There’s been much talk about online privacy, and clearly many companies go out of their way to protect the privacy of customers and employees. In some industries, such as healthcare, organizations are mandated by government regulations to protect the privacy of data (for example, patient records).
But in today’s Internet-crazed society, where we spend so much time online and so much time sharing information online—whether it’s social media, chat rooms or other online communities—how much privacy can we really expect to have? For that matter, have we come to view invasions of online privacy as “something that’s just going to happen” no matter what precautions we take?
And more to the point, from an information security standpoint, how much of an impact can the availability of personal information on the Web have on organizations’ ability to protect networks, applications and data?
Before we explore that aspect, let’s take a look at some recent industry research on the topic of privacy.
A survey by Pew Research released in May finds that while Americans in general feel that privacy is important in their daily lives in a number of ways, they “have a pervasive sense that they are under surveillance when in public and very few feel they have a great deal of control over the data that is collected about them and how it is used.”
The findings show that Americans have exceedingly low levels of confidence in the privacy and security of the records that are maintained by a variety of institutions in the digital age, Pew says. And while some people have taken modest steps to stem the tide of data collection, the report says, few have adopted advanced privacy-enhancing measures.
According to the Pew survey of 461 adults conducted in early 2015, a huge majority of respondents (93%) say that being in control of who can get information about them is important. Many (90%) say that controlling what information is collected about them is important.
But at the same time, Pew says, people also value having the ability to share confidential matters with another trusted person, with 93% of respondents saying this ability is important to them.
Online service providers are among the least trusted entities when it comes to keeping information private and secure, according to the Pew research. When asked about search engine providers, online video sites, social media sites and online advertisers, most respondents were “not too confident” or “not at all confident” that these entities could protect their data.
Only a small minority of Americans say they have “a lot” of control over their personal data collection and its use. Earlier research from Pew shows that across six different methods of communication, there’s not one mode through which a majority of the American public feels “very secure” when sharing private information with another trusted person or organization. Those surveyed view social media sites as the least secure channel to communicate private information to another trusted person or organization.
So how can a loss of privacy tie into corporate security? Sometimes, it has nothing to do with any organization taking away privacy, but with users giving up their own privacy for the sake of convenience or to be more involved online. When we share information about ourselves, we expose that information to anyone who takes the time to find it online.
For example, if you sign up for an Internet classmates site, there’s a good chance the name of your elementary school will show up in a Google search of your name along with “elementary school.” In itself this poses no problem. But what if one of the “security questions” for access to an account is “What was the name of your first school?” A hacker could easily track down this and other information that might provide an easy way to get around security checks.
A recent study by Google states that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. “That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both,” the report says.
Aside from security questions, there are other ways the lack of privacy can hinder security, such as the sharing of too much information on social media sites that could provide fodder for an attacker.
Obviously, corporate security executives cannot control everything that employees put out on the Internet, or everything that other organizations post. There will probably always be some friction between usability (which often sacrifices privacy) and security.
From a security perspective, every detail about anything and anyone should be closely held. But that creates friction when weighed against usability.
It should be obvious that security managers need to educate end users to be more cautious about sharing information, and to use common sense. The question is how they get the message across without taking away users’ rights to be active online.
It’s something to think about, as the Internet continues to change the way information is made available to virtually anyone who wants it.