We are increasingly aware that some information should be considered to be confidential, and should only be accessed by people and systems that are authorised to do so, and should only be used for the authorised purpose.
GDPR has made confidentiality one of the most commonly used words in the English language, and it has certainly increased public awareness of the concepts of privacy and confidentiality, even though it has caused us to be bombarded with so many requests for permission to store and use our personal data that many people grant permissions without thinking.
In business, we often need a broader definition of confidentiality, which doesn’t just consider personal data, but also includes all information whose unauthorised disclosure might be detrimental to the business, customers, suppliers and partners.
Ransomware has brought this wider concept of confidentiality into public awareness, as a result of business data being copied by the attackers before it is encrypted, to create another lever in their extortion schemes to force affected businesses to pay the ransom.
There are huge technical challenges involved in ensuring confidentiality, but the biggest challenge for businesses is the widespread lack of understanding amongst employees and the public at large of what confidentiality actually means, and how it is actually achieved in practice.
Widespread adoption of End-to-End Encryption to protect private chats, voice and video calls has increased understanding of confidentiality in this specific context, but doesn’t really help people to understand confidentiality in the wider business context.
Most users are aware that some areas of the corporate network are restricted and can only be accessed by authorised users, and users in government or large corporate organisations will be aware of data classification and being read into specific projects, but many users are more familiar with the unlimited ability to share information through email, and have little concept of how to manage business data in a manner that respects confidentiality.
This might not have been an issue for many small and medium enterprises in the past, but the combination of Ransomware and GDPR means there are now multiple risks that could potentially destroy the business and the careers of key personnel.
This is a critical business problem that affects all users, and the business needs their cooperation in order to address the risk, but it isn’t realistic to solve the problem with user awareness alone, because users need new technical tools to help them manage data in a new way, where everyone in the business is part of the solution.