The National Cybersecurity Alliance’s fifth annual Data Privacy Week took place at the end of January. This year’s theme was “take control of your data”, as highlighted by this description from the event website:
“You cannot control how each little piece of data about you and your family is collected. However, you still have a right to data privacy.”
Today, almost every organisation – from supermarkets to TV channels – collects data on customer behaviour to enhance services. This push for continuous insight has driven societies, companies, and regulators into an uncomfortable debate over data privacy that has left the cyber security profession between a rock and a hard place.
On the one side is consumer expectations. In this data-driven world, customers – rightly – want organisations to do everything in their power to protect personal data. There are countless examples of highly sensitive data being stolen due to lax data protection protocols, most notoriously Yahoo’s 2013 breach where 3 billion customer accounts were impacted. Regulators have stepped in, enforcing legislations such as the EU’s General Data Protection Regulation (GDPR) to drive higher data privacy standards and impose penalties for lapses, such as Capita’s £14 million fine for its 2023 data breach.
On the other is consumer behaviour. Many people in society don’t value their data highly enough and have been guilty of signing up for unnecessary services, poor password practice, or posting sensitive information on social media. Meanwhile, the pace of data generation increases exponentially. As recently as 2019, it was thought that the amount of data globally amounted to 45 zettabytes (ZBs). Today, that figure is estimated to be between 150-200 ZBs. These are all points of weakness that cybercriminals can and have continuously manipulated, adding fuel to the data privacy fire.
Kim et al (2023) highlights this consumer ‘privacy paradox’, finding that privacy concern has a strong influence on behavioural intentions but much weaker impact on actual behaviour. Essentially, consumers recognise data privacy risks and aim to safeguard their data, yet their actions often fail to reflect this ideology.
Fearful of losing consumer trust and falling foul of compliance, the cyber security profession has prioritised regulatory compliance, deploying cyber security tools – such as multi-factor authentication – and tightening policies as a means of protecting itself and its customers. But this response is fundamentally flawed – treating the symptoms of data privacy failures, rather than the causes.
As a profession, we must change our mindset to help drive a new way of thinking for our colleagues, friends, family and broader society. Of course, achieving compliance is valuable, but will never drive strong data privacy in isolation. Bringing colleagues and consumers on the security journey, raising awareness of risk and showing the value of data will act as a force multiplier for existing tech and process-based privacy measures. This more holistic approach will also help to relieve pressure on the security profession.
Communication is critical here. Cyber security is inherently technical and laden with jargon. Continuing to rely on the language of the profession will only alienate colleagues and the public. By contrast, clear communication about risks and responsibilities in familiar language will increase engagement and strengthen understanding of individuals’ roles in protecting data.
Reframing the language of security to make it more relatable and inclusive should be the first step in advancing this holistic data privacy model. Improved communication and understanding can then act as a launchpad for further actions, such as extensive education programmes and awareness campaigns for colleagues, which will permeate out of the workplace and into the collective psyche of society.
Once understanding increases, behaviours will start to change. People will realise that even small steps to improve resilience can make a huge difference and start to question unusual or unnecessary requests for data. But building these habits starts with knowledge of the threats and insight into what best practice looks like, including the small wins that accumulate to drive stronger data protection.
This will help to raise data privacy standards and spread accountability, ensuring that responsibility isn’t concentrated solely around the security profession, but is only possible if we can change the outward-facing vernacular.
