Important! Data security awareness


13 May 2013

People used to stash their cash in shoe boxes and jam jars and keep their passport in a kitchen drawer and private journals beneath their pillows. Jump to the present, and we keep our electronic money in the bank, our data in various databases, and our journal on social media. Simply locking the front and back doors before leaving the house is no longer enough to secure all this data.

Article from Objective 19, 2013

The reality is that we live in an information society: we need electronic access cards virtually wherever we go and we maintain any number of online accounts for shopping and participating in forums and social media. This means our personal data is stored in many different places, but unfortunately not all organisations treat this data conscientiously. And it’s not just consumers who are naïve in leaving a trail of personal data behind on Facebook, Google and other media; the government and private sector are sometimes also not sufficiently aware of the data security risks to which they are exposed. This may involve innocent incidents, such as when the 2011 Dutch government budget was leaked by hackers or when a government computer error caused Queen Beatrix’s traditional Christmas speech to be circulated a day earlier than planned in 2012 (a visitor to the Royal Family’s website changed the date in the URL). In public procurement processes for bridges and locks, that same government also posts the complete system architecture online, including IP addresses, for operational purposes. This data is publicly available for download, without users needing to meet any specific requirements. Companies that possess a large amount of personal data are often targeted by hackers. In 2012, for example, all LinkedIn users were forced to change their passwords after hackers had posted the passwords online (they presumably had access to the corresponding usernames as well).

Data proliferation

Although we are gradually becoming more aware of security issues, technology continues to advance at a rapid rate, and (wireless) network technologies facilitate links between systems and data that would not have been possible in the past. At home, we connect our mobile devices to the network, and companies and other organisations link their systems together to facilitate fast and easy data exchange. Each of these connections presents new opportunities to establish links and draw conclusions about issues such as health and safety.

In other words, sound data management is becoming increasingly important. But even before we answer the security question, we must wonder whether we really need all that data. From a security perspective, it is more prudent to generate as little data as possible, as you may have read in the vision article featured in issue 13 of Objective. The idea is that what isn’t there doesn’t need to be secured either. We therefore recommend that you only store data that is essential to business operations or to the system’s functionality.

Information is business

It’s not nearly as easy anymore as it once was to leave a minimal data footprint, since we live in an information age, in which nobody thinks twice about sharing data. Information and data also play a key role in the economy: for one, companies such as Google, Facebook and Twitter owe their existence and sources of revenue to data. Since their interests vary significantly from those of the public, they have a completely different interpretation of the phenomenon of data security as well. To them, data security is tantamount to ‘securing income’. Data is money, and money needs to be securely protected – so securely, in fact, that they believe they own the private pictures and revelations we post on our personal profiles. It’s all there in the small print when we first sign up for the account, and all social media users have consented to these terms.

Awareness

Consumers should become more aware of the risks associated with social media. We share our innermost thoughts and feelings on Twitter and Facebook, but many users forget to set their profile to private so that everything they post is visible to all, as ‘public’ (not surprisingly) is the default privacy setting on social media such as Facebook. You should be aware that anyone can see what you post: your colleagues, your boss, and your family, but also the crime gang that’s noted that you’re holidaying in the South of France right now, and the insurance company employee who sees you wearing those expensive sunglasses you recently claimed as lost. You need to realise that everything on the internet will remain available in search engines for centuries to come. While this is not a bad thing in itself, it is important that people become aware of it. Still, who would want to be confronted 10 years from now with tweets about the government that seem so innocuous today but that might be sensitive a decade hence?

Obligation versus choice

As consumers, we choose to entrust our private lives to corporations, and yet we’re all up in arms when the government introduces a mileage charge, public transport card or electronic patient file. Whereas the government imposes its decisions on us, we are free to choose whether we sign up for supermarket loyalty programmes or download certain apps to our phones. We don’t seem to realise that those loyalty cards and apps reveal a great deal of information about our personal lives. We care less about the long-term privacy risks we face than we do about the short-term benefits of a discount or a fun free game. That’s the nature of the human psyche: we make most decisions based on emotions, and companies are only too keen to exploit that.

Sound data management

While not all companies that collect data do so for the purpose of making a profit, they do use sensitive personal data in their business operations. These companies are exposed to data security risks and/or violations of the privacy laws. They create an amazing app or interactive system that allows them to gather (indirect) data from users, without realising that they’re in violation of privacy laws.

Reputational damage

Those who, in processing data, are not sufficiently aware of their vulnerability could end up making a wrong move and potentially suffer reputational damage in the process. In order to prevent such damage, they set extremely strict security requirements for any new design, sometimes even stricter than is required for the application in question. ‘We don’t want to make the news because some university professor and a couple of his students manage to hack our product in just one hour. Even though profits from such a hack are marginal, the reputational damage is huge.’

As a result, relatively simple products can nevertheless become quite expensive due to the detailed data security specifications. Remember that what’s at stake here is merely ‘image protection’, the costs of which might even outweigh the benefits. If we make the right technical decisions during the product design process, we can achieve the best possible price/security ratio.

Anything can be hacked

If you think that, after all these warnings, we’re going to come up with a neat solution, we’ll unfortunately have to disappoint you. The truth is that there is no universal solution, although there is a universal rule: ultimately, anything can be hacked (that is, with a great deal of patience and skill). A similar rule of thumb is: ‘Do it right or don’t do it at all.’ Being ‘somewhat secured’ is like being ‘a little bit pregnant’ – there’s no such thing.

Data security is an eternal scramble between hackers and cryptography experts. The latter always give recommendations based on the latest technologies, but no matter what systems or applications you choose, you know you’ll fall victim to a hacker attack again at some stage in the future. This is a real risk in the constantly changing world of connected electronics, in which products become obsolete in just a few years. That’s why it’s important to keep evaluating: is my security still adequate? Unfortunately, there are myriad examples of products that we would be well advised to get rid of for security reasons. The GSM, GPRS and DECT technologies, for example, present real security hazards.

Security is about changing your attitude

Developing a security strategy requires that you take a different approach to the ways in which systems may be abused. Our intuition tells us that people are inherently good, and while in a normal society that’s a good thing, making security decisions requires that you assume the opposite. Keep in mind that all it takes is one person with malicious intent. Identify risks by analysing weaknesses and deliberately choose to implement the measures that you’re forced to take in this day and age. Also, remember to review the risks and decisions again a few years down the line: technology changes constantly and today’s decisions will be outdated tomorrow. This requires an awareness of the risks facing us today, tomorrow and next year, both among consumers and in organisations.