The Tipping Scale: PrivSec vs. Convenience
By Ross Saunders
We have all heard about the privacy versus convenience dilemma. There is also a trade-off between security and convenience. More security controls add a layer of complexity (and dare we say inconvenience) to opening files, transmitting information, and sharing data with others, which does not always make for a seamless process or gain customer satisfaction. We have been privy to these heated business debates in the boardroom. We have also been a part of the business solution.
The struggle between complexity and convenience plays a role when setting up processes to share information, be it with clients or anyone else. For example, complexity lies in the number of steps you need to take to encrypt a document (or similar), which you intend to send to the recipient. As the recipient, the complexity is added in the converse steps of having to decrypt and access the information.
In the last little while, we have heard complaints from companies concerned about having to sacrifice security to reduce extra steps and help the client relationship. We have also seen individual recipients complain about usability, in that they don’t have time to enter a password each time they wish to view a financial statement. Both are valid, but at what cost?
Let’s look at the individual complaint first. Our client’s customers occasionally complain that they don’t understand why their bank statements need to be encrypted and password protected. They argue that it’s frustrating to open and the file could just as well be sent without a password. Often, this is justified with the phrase we hear regularly in the privacy field; “I’m not that interesting, no one would want to see my statements anyway.”
This is a common misconception. In this instance, the statements were business bank accounts, sent by the bank to the individual. Simply put, your statements can say a lot about you and your business. It can show who your providers are, where you spend money regularly, who contractors may be, and a plethora of other valuable information for performing invoice fraud and a host of other attacks, like going after third-parties they now know offer you services.
In an individual sense, say it was an executive’s personal account, the risk lies in “doxxing”, the process of publishing someone’s private information in order to discredit them with malicious intent. An executive in a high-trust environment only needs one purchase at a socially unacceptable website or establishment to tarnish a reputation. Simply making purchases outside of public expectation, such as a vegan restaurant owner making a purchase at a butchery, could be problematic (and it may be a spouse or child making that purchase, and not the person in question).
The risk for businesses is slightly different, whereby sending information over insecure channels can get you in hot water with regulators for not taking appropriate steps to secure the information (many regulators require appropriate security safeguards in relation to the sensitivity of the information). Aside from the risks of information being accessible by other parties when it’s not secure, there is also the risk of civil and class action lawsuits, as well as fines from these regulatory agencies, depending on your jurisdiction.
Most data protection regulations, whether you’re in Canada, Europe, or otherwise, bring in the concept of technical and organizational safeguards. And while policies and procedures fall under the organizational category, securing the actual information that is sent falls under technical safeguards, something that can be omitted at an organization’s peril, in favor of convenience for the customer.
The trick really is to strike a balance. Ensure that you classify your information so that you are aware of the types of information being sent out. We recently published an article on getting started with classification to help get you on your way!
Once you have developed and operationalized your classifications, it’s time to do an inventory of your data and processes to assign them. A data inventory gives you visibility of what you are doing with the data that you have now classified according to sensitivity and risk, and is a foundational block on which you can build your privacy program going forward.
There are many templates and tools available online to assist in this process, and taking the first steps will certainly up your game as far as privacy and security is concerned. That said, making sense of them can be hard work. Let us take the pain out of researching and developing these for your business. Drop us a line, we’re always happy to help!
