Large tech and social media companies often share user data with other businesses for marketing purposes. In recent history, there have been many publicized breaches and other security incidents involving the personally identifiable information (PII) stored by these companies. This only creates a perfect storm for more breaches.

Enterprises that collect customers’ PII are seemingly not storing our data properly or with enough care. Despite these data privacy woes, most companies have managed to maintain the majority of their user bases — social media is as popular as ever. What is it going to take for users to say enough is enough? And for the enterprise responsible for protecting customers’ PII, should passwords be stored at all — even encrypted?

To gain a more solid understanding of these questions, I spoke with renowned security expert and the man behind “Catch Me If You Can,” Frank Abagnale.

The Dual-Edged Privacy Sword of Social Media

Abagnale said that with so many high-profile breaches over the last few years — and even some significant ones this March — it’s no wonder we’ve become desensitized.

“How many times have we received the post-breach email apologizing for the loss of data, along with a commitment to further enhance security and a free year’s worth of credit monitoring?” he asked.

However, this isn’t to say users don’t care about their privacy.

“They do,” Abagnale said, “but they fundamentally assume that the companies are always striving to stay ahead of the bad guys and that it’s a difficult, if not impossible, problem to solve.”

Because, let’s face it: How many of us fully grasp the challenges and intricacies of information security and data privacy? The lure of social media far exceeds our understanding of the laborious privacy policies we skim over before quickly clicking “Accept.” After all, while social media companies may lose users each time a privacy breach occurs, they manage to maintain the majority of their user bases despite the media uproar.

“In terms of the broader spectrum of social media companies,” Abagnale noted, “I think there’s historically been a general ignorance on the part of users when it comes to data collection and privacy.”

According to Abagnale, forfeiting privacy is a two-way street: “Isn’t it convenient that the ads served up to the user by the platform are contextual and relevant? How could they do that if they weren’t allowed to access individual user data? Many would argue that if the price for sharing details of your life in public is more targeted marketing, that’s a fair deal.”

The privacy trade-offs of using social media could be argued forever, and although it’s an intriguing narrative, we shouldn’t linger too long on the topic. Perhaps more critical is to explore the importance of protecting customers’ PII for the enterprise.

Whichever industry your organization does business in, you’re probably responsible for protecting customers’ PII in one way or another. The most pressing question, given the never-ending reports about breaches, could be this: How should the enterprise go about storing our private data?

Current Problems With Passwords and PII Storage

“There’s no doubt in my mind that the username and password is an outdated technology that has long since served its purpose,” said Abagnale. “User credentials remain the single biggest factor for security breaches, and our approach to deal with this has been to add more layers of complexity (one-time passcodes, knowledge-based questions) that have most users frustrated and resentful.”

For some time now, Abagnale has advised that we move toward a new paradigm that does away with passwords altogether.

“User experience will be enhanced, security will be enhanced and even calls to call centers about password resets will diminish,” he added. “What other technology from the 1960s has stayed the same except for passwords? The technology to go passwordless is already here, but not well-distributed yet.”

Strong Identity and Access Management Is Key

What’s most unfortunate for anyone responsible for security is that no matter how hard we try to enforce policy, most users simply reuse the same weak password across many sites and accounts. In these situations, two-factor or multifactor authentication and the use of a reputable password manager can help secure critical assets.

IBM experts also recommend the following password best practices for enterprises:

  • Ensure all passwords contain at least 12 characters.
  • Randomly generate all passwords (a password manager can be a big help here).
  • Require all passwords to be secret and unique between sites and applications.
  • Update passwords on a regular basis.
  • Consider an external password audit to uncover and strengthen weak passwords.
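As an added illustration of the checklist above (example code written for this page, not IBM's tooling), the Go program below generates passwords from the OS CSPRNG and audits a constructed sample vault for three of the listed items: the 12-character minimum, reuse of the same password across sites, and passwords not rotated within a maximum age. The `Credential` record shape, the site names and the sample passwords are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Credential is an assumed record shape, as a password manager export or an
// audit tool might hold it; the values used in main are constructed samples.
type Credential struct {
	Site     string
	Password string
	Rotated  time.Time // when the password was last changed
}

// minLength follows the 12-character minimum from the checklist.
const minLength = 12

// alphabet is the character set GeneratePassword draws from.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}:;,.?"

// GeneratePassword draws n characters uniformly from alphabet using the OS
// CSPRNG via crypto/rand (never math/rand). rand.Int rejection-samples, so no
// character is favoured; lengths below minLength are refused.
func GeneratePassword(n int) (string, error) {
	if n < minLength {
		return "", fmt.Errorf("length %d is below the %d-character minimum", n, minLength)
	}
	out := make([]byte, n)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// fingerprint hashes a password so reuse can be detected without keeping
// plaintext in the audit's lookup table.
func fingerprint(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// AuditCredentials applies three checklist items: minimum length, uniqueness
// across sites, and rotation within maxAge. Findings are keyed by site; a site
// with nothing to report is absent from the result.
func AuditCredentials(creds []Credential, now time.Time, maxAge time.Duration) map[string][]string {
	findings := map[string][]string{}
	add := func(site, msg string) { findings[site] = append(findings[site], msg) }
	firstSeen := map[string]string{} // fingerprint -> first site using that password

	for _, c := range creds {
		if len([]rune(c.Password)) < minLength {
			add(c.Site, fmt.Sprintf("shorter than %d characters", minLength))
		}
		fp := fingerprint(c.Password)
		if other, ok := firstSeen[fp]; ok {
			add(c.Site, "reused from "+other)
			add(other, "reused on "+c.Site)
		} else {
			firstSeen[fp] = c.Site
		}
		if now.Sub(c.Rotated) > maxAge {
			add(c.Site, "not rotated within "+maxAge.String())
		}
	}
	return findings
}

func main() {
	now := time.Now()
	// Constructed sample vault: one password reused on two sites, one short and stale.
	vault := []Credential{
		{Site: "mail.example", Password: "correct-horse-battery", Rotated: now.AddDate(0, -1, 0)},
		{Site: "shop.example", Password: "correct-horse-battery", Rotated: now.AddDate(0, -2, 0)},
		{Site: "bank.example", Password: "short1", Rotated: now.AddDate(-2, 0, 0)},
	}
	for site, issues := range AuditCredentials(vault, now, 365*24*time.Hour) {
		fmt.Printf("%s: %v\n", site, issues)
	}
	pw, err := GeneratePassword(16)
	if err != nil {
		panic(err)
	}
	fmt.Println("replacement candidate:", pw)
}
```

The audit compares SHA-256 fingerprints rather than the passwords themselves only to keep plaintext out of the lookup table; it is not how a server should store passwords, and the length check counts runes so non-ASCII passwords are not penalised.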

For Abagnale, the passwordless approach already in use for authentication, in which a user proves possession of cryptographic keys held on their personal device, can also be applied to protecting PII. There is a fundamental difference, however.

“Unlike authentication, which is typically used for logins, access to PII can be ongoing — it’s used for sales and marketing purposes throughout the user session — which means there’s going to be a performance and usability impact on the user to access the data,” he explained. “PII eventually will make its way to its rightful owners, the users. But we are still a way away from it.”
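To make the device-held-key model concrete, here is an added, simplified challenge-response login in Go (example code for this page, not Abagnale's or IBM's). The server enrols only the device's Ed25519 public key; at login it issues a fresh random challenge, the device signs it with a private key that never leaves the device, and the server verifies the signature and discards the challenge so a captured response cannot be replayed. The user name, the `signContext` prefix and the in-memory maps are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// signContext is prepended to every challenge before signing so a signature
// produced for login cannot be mistaken for a signature over another message.
const signContext = "login-challenge-v1:"

// Device holds the private key, which never leaves the device.
type Device struct{ priv ed25519.PrivateKey }

// Server keeps only public keys and the challenges it has outstanding.
type Server struct {
	pubs    map[string]ed25519.PublicKey // user -> enrolled public key
	pending map[string][]byte            // user -> challenge awaiting a response
}

// NewDevice generates a key pair; only the public key is handed out for enrolment.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

func NewServer() *Server {
	return &Server{pubs: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll stores the device's public key; nothing secret is held server-side.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubs[user] = pub }

// Challenge issues a fresh 32-byte random nonce for the user's device to sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubs[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Respond proves possession of the private key by signing the challenge.
func (d *Device) Respond(challenge []byte) []byte {
	return ed25519.Sign(d.priv, append([]byte(signContext), challenge...))
}

// Verify checks the signature against the enrolled key. The challenge is
// consumed on first use, so a replayed response fails.
func (s *Server) Verify(user string, sig []byte) bool {
	c, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(s.pubs[user], append([]byte(signContext), c...), sig)
}

func main() {
	dev, pub, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enroll("alice", pub)
	ch, _ := srv.Challenge("alice")
	fmt.Println("login accepted:", srv.Verify("alice", dev.Respond(ch)))
	fmt.Println("replay accepted:", srv.Verify("alice", dev.Respond(ch)))
}
```

A breach of this server exposes public keys and spent nonces, nothing that lets an attacker log in elsewhere, which is the property Abagnale contrasts with stored credentials. Production protocols such as FIDO2 add origin binding and signature counters on top of this basic exchange.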

A Dynamic Shift Around Data Privacy

We hear about data breaches all the time, yet things don’t seem to change — if anything, they get worse. There has got to be a catalyst for positive change; ultimately, our whole cybersecurity ecosystem could use a dramatic mindset shift (or kick in the butt) around data privacy and how we protect it.

“I think it’s high time we had comprehensive regulation governing privacy and security,” said Abagnale. “We’re starting to see this with Europe’s GDPR and California’s digital privacy law. Michael Chertoff said it best when he claimed that passwords are the weakest link in cybersecurity. If we begin by removing passwords from the user’s experience, we will begin a new era of dynamic keys (versus static keys). That shift has begun, and I am a big proponent of seeing it in our lifetime.”
