Privacy concerns influence consumers’ decisions more often

As awareness heightens and attitudes change, security practices evolve

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Not only do more Amer­i­cans than ever actu­al­ly care about pri­va­cy, many of us have begun to express dis­plea­sure with busi­ness­es that fail to secure cus­tomers’ per­son­al information.

More than 80 per­cent of U.S. respon­dents sur­veyed by legal firm Mor­ri­son & Foer­ster said they decid­ed not to make a pur­chase because of pri­va­cy con­cerns. Five years ago, that num­ber was less than 50 percent.

Relat­ed Q&A: Why con­sumers care about privacy

Pri­va­cy is not a the­o­ret­i­cal prob­lem because iden­ti­ty theft and the fall­out from it is so preva­lent,” says Scott Olson, vice pres­i­dent of prod­uct at iova­tion, which pro­vides fraud pre­ven­tion and cus­tomer authen­ti­ca­tion services.

Con­sid­er that some 47 states now have had breach noti­fi­ca­tion laws for a num­ber of years. Mean­while, cyber attacks have not let up. Last year, the Iden­ti­ty Theft Resource Cen­ter tracked 781 data breach­es. The ITRC has seen a near­ly 400 per­cent increase in data expo­sure since it began track­ing the trend in 2005.

As a nat­ur­al con­se­quence, com­pro­mised com­pa­nies are issu­ing more breach-noti­fi­ca­tion let­ters than every before. A flood of noti­fi­ca­tion let­ters has come from the health care sec­tor alone. Health care orga­ni­za­tions have report­ed more than 226 mil­lion com­pro­mised records from 269 data breach­es (paper and elec­tron­ic) in 2015, based on the Office of Civ­il Rights online database.

Relat­ed video: Hon­or­ing pri­va­cy can be part of a smart busi­ness model

Anoth­er mea­sure comes from a Bureau of Jus­tice Sta­tis­tics esti­mate show­ing some 16.6 mil­lion Amer­i­cans, or 7 per­cent of the U.S. adult pop­u­la­tion, were vic­tims of at least one iden­ti­ty theft inci­dent in 2014.

Ryan O’Leary, vice president of the Threat Research Center at WhiteHat Security
Ryan O’Leary, vice pres­i­dent of the Threat Research Cen­ter at White­Hat Security

(Pri­va­cy) is a con­cern on most con­sumers’ minds just because a breach is a painful process to go through,” says Ryan O’Leary, vice pres­i­dent of the Threat Research Cen­ter at the secu­ri­ty-as-a-ser­vice provider White­Hat Security.

Mean­while, the Mor­ri­son & Foer­ster sur­vey rein­forces the notion that Amer­i­can con­sumers’ obliv­i­ous­ness to secu­ri­ty and pri­va­cy expo­sures may have reached its lim­it; the num­ber of peo­ple con­cerned about iden­ti­ty theft has dou­bled between 2011 and 2015.

This is not a good trend for any busi­ness. Com­pa­nies clear­ly don’t like to be in the spot­light and have been step­ping up invest­ments in new ways to stem data breach­es, and also to detect scams.

One area of invest­ment has been in authen­ti­ca­tion sys­tems designed to detect and deter unau­tho­rized par­ties from log­ging into online accounts.

There’s con­tin­u­ous inter­est around improv­ing secu­ri­ty because nobody wants to be called out on not pro­tect­ing sen­si­tive infor­ma­tion,” says Geoff Webb, vice pres­i­dent of solu­tions strat­e­gy at Micro Focus, a glob­al soft­ware com­pa­ny whose prod­ucts include secu­ri­ty and iden­ti­ty management.

Webb says that there’s grow­ing inter­est in bio­met­rics and mul­ti­fac­tor authen­ti­ca­tion. In the past, the high cost and poor reli­a­bil­i­ty of bio­met­rics tech­nol­o­gy have been bar­ri­ers. But he says that’s changing.

Smart­phones have changed the game because they have giv­en us a plat­form to build (and deliv­er) a lot of good secu­ri­ty fea­tures,” he says.

Pass­words going the way of the dodo

Ear­li­er in Sep­tem­ber, for instance, HSBC Bank intro­duced “self­ies” as a new way of ver­i­fy­ing the iden­ti­ty of cus­tomers open­ing new accounts. Oth­er finan­cial insti­tu­tions, includ­ing Mas­ter­Card, are mov­ing toward sim­i­lar technologies.

