Navigating the Digital Danger Zone

SecurityCan you keep your secrets? Well, it’s certainly getting harder to keep any secret that you have committed to an electronic system: in your company, on your social networks, in your cloud-connected apps – in fact, all the aspects of your digital life are at risk. A recent report claimed that a Russian cybercrime group has stolen 1.2 billion user names and passwords from 420,000 websites, and the US FTC (Federal Trade Commission) went so far as to describe the Apple and Google marketplaces for mobile apps as “a digital danger zone with inadequate oversight”.

The common ‘insecurity’ interest shared by the IT hardware, software and security industry, the cyber crime world, and national spy agencies, presents a dangerous cocktail of reciprocal business advantages. Fear, uncertainty, and doubt are powerful social and political forces involving both stick and carrot elements: consumers are often enticed by convenience and ‘free’ services to provide easy access to privileged information.

What do the keepers of your secrets actually care if your data is lost or stolen? Do they provide any kind of guarantees or offer compensation in case of data loss? In most cases, all that cloud service providers like Amazon, or the email hosters like Microsoft, suffer is a passing dent to their already dubious credibility. In the retail sector, even credit card information losses entail minor financial fines. The US retailer Target expects gross breach-related expenses of $148 million, stemming from the loss of 40 million credit card numbers, partially offset by the recognition of a $38 million insurance receivable – all-in-all a rounding error in the FY 2014 turnover of $72 billion.

However, some data keepers are slowly realizing that their customers now bring privacy protection into purchasing decisions. Edward Snowden’s disclosure of the wholesale NSA data slurping from North American, European and Australian cloud and telco sources has reduced the attractiveness of low-cost, but insecure cloud storage convenience. Many corporate GRC (Governance, Risk and Compliance) strategies now require data storage locations with verifiable data security.  On the consumer front, Google recently announced that it has begun giving better search rankings to websites that use secure, encrypted connections to transmit customer data. The change is designed to promote improved online security by encouraging developers to implement TLS (Transport Layer Security) to encrypt website traffic.

Users unwilling to invest the small amount of time and money needed for malware protective measures can be compared with reckless drivers – not only endangering the driver, but also fellow travelers and associates who are attacked by crooks using compromised devices as launch platforms for spam and scams.

Besides anti-virus and malware measures, I believe that encryption (even lousy encryption) is the overall best way of protecting our data. It puts a lock on the door to our data, and most data burglars just move on to victims that are easier to steal from. So unless you think that your data risks being specifically targeted by crooks or spies, encrypting your data at rest and in transport provides the soundest privacy protection. Of course, encryption has many shades of grey: is it really end-to-end? does it protect your data at rest? are there verifiable routines for data access? what transit protection like VPN and https connections are available? can encryption levels be applied selectively? etc.

Implementing encryption is still not as easy as A/V measures, and is not user-friendly despite dummy guides and friendly-sounding product names like Pretty Good Privacy (PGP) and Public Key Infrastructure (PKI). Encrypting data on a hard drive using, for example, the FileVault in Mac OS systems is a way forward, but that is far from most user’s minds and still requires solid IT policy measures.

Probably the best way to visualize the issue is that whoever you store your data with should be viewed as a bit of a fair-weather friend who cannot be trusted.  You can either take the view of telling them your innermost secrets, followed by “and please don’t tell anyone”, in which case you will remain unsure as to how safe that secret is forever; or, you cannot tell them the actual secret at all.  Using encryption is a way of still keeping that fair-weather friend, but not entrusting them with anything you don’t want the rest of the world to know.