What comes first – protecting people or protecting data?

In today’s digitally connected world, the question that’s often being asked is: what is data privacy? How do organisations know that they have all the necessary privacy and security strategies in place? How does it relate to security?

“Understanding that data protection and data innovation are two sides of the same coin, Singapore advocates for the use of data in a trusted manner as a bedrock for the digital economy. This guides our approach to data protection, going beyond a compliance-based approach to a heavier emphasis on the principle of accountability,” said Yeong Zee Kin, Deputy Commissioner of Personal Data Protection Commission (PDPC). The establishment of the PDPC shows that the Singapore government is on the leading edge, enforcing accountability and having an agency that directly manages personal privacy with an even focus on business and people.

In the Singapore budget 2020, S$1 billion has been allocated over the next three years to build up the government’s cyber and data security capabilities. Without a doubt, data security has been a vital prerequisite and key enabler of Singapore’s digital economy. As Singapore embarks on initiatives to realise the Smart Nation ambitions, the country must be prepared to deal with cyber threats. As digitalisation becomes more pervasive, always remember that security has to start with privacy.

Data Protection Regulations

Privacy is about the individual; data doesn’t need privacy. People and what matters to them need privacy: their identity, lives and information. In the past, laws only focused on data, while modern laws are becoming more and more focused on people. The General Data Protection Regulation (GDPR) led the way, but some regulations are moving beyond a single person to recognise that even families have the right to privacy. Privacy is evolving, and the tough part for all industries is the speed of this change and the fact that they are legally bound to keep pace with this evolution.

GDPR is the culmination of many preceding regulations spread over the decades. It is often comprehensive, covering many parts of life and business. That said, Singapore’s Personal Data Protection Act (PDPA) is very interesting in the sense that it is a constantly evolving law. The GDPR is potentially evolving as well, but it does so based on the term “reasonable”, whereas Singapore’s regulation evolves through direct government intervention. The focus of the two is very different, even though they overlap in use and in reality. GDPR is based on regulations, which Singapore’s PDPA thinks of as checkboxes, putting its laws and efforts on accountability for misdeeds first.

In the APJ region, each country’s privacy regulation is its own too. Australia’s collection of regulations is an intriguing and ever-changing situation. The country seems to want greater inter-agency data sharing and to expand its privacy foundations. Currently, it is falling behind on privacy, and the government is well aware of the matter. This could be the first step in moving from being a follower in the privacy world towards becoming a privacy leader.

Identity as the first line of defence

Interestingly, most people have their identity, and their lives, split into two parts. The first part is their personal life identity. The second part is their corporate or business life identity. The former is heavily managed by the services they use, so in the end it is very much about self-management. The latter is something that gets managed, more often than not, by their employer. Of course, there is some self-management there, but it takes an ethical employer to go far to support their employees in protecting their privacy.

Security Starts Here with Identity

Since security starts with privacy and privacy starts with identity, sometimes I think it should be “privacy starts here”. The only way a business can manage the privacy of its employees is to manage their corporate identities. This includes making sure the right people have access to the right data and validating that the data you have is correct – as incorrect data on a person can lead to mistakes that can cost them dearly, professionally or personally. That’s why data privacy laws almost always deal with the correctness of the data.

Storing data in an insecure manner has become so commonplace that each person who reads this article can point to a case where their data, or the data of their loved ones, has been compromised.

Something to remember is that events like this occur every year all around the world. Breaches of these kinds happen, but they shouldn’t. Privacy should not be an added layer put into processes later, but a fundamental component of the whole. Privacy starts here. Employers need to remember they are protecting people, not an obscure bit of data, although in the end they protect both.

Protect the Identity now

According to the latest Data Breach Investigation Report, more than half of the data breaches (58%) involve compromised personal data and 81% of the breaches were contained in a day or less. With the rise of social engineering, breaches became more sophisticated and more difficult to protect against. Damages are growing year upon year. A One Identity Global Survey conducted at the end of last year confirmed that 100% of IT security professionals in Singapore reported that Pass the Hash (PtH) attacks, an attack method that uses stolen administrator credentials, had a direct business impact on their organisation.

Privileged account management and other tools could be used in a strategic approach to protect privileged accounts and their access, slowing or stopping cybercriminals who leverage a PtH technique. Otherwise, these attackers can gain access to an entire network, rendering all other security safeguards ineffective.

Breach notification improvements were another noted area where adjustments were required by many privacy professionals. It has caused them to step back and review their privacy and risk management plans in addition to their notification standards. While organisations in Singapore have taken steps to mitigate the risk of PtH data attacks, there is still a startling number that have not implemented any sort of plan to address the risks that these breaches may bring.

Identity management is where privacy begins. The concept is simple. The right people get the right access, to the right resources at the right time in the right way – and you can prove it.

As organisations in Singapore are becoming hyper-connected and reliant on technologies, security and privacy should not solely focus on firewalls and deterrence. Since most data breaches involve compromised credentials, identity-centric strategies will continue to be a key component of Singapore businesses’ defence in today’s digital era.