Three Key Priorities for Privacy Practitioners in 2022

Editor’s note: This is the third in a weeklong ISACA Now blog series looking ahead to top priorities in 2022 for practitioners in digital trust fields. See earlier posts looking ahead to 2022 for audit practitioners and cybersecurity practitioners.

Each year privacy professionals have more and more issues to address. Existing privacy risks never really go away. They simply lurk beneath the new issues that claim the attention of privacy pros until the time is ripe to exploit those old vulnerabilities. This trend will continue through 2022 and beyond.

To succeed in managing privacy, privacy pros must remember the lessons learned from the privacy issues past (for they are still haunting us today, and will be forevermore), the privacy challenges of today (which will stay with us as privacy ghosts of the past as time moves on) and the privacy challenges yet to come.

Priority #1: Addressing Continuing Challenges from the Privacy Past
Every year I see privacy pros jumping onto the next new privacy thing bandwagon without looking back, leaving existing privacy threats and vulnerabilities unattended. When new tech appears, old tech-related privacy risks are quickly forgotten. Consider the following privacy risks still haunting organizations from the privacy past:

  • Fax breaches. Fax machines are still widely used, despite what I often read about them being long abandoned. Millions of organizations still depend upon faxes for many reasons: often budget-related, but also because decades of fax use have become embedded within business systems and processes, especially within small to midsized businesses and throughout the healthcare sector.
  • Email breaches. Despite the widespread use of alternative online communications tools, emails are still widely used, and often misused. I had an insurance agent recently send me an email with “{Sent Securely}” at the end of the subject line. I asked him what that meant. He said that he was told that putting that phrase in the subject line encrypted the message. Of course, it did not. How many others who are not tech-savvy are being told bad information, leading to security incidents and privacy breaches? Add to this everyday email mistakes, malicious use by insiders and phishing activities, and email remains a significant root cause of privacy breaches.
  • Three more quick hits to mention:
    • Unsecure tech device and information disposal practices.
    • Legacy systems not being maintained or updated.
    • Business network access points of yore still allowing for digital access.

These are still concerns even today. If privacy and security pros are not addressing them, the impacts will not only be more severe than the exploits of old, but they will also go unnoticed, often for a very long time, because the privacy, security and compliance folks are no longer paying attention to them.

Priority #2: Addressing Present Privacy Challenges
Here are some present privacy challenges that will persist throughout 2022 to put on your to-do list:

  • Remote working risks. Work-from-home situations are still in place, even with many workers going back into the office – full-time or part-time. The fact is, most home office setups are still in use, or remain active even when not used. But how much attention are they now getting? Work from home. Mobile working while traveling. Shared office spaces. Every organization should currently be mitigating the associated risks.
  • IoT risks. The use of IoT devices is ubiquitous throughout the world. They are found within office areas, worn by workers, or carried by those who decided on their own to use them to support their business activities. Each IoT device can be collecting and transmitting tons of personal data, as well as creating potential connections throughout business networks.
  • Three more quick hits to mention:
    • Use of apps that access other data and systems. Unused apps often are still exfiltrating data.
    • Cloud systems housing and processing data that are not secured adequately.
    • Staying aware of new legal requirements for data protection.

These and more continue to take a lot of privacy pros’ time, resources and attention – and rightfully so, since they are often the squeakiest wheels when it comes to organizational privacy risks. If privacy pros are not addressing them, they are leaving their organizations open to security incidents, privacy breaches, non-compliance penalties, lawsuits and damaging press when the many vulnerabilities are exploited.

Priority #3: Addressing Privacy Challenges Yet to Come
Privacy pros need to be aware of several emerging trends that will impact privacy in 2022. Here are a few quick hits to keep on the radar:

  • Cryptocurrency used for business payments. Many security and privacy risks exist.
  • Performing business within the metaverse. Yes, it’s being done, perhaps within your organization. There are risks!
  • Use of AI and ML for business decisions. Biases within such tools can produce privacy problems.
  • Use of IIoT within critical infrastructures, business buildings, factories and schools. These often create stealthy connections leading to privacy breaches.
  • Using nearby networks. Consumer IoT products now often borrow from nearby mesh networks and use 5G, creating new risks to mitigate when the products are incorporated into business settings.

Ultimately, to be effective every security and privacy leader, in all types of organizations, must continue to address past risks, manage current risks and prepare for emerging risks. In 2022 make it a priority to address all your privacy risk ghosts of the past, present and future.

About the author: Rebecca Herold has over 30 years of IT engineering, security, privacy and compliance experience. Rebecca is the CEO of The Privacy Professor consultancy (established 2004) and CEO of Privacy & Security Brainiacs SaaS services (www.privacysecuritybrainiacs.com) that she founded with her son, Noah, in 2020, which recently published a series of free online flipbooks about IoT security and privacy (https://privacysecuritybrainiacs.com/resources/infographics/IoT/). Rebecca has also been a subject matter expert team member of the NIST IoT Cybersecurity development team for over two years and has been a member of other NIST development teams since 2009. Rebecca has authored 22 books and contributed to hundreds of other books and articles.