Scott Olson, iovation vice president of product
Scott Olson, iova­tion vice pres­i­dent of product

If you went back two years ago, you wouldn’t have had many com­pa­nies, espe­cial­ly in finan­cial ser­vices, talk­ing about the demise of the pass­word,” Olson says. “But increas­ing­ly, we are hav­ing a lot of con­ver­sa­tions around not only mak­ing pass­words stronger, but … look­ing at oth­er techniques.”

Amer­i­cans’ deep-root­ed reliance on sin­gle-fac­tor authen­ti­ca­tion has long been, and con­tin­ues to be, an Achilles heel. We love the con­ve­nience of only need­ing to type a user name and pass­word to access most of our online accounts, includ­ing shop­ping, bank­ing, enter­tain­ment, web mail, social and work-relat­ed accounts.

Of course, that approach is wide open to spoof­ing. Bill Gates rec­og­nized this as ear­ly as 2004 when Microsoft’s then-CEO pre­dict­ed the demise of the pass­word. It is now a dozen years lat­er and con­sumers and busi­ness­es are only now start­ing to catch on to what Gates was con­cerned about.

The prob­lem appears to have reached a tip­ping point. About 63 per­cent of data breach­es last year involved weak, default or stolen pass­words, accord­ing to Verizon’s 2016 Data Breach Inves­ti­ga­tions Report.

All too many peo­ple con­tin­ue to reuse a small num­ber of weak pass­words for per­son­al and work-relat­ed online accounts. This makes it easy for data thieves and fraud­sters. And so the bad guys have been increas­ing­ly tar­get­ing log on cre­den­tials in net­work breach­es and data thefts.

 “Because peo­ple typ­i­cal­ly reuse user names and pass­words, when that’s com­pro­mised once, it’s com­pro­mised for a large major­i­ty of their exist­ing accounts and for their future accounts,” Olson says.

Expect a breach as inevitable

Con­sumers should treat their cre­den­tials as if they’re going to be compromised—and con­sid­er using unique pass­words for every web­site, advis­es White­Hat Security’s O’Leary.

You have to take defen­sive mea­sures because breach­es are typ­i­cal­ly out of your hands,” O’Leary says.

Craig Spiezle, Online Trust Alliance founder and executive director
Craig Spie­zle, Online Trust Alliance founder and exec­u­tive director

It was, in fact, much sim­pler just a decade or so ago for con­sumers to guard their online per­sonas, says Craig Spie­zle, founder and exec­u­tive direc­tor of the non­prof­it Online Trust Alliance. Pri­va­cy-mind­ed indi­vid­u­als main­ly had to make an effort to vis­it only those web­sites whose data-han­dling and pri­va­cy poli­cies they could trust.

Now, with the Inter­net of Things, dig­i­tal sen­sors are being embed­ded into more and more devices. The data col­lect­ed by IoT sen­sors can include any­thing from a person’s GPS loca­tion and heart rate to shop­ping habits. Gart­ner esti­mates that by 2020, there will be 13.5 bil­lion con­nect­ed “things” in the con­sumer sec­tor alone—up from 4 bil­lion this year.

What’s more, accord­ing to a 2014 report by Hewlett-Packard, some 70 per­cent of the most com­mon­ly used IoT devices have user access, pass­word and encryp­tion vulnerabilities.

Risks on con­sumers’ radar

It took the bet­ter part of a decade for con­sumers and busi­ness­es to begin to pay clos­er atten­tion to pri­va­cy and secu­ri­ty expo­sures aris­ing from how we use the Internet.

The ques­tion is: Will mar­ket­place reac­tion to new risks raised by the Inter­net of Things coa­lesce much quicker?

That already may be hap­pen­ing. A recent sur­vey by the con­sult­ing group KMPG found that near­ly a third of con­sumers sur­veyed were extreme­ly con­cerned that wear­ables, home appli­ances and oth­er Inter­net-con­nect­ed devices and gad­gets could be hacked. Anoth­er 38 per­cent said they were some­what worried.

More and more sen­sors are col­lect­ing more data as we walk around our homes, to the stores and into busi­ness­es,” Spie­zle says. “We’re being tracked with a pre­ci­sion and mag­ni­tude we nev­er would have thought was possible.”

More sto­ries relat­ed to privacy:
Cavoukian Q&A: ‘Pri­va­cy by design’ restores con­trol to consumers
Fair or foul? New foren­sics tools raise pri­va­cy concerns
15 mil­lion rea­sons to have a web­site pri­va­cy notice