How Cybersecurity and Privacy Are Converging
In recent years, we have lived through four particularly powerful events that have changed the cybersecurity and privacy landscape forever. Here they are:
1. Cambridge Analytica were exposed – The UK-based political consulting firm was accused of harvesting the personal data of over 50 million Facebook users in order to manipulate the US election. We all cared about this breach because we all understood, and felt, its monumental implications on our lives and freedoms. Privacy issues around this scandal were a cautionary reminder that nothing in life is free. Which platforms are taking our data and selling it? The short answer: all of them.
2. GDPR was implemented – Introduced in May 2018, the Global Data Protection Regulation, or GDPR, was the first major effort by lawmakers to limit Silicon Valley’s ability to mine and monetize the personal data of unwitting internet users. Specifically, the GDPR gave (and continues to give) consumers the right to see what type of data companies hold on them, the right to have that data deleted, and the right to request that companies stop tracking them for behavioural targeting purposes. Failures to report allow the authorities to impose fines of up to 4% of a company’s annual revenue. Thus far, the most notable fine has been slapped on British Airways, who were fined £183 million in June 2019 over a 2018 security lapse that compromised the personal data of around 500,000 of their customers. Other companies that have had fines imposed on them include Marriott, for a total of £99 million, and Google, for a total of €50 million, for failing to seek valid consent and provide adequate information to customers who were being targeted with highly personalised ads in France.
3. Net neutrality was repealed – In the same year as GDPR was implemented in Europe, in a great twist of irony, the US, or specifically the Federal Communications Commission (FCC), decided to roll back net neutrality. What are the net neutrality rules, you ask? The net neutrality rules were approved by the FCC in 2015 amid an outpouring of online support. The purpose of these rules was two-fold:
- To keep the internet open and fair. Under the rules, Internet Service Providers (ISPs) were required to treat all online content the same. They could not deliberately speed up or slow down traffic from specific websites or apps, nor could they put their own content at an advantage over rivals.
- To ensure proper policing of the internet. The net neutrality rules established a so-called “general conduct rule” that gave the FCC the power to step in where it felt ISPs were hurting competition and/or consumers. ISPs were banned from using private customer information, app usage and browsing history in certain ways – namely, from selling it on to third parties without express consent.
The repeal of net neutrality has opened up all sorts of questions around privacy. How do you stay private on an internet where corporations are allowed to throttle data usage and mine data with unrestricted access? You can’t.
4. The coronavirus went viral – The coronavirus has had a devastating effect on the world. The virus has debilitated regions and decimated sectors with an unparalleled level of speed and ferocity. Its impact on companies and business models has been indiscriminate, hurting particularly those companies with weaker or under-developed digital underpinnings. Stronger players have had to shock themselves into emergency measures designed to prevent discontinuity. Companies have had to learn how to operate digitally. People have had no choice but to adapt to this new, digital world. The rapid move to digital has led to an expectation that today’s digital infrastructure will remain resilient and function at a time when it has been most under stress. One of the biggest stress factors, of course, has been cyber-attacks. Indeed, cybercrime has actually increased multiple-fold since the lockdown began. More so than ever, companies and consumers alike are now fearing for their safety online.
These four events remain fresh in our collective consciousness
They are stark reminders that our safety in the digital world is just as important as our safety in the physical world, and that the two are inextricably interlinked. As individuals, we have now begun thinking about safety in two forms: security on the one hand, privacy on the other. Where cybercriminals have lifted our private datasets from company servers and sold them for profit, it has been us (the consumers) who have suffered from this unsolicited exposure of our personal information. When companies have been fined under GDPR for failing to prevent cyber-attacks, we (the consumers) have not been compensated for the vulnerabilities created by this corporate carelessness.
With every new cyber-attack that has happened, frequent as they now are, relationships between consumers and companies have started to break down. Companies that were once up there with the world’s leading brands (e.g. Facebook) have tumbled from these positions.
