Large tech and social media companies often share user data with other businesses for marketing purposes. In recent years there have been many publicized breaches and other security incidents involving the personally identifiable information (PII) these companies store. Widespread sharing combined with careless storage creates a perfect storm for more breaches.

Enterprises that collect customers’ PII are seemingly not storing our data properly or with enough care. Despite these data privacy woes, most companies have managed to maintain the majority of their user bases — social media is as popular as ever. What is it going to take for users to say enough is enough? And for the enterprise responsible for protecting customers’ PII, should passwords be stored at all — even encrypted?

To gain a more solid understanding of these questions, I spoke with renowned security expert and the man behind “Catch Me If You Can,” Frank Abagnale.

The Dual-Edged Privacy Sword of Social Media

Abagnale said that with so many high-profile breaches over the last few years — and even some significant ones this March — it’s no wonder we’ve become desensitized.

“How many times have we received the post-breach email apologizing for the loss of data, along with a commitment to further enhance security and a free year’s worth of credit monitoring?” he asked.

However, this isn’t to say users don’t care about their privacy.

“They do,” Abagnale said, “but they fundamentally assume that the companies are always striving to stay ahead of the bad guys and that it’s a difficult, if not impossible, problem to solve.”

Because, let’s face it: How many of us fully grasp the challenges and intricacies of information security and data privacy? The lure of social media far exceeds our understanding of the laborious privacy policies we skim over before quickly clicking “Accept.” After all, while social media companies may lose users each time a privacy breach occurs, they manage to maintain the majority of their user bases despite the media uproar.

“In terms of the broader spectrum of social media companies,” Abagnale noted, “I think there’s historically been a general ignorance on the part of users when it comes to data collection and privacy.”

According to Abagnale, forfeiting privacy is a two-way street: “Isn’t it convenient that the ads served up to the user by the platform are contextual and relevant? How could they do that if they weren’t allowed to access individual user data? Many would argue that if the price for sharing details of your life in public is more targeted marketing, that’s a fair deal.”

The privacy trade-offs of using social media could be argued forever, and although it’s an intriguing narrative, we shouldn’t linger too long on the topic. Perhaps more critical is to explore the importance of protecting customers’ PII for the enterprise.

Whichever industry your organization does business in, you’re probably responsible for protecting customers’ PII in one way or another. The most pressing question, given the never-ending reports about breaches, could be this: How should the enterprise go about storing our private data?

Current Problems With Passwords and PII Storage

“There’s no doubt in my mind that the username and password is an outdated technology that has long since served its purpose,” said Abagnale. “User credentials remain the single biggest factor for security breaches, and our approach to dealing with this has been to add more layers of complexity (one-time passcodes, knowledge-based questions) that have most users frustrated and resentful.”

For some time now, Abagnale has advised that we move toward a new paradigm that does away with passwords altogether.

“User experience will be enhanced, security will be enhanced and even calls to call centers about password resets will diminish,” he added. “What other technology from the 1960s has stayed the same except for passwords? The technology to go passwordless is already here, but not well-distributed yet.”

Strong Identity and Access Management Is Key

What’s most unfortunate for anyone responsible for security is that no matter how hard we try to enforce policy, most users simply reuse the same weak password across many sites and accounts. In these situations, two-factor or multifactor authentication and the use of a reputable password manager can help secure critical assets.

IBM experts also recommend the following password best practices for enterprises:

  • Ensure all passwords contain at least 12 characters.
  • Randomly generate all passwords (a password manager can be a big help here).
  • Require all passwords to be secret and unique between sites and applications.
  • Update passwords on a regular basis.
  • Consider an external password audit to uncover and strengthen weak passwords.

For Abagnale, the approach now used for authentication, in which cryptographic keys held on a user’s personal device prove that the user possesses those keys, can also be applied to protecting PII. There is a fundamental difference, however.

“Unlike authentication, which is typically used for logins, access to PII can be ongoing — it’s used for sales and marketing purposes throughout the user session — which means there’s going to be a performance and usability impact on the user to access the data,” he explained. “PII eventually will make its way to its rightful owners, the users. But we are still a way away from it.”
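The device-held-key authentication Abagnale contrasts with passwords, as an added example that is not from the article or from any product it names: the server enrolls only a public key and issues a single-use random challenge, the device signs it with an Ed25519 private key that never leaves the device, and the server retires the challenge after one use. The protocol shape (enroll, challenge, answer, verify) and all names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device holds the private key, which never leaves the user's device.
type Device struct{ priv ed25519.PrivateKey }
// Server keeps only public keys plus the single-use challenges it has issued.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}
func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
// Enroll generates a key pair on the device and registers only the public half.
func Enroll(s *Server, user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &Device{priv: priv}, nil
}
// Challenge issues a fresh random nonce that the device must sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}
// Answer proves possession of the private key without ever sending it.
func (d *Device) Answer(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }
// Verify accepts a signature only over the outstanding challenge, then retires it.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.pubKeys[user]
	want, seen := s.pending[user]
	if !ok || !seen || !bytes.Equal(want, challenge) {
		return errors.New("unknown user or stale challenge")
	}
	delete(s.pending, user) // single use: a replayed answer fails here
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not match enrolled key")
	}
	return nil
}
```

A breach of this server yields public keys and spent nonces, neither of which lets an attacker log in, which is the contrast with a stored password hash.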

A Dynamic Shift Around Data Privacy

We hear about data breaches all the time, yet things don’t seem to change — if anything, they get worse. There has got to be a catalyst for positive change; ultimately, our whole cybersecurity ecosystem could use a dramatic mindset shift (or kick in the butt) around data privacy and protecting it.

“I think it’s high time we had comprehensive regulation governing privacy and security,” said Abagnale. “We’re starting to see this with Europe’s GDPR and California’s digital privacy law. Michael Chertoff said it best when he claimed that passwords are the weakest link in cybersecurity. If we begin by removing passwords from the user’s experience, we will begin a new era of dynamic keys (versus static keys). That shift has begun, and I am a big proponent of seeing it in our lifetime.”
