Ulf T. Mattsson
Data are valuable. Businesses increasingly rely on data to make better decisions, to better target their customers and to predict the future. Leveraging data through real-time analysis for business value is driving businesses to collect more data faster and from more sources than ever. This has given rise to the era of big data and the Internet of Things.
These large caches of data also hold a significant direct value in monetization—the sale of part or all of the data to a third party. The percent of businesses monetizing their data is projected to triple by 2016. Much of this data is related to consumers—privacy data.
It is important to note how much more severe the damage due to identity theft can be than a typical payment card industry breach. You cannot simply issue a new identity the same way you can a new payment card. Meanwhile, an individual’s health insurance, credit and legal status are all in jeopardy.
It only makes sense that with all that data (and the direct and indirect value it represents), hackers would be increasingly driven to steal it. The question is how to protect the data from persistent, intelligent threats while preserving its value to the enterprise.
Businesses often collect a lot of privacy data in bits and pieces: names and addresses, separate from phone numbers and email addresses, separate from ages and genders. Then they integrate it in analysis to get a complete view of their customers. While separately these pieces of information may not readily identify an individual, together they can completely expose an individual to financial hijacking or outright identity theft. In effect, these businesses are doing a lot of the work for criminals aiming to steal this information.
To reach the goal of securing the data while preserving its value, the data itself must be protected at as fine-grained a level as possible. Securing individual fields allows for the greatest flexibility in protecting sensitive identifying fields while allowing nonidentifying information to remain in the clear.
Protecting this information within the enterprise is a significant challenge on its own, but monetizing the data means sending it to one or many other organizations, each of which have their own security profiles. Anonymizing privacy data completely may not be feasible in a monetizing scenario, but deidentifying the most sensitive information, e.g., names, social security numbers, birth dates, is vital to protecting the privacy of individuals. Using data protection methods such as tokenization can also allow businesses to preserve the type and length of the data, as well as deidentifying only part of the data fields, while leaving the relevant parts in the clear, such as exposing a birth year rather than the entire date. This will keep the data usable for third parties to analyze, while helping to protect the privacy of the individuals who make up the data.
We may not be able to completely prevent hackers from stealing data, but we can make it far more difficult for them to cause significant damage with it. By protecting data at a very fine-grained level—fields or even part(s) of a field—we can continue to reap the benefits of data monetization while putting forth a significant barrier to identity theft.
Read Ulf Mattsson’s recent Journal article:
“Leveraging Industry Standards to Address Industrial Cybersecurity Risk,” ISACA Journal, volume 6, 2014.