Government reforms, such as the recent review of the Privacy Act that proposes significant changes to how data is collected, stored, used and disposed of, have put all organisations on notice. And while the focus often falls on personally identifiable information (PII), the scope of the current legislation and the proposed changes also covers sensitive data collected from surveillance footage, photos and licence plate information.
The overlap between physical and digital security is significant. The data collected by physical security systems, everything from cameras through to electronic door locks, is of value to criminals. Federal and State governments continue to develop and amend legislation to hold businesses more accountable for data privacy and cybersecurity breaches. As well as the Privacy Act, legislation covering critical infrastructure was amended in 2020 to expand the definition of critical infrastructure, with further changes proposed to extend that law’s reach.
This puts data protection into focus for the C-suite and the boardroom. Global research and advisory company Gartner says that by 2025, three quarters of CEOs will be personally liable for both cyber and physical security incidents. Cybersecurity and privacy compliance are now at the top of the agenda for business leaders.
To streamline compliance, organisations need to focus on three key elements:
1. Take a risk-based approach
Often, security and privacy are seen as a burden that stops people from focusing on their “real” work. But by embedding security into everything, compliance costs are reduced. Many organisations must comply with several security standards at once. For example, an organisation may need to comply with both ISO 27001 and PCI DSS.
By taking a risk-based approach and putting appropriate controls in place, a single set of controls can satisfy both standards without each standard being addressed separately. Controls such as an effective identity and access management system, multi-factor authentication and regular, tested backups each mitigate a specific risk and, at the same time, satisfy requirements in more than one standard.
2. Privacy is not a bolt-on
Privacy and security controls must be integrated when new applications and processes are conceived and built. It’s too late to add them once the system or process is in place.
Bolt-on security and privacy controls often result in a poor user experience and tend to be weaker than properly integrated ones. Being proactive ensures a privacy-centric design that anticipates potential breaches and blocks them before they have an opportunity to wreak havoc in your systems.
When an organisation does not make privacy protection a cornerstone of its security policies, privacy becomes an afterthought, which can lead to the impression that privacy and security are at odds with one another.
3. The right skills and partners
There is a globally acknowledged shortage of skilled physical and digital security practitioners. Although it may be possible to recruit and retain some security staff, working with partners that listen to your needs and understand your risks enables you to focus on your core business.
Organisations should look for partners that build secure and compliant solutions, keep up with emerging risks and work proactively to distribute fixes and new solutions. Partners need to maintain open communications and keep you apprised of emerging threats and newly identified vulnerabilities. Importantly, they should give you complete control over your data so that protection methods and processes can evolve to meet changing regulations.
Physical security has well and truly moved into the digital age. Protecting the data collected by cameras, access control systems, licence plate recognition and other physical security systems is just as important as protecting PII and other corporate data.
Taking a risk-based approach, embedding security into every system and process from the moment design starts, and choosing the right partners minimises the risk of unauthorised access to your data and limits the blast radius should an attacker break into your systems. This not only protects your organisation but also supports compliance efforts and ensures that changes to legislation do not force major changes to your systems.
Kathryn Van Kuyk
Co-founder, Co-CEO & PR Director
+61 414 726 958