by Paul DeLeeuw, Head of Interactive Oversight at ddm marketing+communications
To understand how intertwined online privacy and security have become, consider the humble company-issued laptop. The device might only be given to a new hire after he or she passes a series of mandatory security clearances. Some employees will be asked to provide a fingerprint or facial recognition to use their laptop at all. At a minimum, a unique password is required at sign-in, and that password must be changed out periodically. The parameters of the employees’ online experience are predefined to limit exposure to suspicious websites. Two-factor authentication is required to access sensitive information. Then, when the employee leaves the company, they must hand over the laptop. Any access privileges they gained are revoked, as if they had never joined the company in the first place.
To insist on strict security protocols like these from a potential business partner is not too much to ask in 2023, when defining your organization’s boundaries for security and privacy is ― or should be ― the name of the game. Limiting your employees’ and clients’ exposure to security risks is the first rule of doing business online. Following that rule is easier said than done, but it begins with a basic principle: privacy is security.
Imagine you’re about to go on vacation, and you need someone to watch your house while you’re away. Your neighbor next door is nosier. They’re always giving you mail that “accidentally” got delivered to them. Your neighbor across the street is quieter and keeps to himself. Which of the two would you ask to keep an eye on your house? The nosy neighbor seems a bit riskier ― will she poke around and take something? ― while the neighbor across the street seems more likely to bring in the mail, then leave. He’s never seemed interested in the details of your life. If you’ve ever been in this situation, the idea that “privacy equals security” should be intuitive.
Similarly, if you visit a website and it asks for a lot of personal details, at what point should you draw the line? There are no hard and fast rules, but the answer boils down to trust. Before potential clients and customers will convert, they must first trust in your ability to limit their risk by safeguarding their private data.
New focus on security
To get a rough estimate of the value of individual data, consider the $1.3 billion payout Meta (the parent company of Facebook) recently agreed to in a class-action lawsuit settlement as a result of sharing users’ personal data with third parties. The revelation of Facebook’s data-selling habits sparked a “Great Privacy Awakening” that ultimately moved legislators in Europe and California to pass laws requiring websites to disclose to users whether their data is being shared with third parties, and to offer the ability to opt out of data sharing altogether.
With greater public awareness of the corporate data-sharing landscape came fear. If your online business habits routinely require inputting names, addresses, credit card numbers, and other personally identifying information, some might draw a drastic conclusion: don’t share anything with websites that have no value to you. If that seems overcautious, here are some practical guidelines to keep your data ― and those of your customers and clients ― safe:
1. Always look for a “lock” icon on your browser bar.
This indicates the website you’re visiting encrypts its traffic. In effect, the data exchanged between your computer and its server needs to flow through a lot of different pipes along the way, and encryption keeps it unreadable to anyone in between. Observing these strict protocols helps keep your data private and the interaction secure.
2. Never use the same password twice.
Password managers like 1Password, macOS/iCloud Keychain, and Google Chrome’s own built-in manager allow users to store thousands of unique passwords, effectively eliminating the need to remember more than one. When you do not reuse passwords, a compromise of any one password affects only one protected website or account.
3. Use 2-factor authentication whenever possible.
Many websites support a variety of 2-factor authentication tools, which effectively require you to confirm on multiple devices that you’re trying to log in to a site. The power of this protocol is well-documented; 2-factor authentication could have saved the former President of the United States a breach of his Twitter account.
4. If your device offers some kind of biometric ID – facial or fingerprint recognition – use it.
The data a biometric scan relies on is far more complex than a 4-digit unlock code. Then go into your device settings, and set a more complex (but memorable) device passcode. I think of my phone as my offboard brain – it might have more sensitive data about me and my contacts than any other device.
5. When dealing with financial institutions, review their security protocols when you first open an account.
They should require customers to verify any large withdrawals by answering an automatic phone call and speaking to a live customer service agent. Ask them about their fraud prevention procedures. How do they verify credit card transactions, and what is their dispute process? This extra step can safeguard against fraudulent transactions. It’s easier for hackers to steal your username, password, and/or email address than to gain access to your phone number.
6. The services you use are obligated to tell you if your personal information has been compromised.
However, it’s easy to lose track of these notifications if you don’t act on them immediately. Like reviewing your budget, or spring cleaning, you should periodically check a service like “Have I Been Pwned” and look up your email address to see if your data has been released in a security breach. If you see that a breach has exposed your password, change it – and see #2 for using a password manager to both remember it, and keep it secure. I made myself a recurring reminder to check this every 6 months.
If a breached service you’ve used in the past offers you an identity protection package – take it. They wouldn’t offer it if the information that was released wasn’t highly sensitive.
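The check in #6 can also be run against a password without revealing it. This added example (not from the original article) goes beyond the email lookup and shows the k-anonymity scheme behind Have I Been Pwned’s Pwned Passwords range endpoint: only the first five characters of the password’s SHA-1 hash leave your machine, and the match is made locally. The response text and the offline_fetch helper are constructed for illustration so the code runs offline.

```python
import hashlib

# Constructed sample of a range response for prefix 5BAA6: one
# "SUFFIX:COUNT" pair per line. The counts are made up for this example.
SAMPLE_RANGE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0\r\n"
)

sent_prefixes = []  # everything this example would have sent over the network


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Map suffix -> count, skipping malformed lines and zero-count entries."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix):
    """Hypothetical stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    sent_prefixes.append(prefix)
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password, fetch_range=offline_fetch):
    """How many times the password appears in the returned range (0 = not found)."""
    prefix, suffix = split_hash(password)
    # Only the prefix is handed to the fetcher; the match happens locally.
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 2023"):
        print(candidate, "->", breach_count(candidate))
    print("sent:", sent_prefixes)
```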
A question of trust
Any online security method you use boils down to a common principle: trust. In the case of a financial institution, your reasons for trusting it with large amounts of money (or not) are obvious.
The reasons for using a reputable email server might seem less obvious, but consider the example of Microsoft Office. It uses background tools that will allow an IT expert, auditor, or lawyer to see who logged into your email account, where they were at the time of access, how long they were logged in, and what they did while they had access. This information can then be shared with law enforcement to help determine if the hacker committed a crime. On the other hand, law enforcement can also subpoena Microsoft to get access to this data – something to bear in mind for how you operate your business, and how you share data over email.
The future of privacy and security
When it comes to online security, establishing trust will only become a more important focal point of any business relationship. That means increased vigilance on the part of individuals, even if that means something as simple as changing out your passwords more frequently. Privacy and security will be forever intertwined, so always be mindful of who has access to customer and client data. That basic principle will go a long way.
Paul DeLeeuw is the Head of Interactive Oversight at ddm marketing+communications, a leading marketing agency for highly complex and highly regulated industries. As a tech lead, Paul provides business process and data automation solutions within the healthcare, financial services and manufacturing spaces.