Privacy concerns influence consumers’ decisions more often
As awareness heightens and attitudes change, security practices evolve
By Rodika Tollefson, ThirdCertainty
Not only do more Americans than ever actually care about privacy, many of us have begun to express displeasure with businesses that fail to secure customers’ personal information.
More than 80 percent of U.S. respondents surveyed by legal firm Morrison & Foerster said they decided not to make a purchase because of privacy concerns. Five years ago, that number was less than 50 percent.
“Privacy is not a theoretical problem because identity theft and the fallout from it is so prevalent,” says Scott Olson, vice president of product at iovation, which provides fraud prevention and customer authentication services.
Consider that some 47 states now have had breach notification laws for a number of years. Meanwhile, cyber attacks have not let up. Last year, the Identity Theft Resource Center tracked 781 data breaches. The ITRC has seen a nearly 400 percent increase in data exposure since it began tracking the trend in 2005.
As a natural consequence, compromised companies are issuing more breach-notification letters than ever before. A flood of notification letters has come from the health care sector alone. Health care organizations have reported more than 226 million compromised records from 269 data breaches (paper and electronic) in 2015, based on the Office of Civil Rights online database.
Another measure comes from a Bureau of Justice Statistics estimate showing some 16.6 million Americans, or 7 percent of the U.S. adult population, were victims of at least one identity theft incident in 2014.
“(Privacy) is a concern on most consumers’ minds just because a breach is a painful process to go through,” says Ryan O’Leary, vice president of the Threat Research Center at the security-as-a-service provider WhiteHat Security.
Meanwhile, the Morrison & Foerster survey reinforces the notion that American consumers’ obliviousness to security and privacy exposures may have reached its limit; the number of people concerned about identity theft doubled between 2011 and 2015.
This is not a good trend for any business. Companies clearly don’t like to be in the spotlight and have been stepping up investments in new ways to stem data breaches, and also to detect scams.
One area of investment has been in authentication systems designed to detect and deter unauthorized parties from logging into online accounts.
“There’s continuous interest around improving security because nobody wants to be called out on not protecting sensitive information,” says Geoff Webb, vice president of solutions strategy at Micro Focus, a global software company whose products include security and identity management.
Webb says that there’s growing interest in biometrics and multifactor authentication. In the past, the high cost and poor reliability of biometrics technology have been barriers. But he says that’s changing.
“Smartphones have changed the game because they have given us a platform to build (and deliver) a lot of good security features,” he says.
Passwords going the way of the dodo
Earlier in September, for instance, HSBC Bank introduced “selfies” as a new way of verifying the identity of customers opening new accounts. Other financial institutions, including MasterCard, are moving toward similar technologies.
“If you went back two years ago, you wouldn’t have had many companies, especially in financial services, talking about the demise of the password,” Olson says. “But increasingly, we are having a lot of conversations around not only making passwords stronger, but … looking at other techniques.”
Americans’ deep-rooted reliance on single-factor authentication has long been, and continues to be, an Achilles heel. We love the convenience of only needing to type a user name and password to access most of our online accounts, including shopping, banking, entertainment, web mail, social and work-related accounts.
Of course, that approach is wide open to spoofing. Bill Gates recognized this as early as 2004 when Microsoft’s then-CEO predicted the demise of the password. It is now a dozen years later and consumers and businesses are only now starting to catch on to what Gates was concerned about.
The problem appears to have reached a tipping point. About 63 percent of data breaches last year involved weak, default or stolen passwords, according to Verizon’s 2016 Data Breach Investigations Report.
All too many people continue to reuse a small number of weak passwords for personal and work-related online accounts. This makes it easy for data thieves and fraudsters. And so the bad guys have been increasingly targeting logon credentials in network breaches and data thefts.
“Because people typically reuse user names and passwords, when that’s compromised once, it’s compromised for a large majority of their existing accounts and for their future accounts,” Olson says.
Expect a breach as inevitable
Consumers should treat their credentials as if they’re going to be compromised—and consider using unique passwords for every website, advises WhiteHat Security’s O’Leary.
“You have to take defensive measures because breaches are typically out of your hands,” O’Leary says.
It was, in fact, much simpler just a decade or so ago for consumers to guard their online personas, says Craig Spiezle, founder and executive director of the nonprofit Online Trust Alliance. Privacy-minded individuals mainly had to make an effort to visit only those websites whose data-handling and privacy policies they could trust.
Now, with the Internet of Things, digital sensors are being embedded into more and more devices. The data collected by IoT sensors can include anything from a person’s GPS location and heart rate to shopping habits. Gartner estimates that by 2020, there will be 13.5 billion connected “things” in the consumer sector alone—up from 4 billion this year.
What’s more, according to a 2014 report by Hewlett-Packard, some 70 percent of the most commonly used IoT devices have user access, password and encryption vulnerabilities.
Risks on consumers’ radar
It took the better part of a decade for consumers and businesses to begin to pay closer attention to privacy and security exposures arising from how we use the Internet.
The question is: Will marketplace reaction to new risks raised by the Internet of Things coalesce much quicker?
That already may be happening. A recent survey by the consulting group KPMG found that nearly a third of consumers surveyed were extremely concerned that wearables, home appliances and other Internet-connected devices and gadgets could be hacked. Another 38 percent said they were somewhat worried.
“More and more sensors are collecting more data as we walk around our homes, to the stores and into businesses,” Spiezle says. “We’re being tracked with a precision and magnitude we never would have thought was possible.”