Large tech and social media companies often share user data with other businesses for marketing purposes. In recent history, there have been many publicized breaches and other security incidents involving the personally identifiable information (PII) stored by these companies. This only creates a perfect storm for more breaches.
Enterprises that collect customers’ PII are seemingly not storing our data properly or with enough care. Despite these data privacy woes, most companies have managed to maintain the majority of their user bases — social media is as popular as ever. What is it going to take for users to say enough is enough? And for the enterprise responsible for protecting customers’ PII, should passwords be stored at all — even encrypted?
To gain a more solid understanding of these questions, I spoke with renowned security expert and the man behind “Catch Me If You Can,” Frank Abagnale.
The Dual-Edged Privacy Sword of Social Media
Abagnale said that with so many high-profile breaches over the last few years — and even some significant ones this March — it’s no wonder we’ve become desensitized.
“How many times have we received the post-breach email apologizing for the loss of data, along with a commitment to further enhance security and a free year’s worth of credit monitoring?” he asked.
However, this isn’t to say users don’t care about their privacy.
“They do,” Abagnale said, “but they fundamentally assume that the companies are always striving to stay ahead of the bad guys and that it’s a difficult, if not impossible, problem to solve.”
Because, let’s face it: How many of us fully grasp the challenges and intricacies of information security and data privacy? The lure of social media far exceeds our understanding of the laborious privacy policies we skim over before quickly clicking “Accept.” After all, while social media companies may lose users each time a privacy breach occurs, they manage to maintain the majority of their user bases despite the media uproar.
“In terms of the broader spectrum of social media companies,” Abagnale noted, “I think there’s historically been a general ignorance on the part of users when it comes to data collection and privacy.”
According to Abagnale, forfeiting privacy is a two-way street: “Isn’t it convenient that the ads served up to the user by the platform are contextual and relevant? How could they do that if they weren’t allowed to access individual user data? Many would argue that if the price for sharing details of your life in public is more targeted marketing, that’s a fair deal.”
The privacy trade-offs of using social media could be argued forever, and although it’s an intriguing narrative, we shouldn’t linger too long on the topic. Perhaps more critical is to explore the importance of protecting customers’ PII for the enterprise.
Whichever industry your organization does business in, you’re probably responsible for protecting customers’ PII in one way or another. The most pressing question, given the never-ending reports about breaches, could be this: How should the enterprise go about storing our private data?
Current Problems With Passwords and PII Storage
“There’s no doubt in my mind that the username and password is an outdated technology that has long since served its purpose,” said Abagnale. “User credentials remain the single biggest factor for security breaches, and our approach to deal with this has been to add more layers of complexity (one-time passcodes, knowledge-based questions) that have most users frustrated and resentful.”
For some time now, Abagnale has advised that we move toward a new paradigm that does away with passwords altogether.
“User experience will be enhanced, security will be enhanced and even calls to call centers about password resets will diminish,” he added. “What other technology from the 1960s has stayed the same except for passwords? The technology to go passwordless is already here, but not well-distributed yet.”
Strong Identity and Access Management Is Key
What’s most unfortunate for anyone responsible for security is that no matter how hard we try to enforce policy, most users simply reuse the same weak password across many sites and accounts. In these situations, two-factor or multifactor authentication and the use of a reputable password manager can help secure critical assets.
IBM experts also recommend the following password best practices for enterprises:
- Ensure all passwords contain at least 12 characters.
- Randomly generate all passwords (a password manager can be a big help here).
- Require all passwords to be secret and unique between sites and applications.
- Update passwords on a regular basis.
- Consider an external password audit to uncover and strengthen weak passwords.
For Abagnale, the current approach of using cryptographic keys on a user’s personal device to prove they are in possession of the keys for authentication can also be applied to protecting PII. There is a fundamental difference, however.
“Unlike authentication, which is typically used for logins, access to PII can be ongoing — it’s used for sales and marketing purposes throughout the user session — which means there’s going to be a performance and usability impact on the user to access the data,” he explained. “PII eventually will make its way to its rightful owners, the users. But we are still a way away from it.”
A Dynamic Shift Around Data Privacy
We hear about data breaches all the time, yet things don’t seem to change — if anything, it gets worse. There has got to be a catalyst for positive change; ultimately, our whole cybersecurity ecosystem could use a dramatic mindset shift (or kick in the butt) around data privacy and protecting it.
“I think it’s high time we had comprehensive regulation governing privacy and security,” said Abagnale. “We’re starting to see this with Europe’s GDPR and California’s digital privacy law. Michael Chertoff said it best when he claimed that passwords are the weakest link in cybersecurity. If we begin by removing passwords from the user’s experience, we will begin a new era of dynamic keys (versus static keys). That shift has begun, and I am a big proponent to seeing it in our lifetime.”