Personal data protection today: We should demand more

The growing number of cybersecurity incidents reported each year – and the fact that many attacks remain unreported for security and PR reasons – can leave even the most experienced security professionals worrying about threats to user data and privacy. And while the abundance of security solutions offered today can be somewhat reassuring, it also makes online security more confusing for IT personnel and end-users alike.

Ask any experienced CISO and they will admit: a massive corporate data breach is their worst nightmare.

From Marriott to (on more than one occasion) Facebook, the biggest data breaches in 2019 were the result of careless handling of customer data. Unlike the types of stealthy and sophisticated attacks that allow hackers to break through security systems and run off with valuable data, most of last year’s attacks were due to misconfigured cloud servers and other improperly configured systems.

The silver lining is not enough

IBM’s 2019 Cost of a Data Breach Report found that data breaches on average cost organizations $3.92 million per incident. Additionally, breaches typically cause immeasurable damage to brand reputation and customer confidence.

We can take some comfort in the fines levied by regulators and the tremendous costs incurred by the offenders. For example: British Airways was fined $230 million by the UK’s Information Commissioner’s Office (ICO) after hackers stole customer data last year, and credit agency Equifax will pay up to $700 million in fines as part of a settlement with US federal authorities over its infamous 2017 data breach.

But all the hurt inflicted on those responsible for these breaches still doesn’t help those who must deal with the long-term ramifications of cyber criminals auctioning off personal data to the highest bidder.

Breaches can haunt victims for years to come, as cyber criminals continuously try to exploit the compromised data. Just two months ago, the hackers behind the 2015 Ashley Madison data breach returned with a new bout of cyber extortion threatening to expose the accounts of compromised users unless they paid a ransom in Bitcoin.

Isn’t it time that organizations handling customer data start doing the right thing?

Encryption is one method for thwarting breaches, though it’s not yet fully embraced by those who handle our data. Customer data should have to be encrypted – everywhere and always. With effective encryption, even if you leave the front door open – or throw the data in Times Square – no one would be able to read it. Breaking encryption is extremely difficult, if not impossible, and too expensive for most to even attempt (except for governments, perhaps).

Encrypting data is not hard these days. Most systems support encryption natively, which means that all you need is a little extra effort for configuration. But the process does not end with encryption because you still need to give someone the key to read the data.

Access to encrypted data must be tightly controlled. If you encrypt data but don’t scrutinize who has access to the decryption keys, it will all be for naught. Providing encryption keys solely to authorized users, with limited access to only what is necessary for their job and nothing more, negates many of the possible threats. Such a setup provides a high-level of protection while ensuring the data is still usable by those who need it.

However, access control is only as good as the identity verification process that discerns the true identity of those requesting access. The best solution for this is a user authentication method that requires a credential that cannot be easily phished, hacked or cracked.

Encryption and access controls are useless if hackers can easily impersonate legitimate users or steal their credentials. And no, even a strong password policy does not create good-enough credentials these days. You need something that will really challenge an attacker and ensure that only authorized users can successfully authenticate and gain access to data. This is best done with a credential that only the authorized user can produce: for example, a biometric print or a physical credential that can’t be stolen electronically. Even better is a credential that uses both – a biometric print combined with a physical authentication device.

Demanding more for personal data protection

Looking ahead at 2020 and beyond, these measures will only become more of a necessity due to the technological and legal developments relating to cybersecurity.

Shifting from centralized, fully owned, on-premises servers to a multiple-cloud setup each with its own database and authentication system is not without its risks. Organizations must deal with higher chances of data mishandling and wider exposure to cyber security threats.

Moreover, not all systems are up to par with the ever-changing standards that regulators and clients demand, and the security vetting process is becoming a huge constraint on companies.

To cope with this reality, organizations invest tremendous resources in security policy management and workforce education. Sadly, that doesn’t guarantee anything when dealing with systems that are only as secure as their weakest links are strong.

And so new ideas are adopted to tackle the threat of data breaches, such as the adoption of new identification and authentication methods. Common examples are a Single Sign-On (SSO) used across company assets, passwordless authentication mechanisms utilizing biometric and behavioral attributes, and automation tools that streamline security policies management.

These technological advancements are encouraged by legislative measures promoted around the world by governments and NGOs.
Laws such as the GDPR, the CCPA, New York’s SHIELD act and the Connecticut Insurance Data Security Law are becoming increasingly common and more easily enforced. These acts require companies to comply with strict demands regarding the use of personal data in general and the prevention of data leaks and breaches specifically. This is particularly notable as lawmakers and courts, as well as the public opinion, are more willing than ever to penalize companies for acting carelessly with personal data or jeopardizing user privacy in any way.

One fact that is unlikely to change in the immediate future is that weak or stolen passwords are at the root of most data breaches. Passwords are also an expensive option for security teams to manage, not to mention hated by users. Given all this, it might be time to stop using passwords for authentication altogether.

2020 should be the year we demand more from those we entrust with our personal data. They must start encrypting customer data, controlling who has access to it, and implementing convincingly strong identity verification techniques for those requesting access to it.