Privacy Is Security: How Businesses Can Earn Trust While Handling Individual Data Online

2023-07-11 by Paul DeLeeuw

Consider the humble company-issued laptop to understand how intertwined online privacy and security have become. The device might only be given to a new hire after passing a series of mandatory security clearances. Some employees will be asked to provide a fingerprint or facial recognition to use their laptops. At a minimum, a unique password is required at sign-in, which must be changed periodically. The employees’ online experience parameters are predefined to limit exposure to suspicious websites. Two-factor authentication is required to access sensitive information. Then, when the employee leaves the company, they must hand over the laptop. Any access privileges they gained are revoked as if they had never joined the company in the first place.

To insist on strict security protocols like these from a potential business partner is not too much to ask in 2023, when defining your organization’s boundaries for security and privacy is, or should be, the name of the game. Limiting the exposure of employees and clients to security risks is the first rule of online business. Following that rule is easier said than done, but it begins with a basic principle: privacy is security.

Imagine you’re about to go on vacation and need someone to watch your house while you’re away. Your neighbor next door is nosy. They’re always giving you mail that “accidentally” got delivered to them. Your neighbor across the street is quieter and keeps to himself. Which of the two would you ask to keep an eye on your house? The nosy neighbor seems a bit riskier: will she poke around and take something? The neighbor across the street seems likelier to bring in the mail and then leave. He’s never seemed interested in the details of your life. If you’ve ever been in this situation, the idea that “privacy equals security” should be intuitive.

Similarly, if you visit a website and it asks for a lot of personal details, at what point should you draw the line? There are no hard and fast rules, but the answer boils down to trust. To convert potential clients and customers, they must first trust your ability to limit risk by safeguarding their private data. 

New focus on security

To get a rough estimate of the value of individual data, consider the $1.3 billion payout Meta (the parent company of Facebook) recently agreed to in a class-action lawsuit settlement due to sharing users’ personal data with third parties. The revelation of Facebook’s data-selling habits sparked a “Great Privacy Awakening” that ultimately moved legislators in Europe and California to pass laws requiring websites to disclose to users whether their data is being shared with third parties and offer the ability to opt-out of data sharing altogether.

With greater public awareness of the corporate data-sharing landscape came fear. If your online business habits routinely require inputting names, addresses, credit card numbers, and other personally identifying information, some might draw a drastic conclusion: don’t share anything with websites that have no value to you. If that seems overcautious, here are some practical guidelines to keep your data - and those of your customers and clients - safe: 

  1. Always look for a “lock” icon in your browser’s address bar. It indicates that the website you’re visiting encrypts its traffic. The data exchanged between your computer and the site’s server passes through many intermediate hops, and encryption keeps it unreadable along the way. Observing these strict protocols helps keep your data private and the interaction secure.

  2. Never use the same password twice. Password managers like 1Password, the macOS/iCloud Keychain, and Google Chrome’s built-in manager can store thousands of unique passwords, so you only need to remember one. When you do not reuse passwords, a compromise of any one password affects only one website or account.

  3. Use 2-factor authentication whenever possible. Many websites support a variety of 2-factor authentication tools, which effectively require you to confirm on a second device that you are the one trying to log in to a site. The power of this protocol is well documented; 2-factor authentication could have saved the former President of the United States from a breach of his Twitter account.

  4. If your device offers a biometric ID (facial or fingerprint recognition), use it. The data it scans from you is far more complex than a 4-digit unlock code. Then, set a more complex (but memorable) device passcode in your settings. I think of my phone as my offboard brain – it might have more sensitive data about me and my contacts than any other device.

  5. When dealing with financial institutions, review their security protocols when opening an account. They should require customers to verify large withdrawals by answering an automated phone call and speaking to a live customer service agent. Ask them about their fraud prevention procedures. How do they verify credit card transactions, and what is their dispute process? This extra step can safeguard against fraudulent transactions. It’s easier for hackers to steal your username, password, and/or email address than to gain access to your phone number.

  6. The services you use must tell you if your personal information has been compromised. However, it is easy to lose track of these notifications if you don’t act on them immediately. Like reviewing your budget or spring cleaning, you should periodically check a service like “Have I Been Pwned” and look up your email address to see if your data has been released in a security breach. If you see that a breach has exposed your password, change it – and see #2 for using a password manager to both remember it and keep it secure. I made myself a recurring reminder to check this every 6 months.

  7. If a breached service you’ve used in the past offers you an identity protection package – take it. They wouldn’t offer it if the information that was released weren’t highly sensitive. 


A question of trust

Any online security method you use boils down to a common principle: trust. In the case of a financial institution, your reason for trusting it with large amounts of money (or not) is obvious. 

The reasons for using a reputable email server might seem less obvious, but consider the example of Microsoft Office. It uses background tools that will allow an IT expert, auditor, or lawyer to see who logged into your email account, where they were at the time of access, how long they were logged in, and what they did while they had access. This information can then be shared with law enforcement to help determine if the hacker committed a crime. On the other hand, law enforcement can also subpoena Microsoft to access this data – something to bear in mind for how you operate your business and share data over email.

The same principle applies to password managers or 2-factor authentication platforms. You can trust the established players in these spaces with your personal information because you can be more confident they will keep your data private. They should use multiple layers of security that make it difficult for hackers to access an individual’s private information. When in doubt, reading the privacy policy is a basic first step toward establishing trust. The policy’s verbiage should be unique, not copy-pasted from that of a reputable company, and never presented as a screenshot, which makes it impossible to highlight or search the text. News of any data breach and how it was handled will also reveal how well these platforms keep their users’ data secure.

Establishing trust on an institutional level is not as straightforward as one person reading a privacy policy. When two businesses begin a relationship that involves sharing customer data, it is common to perform risk assessments and security questionnaires to establish trust. As in the example of the company laptop, it is important to know how long a business keeps past customer and client data on file after the relationship is severed. The answer will reveal a lot about how they value security and privacy. Written privacy policies are important here, too. Generally, longer and more thorough privacy policies are more trustworthy, but someone with legal experience should read them. Some of the basics on an individual level apply to business practices too, like which email client they use and whether 2-factor authentication is required to log in to company social media accounts. The more critical the data you’ll share, the more you’ll want to assess and verify the policies and procedures a company follows. Something like a SOC 2 Type II report can go a long way, because it documents a company’s security and privacy controls against the SOC 2 criteria and is audited by a reputable third party.

The future of privacy and security

As the cat-and-mouse game between hackers and security providers evolves, keeping pace can make a person dizzy. One new wrinkle is AI. When viewing a privacy policy online, search the page for the phrase “as an AI language model.” It’s a common series of words generated by many AI language models, which are increasingly used to create privacy policies; a policy drafted and reviewed by a human lawyer (i.e., the thorough ones) will not include this phrase.

Establishing trust will only become a more important focal point of any business relationship regarding online security. That means increased vigilance on the part of individuals, even if that means something as simple as changing your passwords more frequently. Privacy and security will be forever intertwined, so always be mindful of who has access to customer and client data. That basic principle will go a long way.

Author

Paul DeLeeuw

Paul DeLeeuw is a tech Lead at ddm marketing + communications, a leading marketing agency for highly complex and highly regulated industries.
