Large tech and social media companies often share user data with other businesses for marketing purposes. In recent years there have been many publicized breaches and other security incidents involving the personally identifiable information (PII) these companies store. Every additional copy of that data is another place it can leak from, which only creates a perfect storm for more breaches.

Enterprises that collect customers' PII are seemingly not storing our data properly or with enough care. Despite these data privacy woes, most companies have managed to hold on to the majority of their user bases; social media is as popular as ever. What is it going to take for users to say enough is enough? And for the enterprise responsible for protecting customers' PII, should passwords be stored at all, even encrypted? (Encryption is the wrong tool here in any case: an encrypted password can be decrypted by whoever obtains the key, so the established practice is to store only a salted, deliberately slow password hash, from which the password itself cannot be recovered.)

To gain a more solid understanding of these questions, I spoke with renowned security expert and the man behind “Catch Me If You Can,” Frank Abagnale.

The Dual-Edged Privacy Sword of Social Media

Abagnale said that with so many high-profile breaches over the last few years — and even some significant ones this March — it’s no wonder we’ve become desensitized.

“How many times have we received the post-breach email apologizing for the loss of data, along with a commitment to further enhance security and a free year’s worth of credit monitoring?” he asked.

However, this isn’t to say users don’t care about their privacy.

“They do,” Abagnale said, “but they fundamentally assume that the companies are always striving to stay ahead of the bad guys and that it’s a difficult, if not impossible, problem to solve.”

Because, let’s face it: How many of us fully grasp the challenges and intricacies of information security and data privacy? The lure of social media far exceeds our understanding of the laborious privacy policies we skim over before quickly clicking “Accept.” After all, while social media companies may lose users each time a privacy breach occurs, they manage to maintain the majority of their user bases despite the media uproar.

“In terms of the broader spectrum of social media companies,” Abagnale noted, “I think there’s historically been a general ignorance on the part of users when it comes to data collection and privacy.”

According to Abagnale, forfeiting privacy is a two-way street: “Isn’t it convenient that the ads served up to the user by the platform are contextual and relevant? How could they do that if they weren’t allowed to access individual user data? Many would argue that if the price for sharing details of your life in public is more targeted marketing, that’s a fair deal.”

The privacy trade-offs of using social media could be argued forever, and although it’s an intriguing narrative, we shouldn’t linger too long on the topic. Perhaps more critical is to explore the importance of protecting customers’ PII for the enterprise.

Whichever industry your organization does business in, you’re probably responsible for protecting customers’ PII in one way or another. The most pressing question, given the never-ending reports about breaches, could be this: How should the enterprise go about storing our private data?

Current Problems With Passwords and PII Storage

“There’s no doubt in my mind that the username and password is an outdated technology that has long since served its purpose,” said Abagnale. “User credentials remain the single biggest factor for security breaches, and our approach to deal with this has been to add more layers of complexity (one-time passcodes, knowledge-based questions) that have most users frustrated and resentful.”

For some time now, Abagnale has advised that we move toward a new paradigm that does away with passwords altogether.

“User experience will be enhanced, security will be enhanced and even calls to call centers about password resets will diminish,” he added. “What other technology from the 1960s has stayed the same except for passwords? The technology to go passwordless is already here, but not well-distributed yet.”

Strong Identity and Access Management Is Key

What's most unfortunate for anyone responsible for security is that no matter how hard we try to enforce policy, most users simply reuse the same weak password across many sites and accounts, so a breach of one site becomes a credential-stuffing attack on every other. In these situations, multifactor authentication (MFA) and the use of a reputable password manager can limit the damage a reused or phished password can do to critical assets.

IBM experts also recommend the following password best practices for enterprises:

  • Ensure all passwords contain at least 12 characters.
  • Randomly generate all passwords (a password manager can be a big help here).
  • Require all passwords to be secret and unique between sites and applications.
  • Rotate passwords when there is evidence or suspicion of compromise; NIST SP 800-63B no longer recommends forcing periodic changes, which in practice produce predictable variations of the old password.
  • Consider an external password audit to uncover and strengthen weak passwords.
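The storage question raised at the start of this piece and the audit item in the list above can be shown together in code. The following is an added example, not code from the original article or from IBM; it uses only the Python standard library. The scrypt cost parameters, the sample account store and the "weak password" candidate list are constructed for the demonstration and are not taken from any real breach corpus.

```python
"""Salted, slow password hashing plus an offline weak-password audit.

Added example (not from the original article). Standard library only:
hashlib.scrypt for the slow hash, secrets for randomness, hmac for
constant-time comparison.
"""
import hashlib
import hmac
import secrets

# Illustrative scrypt cost parameters (assumed; tune to your hardware so one
# hash costs tens of milliseconds on the server). 2**14 * 8 * 128 = 16 MiB RAM.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record "scrypt$N$r$p$salt_hex$hash_hex".

    A fresh random salt per user means identical passwords produce different
    records, so a precomputed table is useless against a stolen dump, and the
    parameters travel with the record so they can be raised later.
    """
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record, compare in constant time."""
    algo, n, r, p, salt_hex, hash_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record format")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG, as a password manager would generate."""
    alphabet = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "0123456789!@#$%^&*-_")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_weak_passwords(records: dict, candidates: list) -> dict:
    """Offline audit of a password store against a list of known-weak candidates.

    Returns {username: matched_candidate}. Because every record carries its
    own salt, each candidate must be re-hashed per user; that per-guess cost
    is exactly what slows an attacker who steals the same table.
    """
    findings = {}
    for user, record in records.items():
        for cand in candidates:
            if verify_password(cand, record):
                findings[user] = cand
                break
    return findings


# Constructed sample store: two users chose the same weak password, one used a
# generated one. The two weak records still differ because the salts differ.
SAMPLE_STORE = {
    "alice": hash_password("Password123!"),
    "bob": hash_password("Password123!"),
    "carol": hash_password(generate_password()),
}

# Constructed candidate list standing in for a breached-password corpus.
WEAK_CANDIDATES = ["123456", "password", "Password123!", "qwerty"]

if __name__ == "__main__":
    print("alice record:", SAMPLE_STORE["alice"])
    print("login ok:", verify_password("Password123!", SAMPLE_STORE["alice"]))
    print("weak accounts:", audit_weak_passwords(SAMPLE_STORE, WEAK_CANDIDATES))
```

Note that the audit finds alice and bob even though their stored records look nothing alike: the salt defeats table lookups but not a per-user guess of a password that is on every attacker's list, which is why length and uniqueness matter more than any storage trick.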

For Abagnale, the approach now used for passwordless authentication, in which a cryptographic key pair lives on the user's personal device and the user proves possession of the private key by signing a challenge rather than presenting a shared secret, can also be applied to protecting PII. There is a fundamental difference, however.

“Unlike authentication, which is typically used for logins, access to PII can be ongoing — it’s used for sales and marketing purposes throughout the user session — which means there’s going to be a performance and usability impact on the user to access the data,” he explained. “PII eventually will make its way to its rightful owners, the users. But we are still a way away from it.”
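The possession-of-keys exchange Abagnale describes for logins, as an added example that is not part of the original article, of Abagnale's own work, or of any vendor's product. It assumes the third-party `cryptography` package is installed; `ORIGIN`, the user name and the `Device`/`Server` classes are illustrative names chosen here. The point to notice is what the server stores: only a public key and a one-time challenge, neither of which is a secret an attacker could replay after a database breach.

```python
"""Passwordless login as a challenge-response proof of key possession.

Added example (not from the original article). Requires the `cryptography`
package (assumed installed). The device keeps an Ed25519 private key and
never exports it; the server keeps only the matching public key.
"""
import hmac
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

ORIGIN = "https://example.test"  # assumed relying-party identifier


class Device:
    """User's personal device: generates and holds the private key."""

    def __init__(self):
        self._key = ed25519.Ed25519PrivateKey.generate()

    def public_key_bytes(self) -> bytes:
        """Raw 32-byte public key; this is all the server ever receives."""
        return self._key.public_key().public_bytes(
            serialization.Encoding.Raw, serialization.PublicFormat.Raw)

    def sign_challenge(self, origin: str, challenge: bytes) -> bytes:
        # The origin is bound into the signed message so a signature obtained
        # by a look-alike phishing site is worthless at the real one.
        return self._key.sign(origin.encode("utf-8") + b"|" + challenge)


class Server:
    """Relying party: stores public keys, issues single-use challenges."""

    def __init__(self, origin: str):
        self.origin = origin
        self.registered = {}  # username -> raw public key bytes
        self.pending = {}     # username -> outstanding challenge

    def register(self, user: str, pubkey_bytes: bytes) -> None:
        self.registered[user] = pubkey_bytes

    def new_challenge(self, user: str) -> bytes:
        challenge = os.urandom(32)   # fresh randomness per login attempt
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, challenge: bytes, signature: bytes) -> bool:
        expected = self.pending.pop(user, None)  # consumed: single use
        pub_bytes = self.registered.get(user)
        if expected is None or pub_bytes is None:
            return False
        if not hmac.compare_digest(expected, challenge):
            return False
        pub = ed25519.Ed25519PublicKey.from_public_bytes(pub_bytes)
        try:
            pub.verify(signature, self.origin.encode("utf-8") + b"|" + challenge)
            return True
        except InvalidSignature:
            return False


def run_exchange() -> dict:
    """Play out an honest login and three attacks; return each outcome."""
    device = Device()
    server = Server(ORIGIN)
    server.register("alice", device.public_key_bytes())
    results = {}

    # 1. Honest login: fresh challenge, signed by the registered device.
    ch = server.new_challenge("alice")
    sig = device.sign_challenge(ORIGIN, ch)
    results["honest"] = server.verify("alice", ch, sig)

    # 2. Replay: the captured (challenge, signature) pair is sent again.
    results["replay"] = server.verify("alice", ch, sig)

    # 3. Phishing: the device signed for a look-alike origin, attacker relays it.
    ch = server.new_challenge("alice")
    sig = device.sign_challenge("https://examp1e.test", ch)
    results["wrong_origin"] = server.verify("alice", ch, sig)

    # 4. Stolen server database: attacker holds alice's public key, not her private key.
    impostor = Device()
    ch = server.new_challenge("alice")
    sig = impostor.sign_challenge(ORIGIN, ch)
    results["other_device"] = server.verify("alice", ch, sig)
    return results


if __name__ == "__main__":
    for scenario, ok in run_exchange().items():
        print(f"{scenario:>13}: {'accepted' if ok else 'rejected'}")
```

Contrast this with the password store: there, a stolen table can be attacked offline one guess at a time; here, a stolen table of public keys gives the attacker nothing to guess at, and every login uses a different challenge, so nothing observed on the wire is reusable.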

A Dynamic Shift Around Data Privacy

We hear about data breaches all the time, yet things don’t seem to change — if anything, it gets worse. There has got to be a catalyst for positive change; ultimately, our whole cybersecurity ecosystem could use a dramatic mindset shift (or kick in the butt) around data privacy and protecting it.

“I think it’s high time we had comprehensive regulation governing privacy and security,” said Abagnale. “We’re starting to see this with Europe’s GDPR and California’s digital privacy law. Michael Chertoff said it best when he claimed that passwords are the weakest link in cybersecurity. If we begin by removing passwords from the user’s experience, we will begin a new era of dynamic keys (versus static keys). That shift has begun, and I am a big proponent to seeing it in our lifetime.”
