Whilst the subject of data security certainly isn’t a new one, it has increasingly come into the limelight over the past 18-24 months by both consumers and the enterprise. But why now? And what has changed?
At a high level, there have been three ages of man's foray into the world of computing.
1960s - 1990s: Getting started with computers, creating never-before-seen devices with screens, mice and advanced networking capabilities
1990s – 2010: Building on top of these amazing devices to create the information superhighway (that's the internet to the young people), miniaturisation and mobilisation (apps)
2010 – Now: I believe we’ve entered and are living in an age of data security. I’m not saying the issue of security hasn’t been around until now, of course it has. But it’s no longer a topic that we know little about or a topic that only the security guy in the tinfoil hat is rocking back and forth in the corner screaming about. It’s something we are all aware of and whether we know it or not, it’s something we all have to take responsibility for.
What do I mean by data security?
I'm not just talking about how long your password is - that was the traditional end-user view of ‘security’. No, I'm talking about the bigger picture. Who are we ‘giving’ our data to? What are they doing with it? Can we trust them? And why on earth do they need our street address?
Trusting service providers with our data is a fact of our digital lives. For most sites, we need to register and create an account; however, we can and should limit what these companies know about us. As we have seen over the last few years, even the big-name companies are not immune from attack and data theft (and it is your data that gets stolen). Adobe, eBay and Sony come to mind, each with a massive data breach in recent years.
Looking at it from the other side, we as service providers, regardless of what our "terms of service" say, have a responsibility to protect our data and customer data from attack and exposure. Nothing will kill a service business faster than its customers losing confidence in its offering and the security of that offering and jumping ship.
Data security is about protecting yourself / your enterprise and your confidential data from exposure to unauthorised parties through the use of proven security and encryption mechanisms.
As I mentioned, this is not a new topic, but rather is just one getting more attention than it previously did - and this is a good thing because there are already improvements being noticed in the wild.
Many organisations are proactively working to improve their security and protect customer data. For example, the concept of "two factor authentication" or 2FA is one that is becoming the norm across the internet with companies like Google, Twitter, LinkedIn and Facebook.
In a nutshell, 2FA is an extra layer of security when you are logging into a system. Your username identifies you, your password is something you know, and the third layer is something you have. By "something you have" I mean something that is physically in your possession. Usually this takes the form of a text message from the system, e.g. Twitter, containing a code that you enter into their site. By receiving the code and presenting it to the site, you prove that you are very likely who you say you are, because you have access to that person's phone.
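The "something you have" step described above, as an added example that is not code from the original post: a minimal server-side store for SMS-style one-time codes. The code is generated with a cryptographically secure random source, only a keyed hash of it is kept (so a leaked store does not reveal live codes), it expires after a few minutes, it can be used once, and a handful of wrong guesses invalidates it. `SERVER_KEY`, the user names and the injectable clock are constructed for the example; the actual SMS delivery is represented by returning the code to the caller.

```python
import hmac
import hashlib
import secrets
import time

CODE_DIGITS = 6          # length of the numeric code sent to the user
CODE_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded

# Constructed placeholder; a real deployment loads this from a secrets store.
SERVER_KEY = b"example-server-key-do-not-use-in-production"


class OneTimeCodeStore:
    """Issues and verifies short-lived, single-use second-factor codes."""

    def __init__(self, now=time.time):
        # `now` is injectable so expiry behaviour can be exercised in tests.
        self._now = now
        # user -> (keyed hash of code, expiry timestamp, attempts left)
        self._pending = {}

    @staticmethod
    def _digest(user, code):
        # HMAC with a server-side key: the stored value cannot be turned
        # back into the code without the key, even though the code space
        # (10**CODE_DIGITS) is tiny.
        msg = f"{user}:{code}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self, user):
        """Create a fresh code for `user`; returns it for delivery (e.g. SMS).

        The plain code must never be logged or stored by the caller.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = (
            self._digest(user, code),
            self._now() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        )
        return code

    def verify(self, user, submitted):
        """Return True once, for the right code, within its lifetime."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        stored_digest, expires_at, attempts_left = entry

        if self._now() > expires_at:
            del self._pending[user]       # expired: user must request a new one
            return False

        # Constant-time comparison of the digests avoids leaking how many
        # leading characters matched through response timing.
        if hmac.compare_digest(stored_digest, self._digest(user, submitted)):
            del self._pending[user]       # single use: consume on success
            return True

        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user]       # too many guesses: invalidate
        else:
            self._pending[user] = (stored_digest, expires_at, attempts_left)
        return False


def two_factor_login(store, user, password_ok, submitted_code):
    """Second step of a login: only runs after the password was accepted.

    `password_ok` is the result of the first factor check (something you
    know); the code check is the second factor (something you have).
    """
    if not password_ok:
        return False
    return store.verify(user, submitted_code)


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")            # would be sent to alice's phone
    print("code accepted:", two_factor_login(store, "alice", True, code))
    print("replay accepted:", two_factor_login(store, "alice", True, code))
```

The two properties worth noticing are that a correct password alone never completes the login, and that a code is consumed on first use, so a code intercepted after the legitimate user has already entered it is worthless.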
Communicate to customers when issues arise
Sometimes, despite best efforts and the use of best-practice security, issues can arise. A good example is the recent Heartbleed vulnerability that swept the internet. In that instance, the industry best-practice software had a previously unknown vulnerability in it which potentially exposed the very mechanisms that secure data in transit across the internet.
But a measure of a company (in my opinion) is what it does when an issue arises. A company that stays silent until it has figured out exactly what happened and what was taken may think it is doing the right thing, but in reality this is almost as bad as the fact that the attack took place at all. A good example is the anger directed at eBay owing to its slow reaction to its data breach.
A good security-conscious company will inform users as these issues arise and keep a constant stream of information flowing, allowing users and customers to react and protect themselves elsewhere, whether that means changing passwords or keeping an eye on credit card statements.
The changing face of security
Thankfully the tech world has realised that we have a problem and is working to improve security across the internet. A good example of this is the up-and-coming secure login technology SQRL, the brainchild of security researcher Steve Gibson.
I won't go into the finer details but, in a nutshell, imagine logging into a site without ever having to enter a username or password. Instead, you use your mobile device to scan a special QR code on the screen which then automagically logs you in. The technology behind this concept is incredibly cool and for the interested amongst you, I encourage you to read the detailed description here.
What should consumers do?
Be more aware of your own security. It is your responsibility as well as that of your service providers. Password managers like LastPass (my password manager of choice) are a great starting point to help with choosing secure passwords. You can also look out for security enhancements from your service providers, such as two factor authentication.
Be cautious. Convenience is quite the tempter, but are your personal details worth it? Open Wi-Fi access points should not be used for internet banking, for example. I was recently in a large global hotel chain which has one of the best online booking systems and apps I have come across. However, I will not store my credit card details with them, as they allow a maximum password length of only four digits! That is not enough to protect my credit card data, or any data for that matter!
What should the enterprise do?
Be aware of the importance of data security and ensure a security element is included in every project. This should include:
Data risk assessments
Balancing security with user experience: champions of user experience working with champions of security to find a workable middle ground
Penetration testing of all new or updated systems
Regular review of existing systems to ensure compliance and security
Security is a fluid, ever-changing topic. Keeping up with security-related news and world events is crucial to reacting fast and keeping systems secure.
Always challenge the status quo - don't just do it because "that's the way we do it and have done it"
The world of security is ever-changing and the best practice way to do something now may not be the way to do it in a few months. Revisiting security guidelines frequently is a must-do for all organisations.
Security must be a mindset, in our personal lives as well as in our corporate lives. We have to stop being reactive to security concerns and adopt a proactive stance. Only then can we hope to secure ourselves both now and in the future, and it will be worth it in the long run.