Recent industry studies (see sidebar above) show that insider threats remain one of the biggest corporate grey areas and, increasingly, a core information security challenge.

Insider attacks differ from external attacks because insiders, whether employees, third-party suppliers or consultants, already have a foothold in the organization: they have been granted legitimate access to systems and data. Privileged users pose a particular risk, because activity carried out with valid credentials is hard to detect and stop with traditional preventive controls designed to keep outsiders out.

In addition, the insider-threat landscape broadens and diversifies with cloud computing and BYOD, higher employee turnover, and declining loyalty and information security awareness. Employee training, though critical for changing attitudes and behaviour, is not sufficient on its own for strong data protection. Security professionals are on the line to protect their organization's data and assets. Companies should therefore put a number of security controls in place. To gain visibility into how information moves within the company, they must also strengthen the monitoring and detective capabilities needed to distinguish legitimate from malicious activity.

Such practices, though essential for achieving greater information security, may often conflict with the rationale behind the right to data protection. This tension could prevent a company from reaching its full security potential.

The major question, then, is how privacy and security can coexist in such circumstances.

Certainly, privacy professionals should consider following the guidance of the Article 29 Working Party, which stated in one of its opinions that the processing of personal data in the context of surveillance activities may take place only under adequate safeguards defined by law and in accordance with the basic data protection principles governing the processing of workers' personal data: finality, transparency, legitimacy, proportionality, accuracy and retention of the data, security, and awareness of staff.

Furthermore, as part of their technical safeguards, privacy professionals should consider adopting privacy-enhancing technologies (PETs).

During the IAPP Europe Data Protection Congress “Intersection of Privacy and Security” track, three presentations will focus on these difficult but essential issues.

Insider Threats: Navigating Security and Privacy

This session will discuss the information security risks posed by insider threats and walk through a step-by-step implementation of an insider threat program that organizations should consider as part of their privacy program.

To guide privacy and security professionals on which PETs they should consider, we offer two further sessions:

The Importance of Being Anonymous

This session will discuss the meaning of anonymization and pseudonymization, provide insights into the different guidance documents issued to date in the EU and beyond, and analyse the new provisions of the General Data Protection Regulation. Panellists will also explore the different techniques used to implement them and give recommendations on how to make them more effective.

The Future of Authentication

This session will give insights into the future of PETs based on Identity Mixer, developed by IBM, which allows users to be authenticated without being identified. It will also present the opportunities and challenges that current authentication solutions must overcome and what these mean for the next generation of PETs.

photo credit: Surveillance camera via photopin (license)