Large tech and social media companies often share user data with other businesses for marketing purposes. In recent history, there have been many publicized breaches and other security incidents involving the personally identifiable information (PII) stored by these companies. Sharing that data so widely while failing to secure it only creates a perfect storm for more breaches.

Enterprises that collect customers’ PII are seemingly not storing our data properly or with enough care. Despite these data privacy woes, most companies have managed to maintain the majority of their user bases — social media is as popular as ever. What is it going to take for users to say enough is enough? And for the enterprise responsible for protecting customers’ PII, should passwords be stored at all — even encrypted?

To gain a more solid understanding of these questions, I spoke with renowned security expert and the man behind “Catch Me If You Can,” Frank Abagnale.

The Dual-Edged Privacy Sword of Social Media

Abagnale said that with so many high-profile breaches over the last few years — and even some significant ones this March — it’s no wonder we’ve become desensitized.

“How many times have we received the post-breach email apologizing for the loss of data, along with a commitment to further enhance security and a free year’s worth of credit monitoring?” he asked.

However, this isn’t to say users don’t care about their privacy.

“They do,” Abagnale said, “but they fundamentally assume that the companies are always striving to stay ahead of the bad guys and that it’s a difficult, if not impossible, problem to solve.”

Because, let’s face it: How many of us fully grasp the challenges and intricacies of information security and data privacy? The lure of social media far exceeds our understanding of the laborious privacy policies we skim over before quickly clicking “Accept.” After all, while social media companies may lose users each time a privacy breach occurs, they manage to maintain the majority of their user bases despite the media uproar.

“In terms of the broader spectrum of social media companies,” Abagnale noted, “I think there’s historically been a general ignorance on the part of users when it comes to data collection and privacy.”

According to Abagnale, forfeiting privacy is a two-way street: “Isn’t it convenient that the ads served up to the user by the platform are contextual and relevant? How could they do that if they weren’t allowed to access individual user data? Many would argue that if the price for sharing details of your life in public is more targeted marketing, that’s a fair deal.”

The privacy trade-offs of using social media could be argued forever, and although it’s an intriguing narrative, we shouldn’t linger too long on the topic. Perhaps more critical is to explore the importance of protecting customers’ PII for the enterprise.

Whichever industry your organization does business in, you’re probably responsible for protecting customers’ PII in one way or another. The most pressing question, given the never-ending reports about breaches, could be this: How should the enterprise go about storing our private data?

Current Problems With Passwords and PII Storage

“There’s no doubt in my mind that the username and password is an outdated technology that has long since served its purpose,” said Abagnale. “User credentials remain the single biggest factor for security breaches, and our approach to deal with this has been to add more layers of complexity (one-time passcodes, knowledge-based questions) that have most users frustrated and resentful.”

For some time now, Abagnale has advised that we move toward a new paradigm that does away with passwords altogether.

“User experience will be enhanced, security will be enhanced and even calls to call centers about password resets will diminish,” he added. “What other technology from the 1960s has stayed the same except for passwords? The technology to go passwordless is already here, but not well-distributed yet.”

Strong Identity and Access Management Is Key

What’s most unfortunate for anyone responsible for security is that no matter how hard we try to enforce policy, most users simply reuse the same weak password across many sites and accounts. In these situations, two-factor or multifactor authentication and the use of a reputable password manager can help secure critical assets.

IBM experts also recommend the following password best practices for enterprises:

  • Ensure all passwords contain at least 12 characters.
  • Randomly generate all passwords (a password manager can be a big help here).
  • Require all passwords to be secret and unique between sites and applications.
  • Update passwords on a regular basis.
  • Consider an external password audit to uncover and strengthen weak passwords.

For Abagnale, the current approach to authentication, in which cryptographic keys held on a user’s personal device prove that the user is in possession of those keys, can also be applied to protecting PII. There is a fundamental difference, however.

“Unlike authentication, which is typically used for logins, access to PII can be ongoing — it’s used for sales and marketing purposes throughout the user session — which means there’s going to be a performance and usability impact on the user to access the data,” he explained. “PII eventually will make its way to its rightful owners, the users. But we are still a way away from it.”
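As an added illustration of the possession-based, passwordless login Abagnale describes (example code written for this discussion, not from Abagnale, IBM or any named product), the following Go program sketches a challenge-response login: the server stores only a public key and issues a fresh random nonce per attempt, so no static password is ever stored or transmitted. The user name and the in-memory server are constructed assumptions.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server stores only each user's public key plus the nonce it last issued;
// no password or password hash exists to be stolen in a breach.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}
// Register records the public key the user's device generated at enrollment.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }
// Challenge issues a fresh 32-byte random nonce for a single login attempt.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.challenges[user] = nonce
	return nonce
}
// Verify accepts a signature over the outstanding nonce and then discards it,
// so a signature captured in transit cannot be replayed for a second login.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, known := s.pubKeys[user]
	want, pending := s.challenges[user]
	if !known || !pending || !bytes.Equal(want, nonce) {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, nonce, sig)
}
func main() {
	// The device side: the private key never leaves the user's device.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer()
	srv.Register("alice", pub) // constructed sample user
	nonce := srv.Challenge("alice")
	sig := ed25519.Sign(priv, nonce) // proof of possession of the key
	fmt.Println("login ok:", srv.Verify("alice", nonce, sig))
	fmt.Println("replay ok:", srv.Verify("alice", nonce, sig)) // false
}
```

Each login uses a new nonce, which is the "dynamic key" contrast with a static password that Abagnale draws later in the piece.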

A Dynamic Shift Around Data Privacy

We hear about data breaches all the time, yet things don’t seem to change — if anything, they get worse. There has got to be a catalyst for positive change; ultimately, our whole cybersecurity ecosystem could use a dramatic mindset shift (or kick in the butt) around data privacy and protecting it.

“I think it’s high time we had comprehensive regulation governing privacy and security,” said Abagnale. “We’re starting to see this with Europe’s GDPR and California’s digital privacy law. Michael Chertoff said it best when he claimed that passwords are the weakest link in cybersecurity. If we begin by removing passwords from the user’s experience, we will begin a new era of dynamic keys (versus static keys). That shift has begun, and I am a big proponent to seeing it in our lifetime.”
