begin at the very beginning of an application's life when it is actually being coded. This is called Security By Design. Let's walk through a quick scenario that explains this concept.
Let's say an insurance company wants to design an app for their customers that will enable users to receive home insurance quotes based on information they entered. Often software engineers are given deadlines to ensure certain functionalities are completed on time. Security By Design recommends that app security is baked into that deadline — it is not an afterthought as happens so often. The time and resources required to maintain proper cybersecurity posture are incorporated into the deadline.
Security By Design entails more than socializing security requirements. It requires attention to detail at the coding level. For example, a software developer needs to log every instance of data transmission. That way any transfer of user data can be tracked, whether it is legitimate or otherwise.
However, it is important to note that any sensitive user data must be obfuscated in the logs. This is a convergence of both cybersecurity and data privacy. Data privacy insists on the protection of user data, while cybersecurity requires thorough audit trails.
The third piece of Security By Design to discuss is the idea of failing securely. When we are building that insurance app, we do not want to give a detailed response back to the user as to why a transaction failed. Information should be intentionally vague. A hacker may use detailed error information to pose as a software developer over the phone or use it for other malicious activity.
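The three points above (log every transmission, keep sensitive values out of the logs, fail securely) fit in one request handler. The following is an added example, not code from the original article; the field names, logger name and the `save` callback are assumptions made for illustration.

```python
import logging
import re
import uuid

SSN_RE = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")
SENSITIVE_KEYS = {"ssn", "date_of_birth", "credit_score"}  # assumed field names
audit_log = logging.getLogger("quote_app.audit")  # hypothetical logger name


def redact(payload: dict) -> dict:
    """Copy of the payload that is safe to write to a log."""
    safe = {}
    for key, value in payload.items():
        if key in SENSITIVE_KEYS:
            safe[key] = "[REDACTED]"
        else:
            # Free-text fields can still carry an SSN; keep only the last four digits.
            safe[key] = SSN_RE.sub(r"***-**-\1", str(value))
    return safe


def submit_quote(payload: dict, save) -> dict:
    """Log every transmission; on failure, tell the user nothing specific."""
    request_id = uuid.uuid4().hex
    audit_log.info("quote_submit id=%s data=%s", request_id, redact(payload))
    try:
        quote = save(payload)
    except Exception as exc:
        # Log the exception type only: its message may echo the submitted data.
        audit_log.error("quote_submit_failed id=%s type=%s", request_id, type(exc).__name__)
        return {"ok": False, "error": "We could not process your request.", "ref": request_id}
    audit_log.info("quote_submit_ok id=%s", request_id)
    return {"ok": True, "quote": quote, "ref": request_id}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)

    def db_down(_payload):  # constructed failure standing in for a database outage
        raise ConnectionError("insert failed for ssn 123-45-6789")

    sample = {"name": "Ann Lee", "ssn": "123-45-6789", "notes": "SSN is 123-45-6789"}  # constructed
    print(submit_quote(sample, db_down))
```

The `ref` value lets support staff find the matching log entries without the user ever seeing the cause of the failure.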
Cybersecurity is a Team Effort
Most organizations have entire teams dedicated to cybersecurity. These teams analyze logs, inspect code for weaknesses, and advocate for new security software. These teams often will consist of networking professionals who have vast experience with configuring routers, firewalls, and other IT infrastructure. Cybersecurity teams will also verify that data privacy standards are kept up to snuff.
Cybersecurity is not just the responsibility of a dedicated IT team and developers. Cybersecurity is everyone's responsibility. It is important to inspect emails for potential phishing attempts and to verify who you are speaking to over a phone; those two are some of the most common vectors of attack. So, everyone from the CEO to the front desk receptionist needs to have cybersecurity awareness training.
What is Data Privacy?
Data privacy and cybersecurity are significantly intertwined, but there are distinct differences between the two. The core difference is that data privacy focuses on ensuring a user's information is properly handled, while cybersecurity focuses on preventing security breaches.
Data privacy can be defined as the proper handling of sensitive user data. It includes whether the data is encrypted at rest and in transit. The decision of when and how data will be shared with a third party is also the realm of data privacy. Lastly, it ensures that the collection, storage, and usage of user data adhere to all regulatory standards such as GDPR, CCPA, or HIPAA. Let's take a look at a couple of ways an organization can ensure the privacy of their users' data.
1. Use Multi-factor Authentication
Multi-factor Authentication (MFA) is a technique of securing data by requiring users to provide at least two forms of identification. Typically, the information is something that the user knows and something that the user is or has. For example, MFA can be a password and an authentication string on a device the user has. Or even a password and a biometric trait such as a face scan or palm scan.
MFA is critical to ensuring data privacy. It prevents hackers from accessing your users' data. A hacker's success can cause an irreparable breach in trust between you and your clients.
2. Data Masking
Data masking is encrypting data so unauthorized viewers cannot determine the value. Data masking is a critical component of data privacy. Oftentimes, data will be masked in the database itself.
When running an organization, it is inevitable that certain pieces of sensitive information will have to be stored on your database. The software developers, database administrators, and other employees have no right to that data, so it must be kept hidden even when in the database. However, they still need access to all the other data and its structure. This conundrum is solved through data masking. When the data is masked, developers will just see a jumble of characters instead of social security numbers, credit scores, or medical diagnoses.
Data masking isn't just for databases. Let's say we had a hospital that displayed medical information to doctors and nurses. We may want to mask the patient's social security number from everyone else but the doctor. So the doctor will see a real number, but the nurses will just see an encrypted string. Or nothing at all.
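Both kinds of masking described above, sketched as an added example that is not part of the original article: a masked copy of the table for developers and DBAs, and a per-role view for the hospital screen. It masks with a keyed hash (HMAC) rather than encryption so the masked column keeps its shape and stays consistent across tables; the key, role names and sample rows are constructed for illustration.

```python
import hashlib
import hmac

MASK_KEY = b"constructed-masking-key"  # assumption: held by the data owner, not by developers
CLEAR_ROLES = {"doctor"}                # assumed policy: only doctors see the real SSN


def pseudonymize_ssn(ssn: str) -> str:
    """Keyed stand-in in NNN-NN-NNNN shape; the same input always gives the same output."""
    digest = hmac.new(MASK_KEY, ssn.encode(), hashlib.sha256).digest()
    digits = "".join(str(b % 10) for b in digest[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def masked_copy(rows: list[dict]) -> list[dict]:
    """What developers and DBAs query: same columns and rows, SSN column masked."""
    return [{**row, "ssn": pseudonymize_ssn(row["ssn"])} for row in rows]


def view_for(role: str, row: dict) -> dict:
    """What the hospital screen shows: the real SSN for doctors, no SSN field for anyone else."""
    if role in CLEAR_ROLES:
        return dict(row)
    return {k: v for k, v in row.items() if k != "ssn"}


if __name__ == "__main__":
    patients = [  # constructed sample rows
        {"patient_id": 1, "ssn": "123-45-6789", "diagnosis": "asthma"},
        {"patient_id": 2, "ssn": "987-65-4321", "diagnosis": "fracture"},
    ]
    for row in masked_copy(patients):
        print(row)
    print(view_for("nurse", patients[0]))
```

Because the masked value is deterministic, a developer can still join or group on the SSN column without ever seeing a real number.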
Now that we have mapped out descriptions of both cybersecurity and data privacy, let's look at a couple of scenarios and decide whether they can be best defined as cybersecurity issues or data privacy.
Let's say a user logs onto their hospital's medical portal. They then fill out a form that requires their social security number and medical information. When they hit the "submit" button, an error is returned because the database is down.
The error returned to the user is brief and vague, but identifies their social security number and date of birth. This message is then logged to the database for troubleshooting purposes. Because the message does not go into detail per se, it is not considered a cybersecurity threat.
However, it is a serious breach of data privacy because sensitive information is displayed for anyone behind the user's shoulder to see, and for any developer who is troubleshooting the logs. This breaches the Data Masking aspect of data privacy.
Similar to the above example, let's pretend the user was able to successfully post their information to the website. But the user is very computer savvy, and takes note of the URL that the data is getting passed into. This is called a REST call. The user then opens up an application that allows them to send data to any URL, such as Postman. They then begin sending junk data to the database.
The hacker isn't able to see any sensitive data, but they can put whatever they like into the database. This is a clear breach of cybersecurity, but not necessarily of data privacy. This hack breaks the Principle of Least Privileged Access, because only specific users from specific points in the application should be able to hit that endpoint.
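One way to close the gap in this scenario is to have the endpoint itself check who is calling and what they send, so a hand-built request is treated exactly like one from the form. This is an added example, not code from the original article; the token format, role names and form fields are assumptions, and the token is simplified (it carries no expiry).

```python
import hashlib
import hmac
import re

SERVER_KEY = b"constructed-demo-key"  # assumption: a server-side secret, never sent to clients
ALLOWED_ROLES = {"patient"}           # assumed: only a patient session may submit this form
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")


def issue_token(user_id: str, role: str) -> str:
    """Issued at login: user id and role, signed so the client cannot alter them."""
    body = f"{user_id}:{role}"
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{sig}"


def verify_token(token: str):
    """Return (user_id, role) for a correctly signed token, else None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user_id, role, sig = parts
    expected = hmac.new(SERVER_KEY, f"{user_id}:{role}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so odd characters in sig cannot raise.
    return (user_id, role) if hmac.compare_digest(sig.encode(), expected.encode()) else None


def handle_submit(token: str, form: dict) -> tuple[int, str]:
    """Every check runs on the server, so calling the URL directly gains nothing."""
    identity = verify_token(token or "")
    if identity is None:
        return 401, "authentication required"
    user_id, role = identity
    if role not in ALLOWED_ROLES:
        return 403, "forbidden"
    if form.get("patient_id") != user_id:
        return 403, "forbidden"  # a patient may only write to their own record
    if set(form) != {"patient_id", "ssn", "notes"} or not SSN_RE.fullmatch(str(form["ssn"])):
        return 400, "invalid request"  # junk or unexpected fields never reach the database
    return 201, "created"
```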
Let's say a nurse receives an urgent email from a well-known patient. The "patient" asks for their grandpa's social security number and medical chart. They claim their grandpa suffered a heart attack while on a vacation in Mexico, and the Mexican hospital requires this information before giving treatment.
We covered a lot of ground on cybersecurity and data privacy. Cybersecurity starts with Security By Design. Then, it's maintained and analyzed by cybersecurity experts. Lastly, it is up to everyone in the organization to be cognizant of security threats. The cybersecurity team can't do it alone!
Data privacy is ensuring that all regulatory compliance is met when handling user data. Multi-factor authentication is an effective tool to ensure data is not being viewed and collected by an unauthorized participant.
Data privacy is also masking data from those who are not authorized to see it. Lastly, consent is required when an organization tries to give user data to a third party. Like cybersecurity, it is everyone’s responsibility to call out breaches in data privacy.
Hopefully, you now have a clear understanding of how these two concepts are different, and understand the steps that can be taken to ensure your organization is up to standards in both data privacy and cybersecurity.