Well, to be fair, this is not entirely true. Privacy is only one aspect of cybersecurity. I promise that wasn’t a clickbait tactic.
As we all know, privacy is a large concern for most people, especially on the internet. How we protect that privacy is key to keeping client trust, and it is part of the larger security picture as a whole.
Privacy concerns are certainly security concerns, but the inverse is not necessarily true. Take for instance the European Union’s General Data Protection Regulation. While this is definitely a privacy play (and in many cases, a win for privacy), there is actually very little cybersecurity requirement in the regulations. Or is there? At the very foundation of cyber/information security (which one could argue are very much one and the same) lies the holy trinity of security concepts: Confidentiality, Integrity, and Availability.
Traditionally, information systems have been all about uptime and the effective sharing and propagation of information. Indeed, the dawn of the internet was what truly pushed mankind into the information age. This is all about availability. The clincher to availability is that information be available only to those who should have access to it. But of course, the other side of that coin is Confidentiality. Confidentiality can be stated as “not disclosing information to those who do not have a need to know it.”
With the advent of the mega-breaches of personal information, we end up with some very poignant points on whether privacy is part of cybersecurity. Take the Facebook breach for instance: over 50 million users were suspected to have had their information sold or disclosed to and from third parties for a variety of reasons. If folks had known that they would be psychologically profiled based upon their information, they likely would have never agreed to it.
So this is clearly a violation of confidentiality, and because personal data was involved (data that associates a user with a myriad of real-life details about them, which could be used to create a fake identity or compromise their real identity), this makes it all the worse. Now, it becomes a privacy issue. Arguably, this even becomes a Personal Health Information violation, as much of the data was used in the form of a psychological profile.
Ultimately, data was leaked or made available to those for whom the data was 1) not intended and 2) who were not authorized to view the personal information of individuals. While Facebook strictly denies that this was a security leak, by its very definition it is.
Thus the European Union’s General Data Protection Regulation (GDPR) is definitely a privacy play, and in our view, certainly an information security play, which also makes it a cybersecurity concern.
If you have concerns about whether or not your organization has sufficiently addressed the myriad rules and aspects of the GDPR, we have the solutions that you are looking for. Beryllium Information Security Collaborative can definitively assist those who need guidance with GDPR prep through our award-winning User Awareness Training, Executive Education, and by-the-numbers GDPR readiness assessment.
If your organization works with the DoD and handles CUI, we can also help you evaluate your DFARS compliance needs.