Are companies compromising your security and privacy?

Okay, admit it, companies just can't keep people's data secure. Every day there is a new breach hitting the headlines. Capital One, British Airways, Equifax, Marriott Hotels, Mongo, Twitter, the list goes on. Some breaches should never happen and are preventable mistakes; others result from more elaborate, targeted attacks that are very difficult to defend against.

However hard they try, it is challenging for businesses to secure data in this highly complex and fast-moving digital world of innovation, threats and weaknesses. Millions are spent on the latest and greatest protective technology, and millions of security professionals are employed just to protect our data, but the hard truth is that they can't. The technology has become so complex and changes so quickly that even more technology is required just to manage the current state. For example, Artificial Intelligence (AI) based security is being employed to secure data, while AI itself introduces an even more complex set of risks to manage.

So, what can organisations that use our personal data, and we as data subjects, do about it?

Firstly, companies processing data really need to ask: why are we collecting this data? Do we really need it, or are we collecting it for the sake of collection, a fishing exercise to scoop up as much data as we can? Secondly, are we collecting the right data for the purpose? Thirdly, is the data we collect, and the way we use it, putting the individual, consumer or customer at risk?

What data companies collect, and how they collect it, needs to change. Despite regulations like the GDPR, intended to safeguard individuals, companies have not really thought through how their data collection and processing puts their consumers at risk. Companies must ask themselves whether the data they are collecting is absolutely necessary. The idea behind the GDPR's data minimisation principle was exactly that, but companies must go beyond it: design processes and systems to work with as little data as possible and, once it is collected, decide how they protect both the data and the consumer. Some processes have existed forever and have not been re-evaluated even in the face of the GDPR.

Here is an example of how companies compromise consumer security. Companies ask you to set account secrets using questions like "what is your mother's maiden name?" and then expect you to enter an answer known only to you. Duh! They are actually compromising your security. This is such a bs question. Apart from you, a lot of people know your mother's maiden name. It is definitely not a secret. To start with: your mother, her parents, your father, his parents, your siblings, your extended family, her extended family... it is not really a secret, is it? Companies think they are clever by combining the question with another, like "what was the name of your secondary school?" Another really good secret. Apart from all your schoolmates, the teachers in the school also know this. These are supposed to be so secret that they are good enough to let you reset your forgotten password.

Of course, these secrets do not have to have real-world factual answers, but how many target users are security-savvy enough to know this? The companies never tell them. It does not have to be the mother's actual maiden name, unless you as the organisation are trying to harvest this personal data too. Why not tell the account creator that the answers do not have to be real, or ask them to set their own question and answer? Why do we even ask these personal-data-based questions? Is that not counter to the spirit of the GDPR? Have you ever seen a system that tells you the secret answers don't actually have to be real, i.e. it does not have to be your mother's actual name, your actual first school or the actual colour of your first car? I just don't get it: if it is a secret question, why ask questions whose answers are anything but?

These questions and answers are used across the internet on many websites, and once one site gets hacked the secrets are no longer secret. The same answers can be reused or replayed in attacks against other sites. They do not really provide additional security and may even weaken the security of the consumer. This is pure security theatre.

Why do they do it?

Companies do this because it used to be best practice at some point in time. The thing with security best practices is that they change: they become good practice and then shi££y practice. If you are still asking for such secrets, using the same format and process, and relying upon them to grant access to accounts, then it is rubbish.

Here is another example where companies are failing consumers. They want you to use secure, strong, complex passwords. Some clever ones even show you a real-time strength meter. Very good; however, a strong password that is reused, or has already been compromised in a breach, still compromises the user's security. How many sites ask the consumer whether this password has been used elsewhere and, if so, advise them not to reuse it? It doesn't take much, right? This no-cost advice could help and educate users to protect themselves.
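As an added example (not code from the article), here is how a sign-up form could give that no-cost advice: a compromised-password check that sends only the first five characters of the password's SHA-1 hash to a breach corpus (the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords), combined with the "have you used this elsewhere?" question. The range response is constructed sample data embedded below, so the code runs offline.

```python
import hashlib

# Constructed sample of a k-anonymity "range" response (the format used by
# the Pwned Passwords API): one line per leaked hash whose SHA-1 starts with
# the requested 5-hex-char prefix, as "<35-char suffix>:<count>".
# The first suffix under 5BAA6 is the genuine SHA-1 tail of "password";
# the second entry is made up for illustration.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
    ),
}


def range_lookup(prefix):
    """Stand-in for the network call: return the range text for a prefix."""
    return SAMPLE_RANGE_RESPONSES.get(prefix.upper(), "")


def breach_count(password, lookup=range_lookup):
    """Return how often the password appears in the breach corpus (0 if never).

    Only the first 5 hex characters of the SHA-1 hash are handed to the lookup,
    so the service never learns the password or even its full hash.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or "0")
    return 0


def signup_feedback(password, reused_elsewhere):
    """Build the plain-language advice the article argues sites should give.

    reused_elsewhere is the user's own answer to "have you used this
    password on another site?", the question the article says sites should ask.
    """
    n = breach_count(password)
    if n:
        return ("This password has appeared in known data breaches "
                f"{n:,} times; attackers try these first. Choose a different one.")
    if reused_elsewhere:
        return ("This password is not in known breaches, but reusing it means a "
                "breach at another site would unlock this account too. "
                "Use a unique password here.")
    return "Good: this password is unique and not in any known breach."
```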

Companies must step up to the plate and think not only about protecting themselves but their customers too. Unlike corporate users, average consumers do not have access to corporate security and privacy awareness training, and the only interaction they may have with security is when they log on to a corporate website as a customer or consumer. Companies are missing a trick here. This interaction can be used to educate, empower and build trust for the business. My bank sends me security alerts to read when I log on, but how often does the average user log on to internet banking and read every security notice? If they do, do they even understand it? Why not take every opportunity to educate the consumer?

Many companies put callers on hold and play boring music that is not remotely interesting to the listener. Would it not be more productive to use that time to educate the caller about security and privacy? Short messages on how users can protect themselves online, or how to avoid the latest fraud or scam, perhaps.

There is a lot companies can do to protect consumers' security and privacy. After all, it is truly a connected world. The fallout from hacks is no longer limited to the attacked or breached organisation. As consumers tend to reuse credentials, the same compromised credentials can be used to compromise your systems too. With the advent of IoT and the predicted proliferation of IoT devices into every household, protecting the average consumer will become even more critical to protecting corporate systems.

#Security and #Privacy by Design, #business #cybersecurity #Board #CxO, leadership
MOYN U.

Global Head of Cybersecurity Operations - A Highly Experienced Cyber Security, Data Protection, (GDPR, UKDPA), and Privacy Professional Helping Organisations Become Resilient & Compliant

5 years ago

Refreshing.

MOYN U.

Global Head of Cybersecurity Operations - A Highly Experienced Cyber Security, Data Protection, (GDPR, UKDPA), and Privacy Professional Helping Organisations Become Resilient & Compliant

5 years ago

More proof of what I was saying about businesses being unable to protect your data. Monzo had built a good reputation as a security-savvy bank, but even they have succumbed to a breach, and quite a significant one too. https://www.theguardian.com/business/2019/aug/05/monzo-urges-480000-customers-to-change-their-pin-numbers

Debbie Reynolds

The Data Diva | Data Privacy & Emerging Technologies Advisor | Technologist | Keynote Speaker | Helping Companies Make Data Privacy and Business Advantage | Advisor | Futurist | #1 Data Privacy Podcast Host | Polymath

5 years ago

Moyn Uddin CIPP-E CIPM CISSP CISM CISA CRISC ISO TOGAF Consumers have to be their own best advocates and educate themselves on data privacy and security. Paying the costs of a data breach may be much less than companies earn from selling personal data.