Consumers have trust issues
Conversations are now taking place at the highest echelons of business to understand just how privacy protection can be integrated as an added value to the organisation, and ultimately, consumers. Not just for regulatory reasons, but because privacy protection – today – has become intrinsic to brand, and reputation. Young & Rubicam estimate that brand value represents nearly one-third of the $12 trillion in market capitalisation of the S&P 500. Just let that sink in.
From consumer goods manufacturers to healthcare service providers, companies now understand that they can benefit from proactively addressing privacy vulnerabilities. They can try to gain a competitive edge by integrating privacy features into their products, much like Apple have done. Or they can offer new privacy-embedding solutions altogether (e.g. Telegram as an alternative to WhatsApp, DuckDuckGo as an alternative to Google Chrome, or the Purism phone as an alternative to the iPhone…).
Cybersecurity and privacy are converging
And while cybersecurity and privacy used to be distinct issues, these conversations are now causing them to converge. We no longer talk about cybersecurity just through the lens of making walls bigger and taller. Rather, we now talk about all of the ways in which risk can manifest itself. Yet, both consumers and companies want better protection, but also what is best for one another. Companies do not want sensitive consumer data in the public domain, but they want sensitive consumer data. Consumers want to know that their sensitive data is being handled with care, not that it is being handled by just anyone.
For companies, stakes have never been higher than with respect to the collection, processing, use, retention, disclosure and disposal of Personally Identifiable Information, or PII for short. According to Andrew Burt, Chief Privacy Officer at Immuta, a technology company specialising in automating data governance, the shift today represents a “larger, [more] profound shift in the world of data privacy and security that [will have] major implications for how organisations think about both.” He cites the rise of big data and machine learning as “the biggest risk to our privacy and our security… Once we generate data, anyone who possesses enough of it can be a threat, posing new dangers…” he says.
Where there is more vulnerability, there is more need for cybersecurity
Data is not going away. In fact, the data science wave which began 15-odd years ago is only getting bigger. Companies are now looking for solutions that will help them think about, and incorporate, privacy into their products and services. Companies that were historically pure-play cybersecurity companies have entered this domain too. Established players like NortonLifeLock and IBM now offer data privacy services and software. Newer players like Cloudflare, Okta and Ping Identity have also spotted an opportunity.
With this new, added dimension of privacy woven into cybersecurity, we see room for growth in the cybersecurity sector. Prior to Covid-19, MarketsandMarkets found that corporate spending on cybersecurity lay at around USD 184 billion, which was predicted to grow to USD 250 billion by 2023. Post-Covid-19 this figure is expected to swell even further.
The coronavirus pandemic has permanently changed the way in which we work. Remote working was essential during lockdowns, but as restrictions are lifted, we are now seeing greater flexibility in working conditions and a move towards working from home more frequently. In such a world, robust cybersecurity systems will be paramount. According to Chris Versace, CIO and thematic strategist at Tematica Research, “It is exactly these types of pain points that give rise to innovation and new business models that create thematic opportunities for investors.” And so while the digital revolution has created newfound vulnerabilities to our security and privacy, it may also be the digital revolution that finds the solutions.
Venture Beat, “5 data privacy startups cashing in on GDPR”, July 2019. Available at: https://venturebeat.com/2019/07/23/5-data-privacy-startups-cashing-in-on-gdpr/.
Webroot Smarter Security® Report, “Game Changers: AI and Machine Learning in Cybersecurity”, December 2017.
Harvard Business Review, “Privacy Is a Business Opportunity”, June 2018. Available at: https://hbr.org/2014/04/privacy-is-a-business-opportunity.
Harvard Business Review, “Privacy and Cybersecurity Are Converging. Here’s Why That Matters for People and for Companies”, January 2019. Available at: https://hbr.org/2019/01/privacy-and-cybersecurity-are-converging-heres-why-that-matters-for-people-and-for-companies.
MarketsandMarkets, “Cybersecurity Markets worth $248.3 billion by 2023”, 2020. Available at: https://www.marketsandmarkets.com/PressReleases/cyber-security.asp.