Intro — What the Hack!
Computer hacking is nothing new. It’s actually been around since the 1960s, when some of the first examples involved MIT students creating programming shortcuts to complete tasks more quickly. Then came the Internet, gaining popularity in the early 1990s, shortly followed by email. Then businesses started using the Internet to reach consumers, and then social media became a thing. Nowadays every site or blog we visit, every service we use, requires us to create a login to join their community of users.
Therein lies the problem. We’ve created such a fully connected world at such a fast pace that we didn’t even have time to consider the ramifications. Now we all have hundreds of accounts on hundreds of different sites. Most of these are probably using the same couple of passwords. Plus, we willingly provide varying levels of our own personal information to these services all because they “need it” to sign us up. Let’s be honest though, do we really trust these sites to keep our information secure?
The Lack of Security in IT & Development
Security isn’t sexy. Honestly, I think it’s the complete opposite. The word sexy is often attributed to something pretty, powerful, shiny, fast, alluring. Now technology can be sexy. Reddit has countless subreddits dedicated to sexy PC “Battlestations” with colorful PCs and keyboards, beautiful code, alluring desktop displays (UnixPorn being one of my favorites), etc., but security lacks all that appeal.
Have you ever looked at an excessively long password and thought “Damn…look at the characters on that one”? I highly doubt it. Have you ever been excited about enabling some elaborate multi-factor authentication scheme? Chances are if you say yes to these then you’re probably one of a select few. Security isn’t meant to be attractive. It’s designed to be protective, like safety glasses, a seat belt, or a tetanus shot. There’s nothing dazzling about it, it’s just there. It’s up to us to decide whether to use it.
I feel that because we look at it as such a hindrance, we often give ourselves excuses not to practice safer computing. These days we all have a fetish for efficiency and effectiveness. I’ve met many C-level Executives, Doctors, and Business Owners that can’t be bothered to change their password every 90 days…or ever. On top of that, asking them to type out a 15+ character password is like asking them to give up their firstborn. Time is money to these people, so why would they do something to make them less efficient?
Then comes Development, which has been a “hot” job market in recent years and has led to many people teaching themselves programming, going to coding boot camps, or studying Computer Science in college. I have many friends and co-workers who work as Software Engineers or Developers and I’ve asked them, “Did you have any classes or training around secure coding?” The resounding answer was “no”.
This means that the web apps and services we’re using on a daily basis weren’t necessarily designed with security in mind. Even large enterprises that have implemented secure coding practices still show up in our news feeds every day for experiencing a breach. So I still pose the question: do we really trust these sites to keep our information secure?
Desensitized to Data Breach
Data breaches are occurring on a daily, if not hourly, basis now. My biggest concern is that this is desensitizing us to the burden this places on our privacy. We are beginning to accept this on-going information leakage as a way of life. Every time I hear of a major corporation losing millions of records now I just hear Freddie Mercury in the background singing “Another one bites the dust”.
However, looking back to Yahoo, Equifax, Target, and Marriott, I have to wonder “is it really their fault?”. Sure, they leaked information on millions of customers causing stress and hardship. Still, these businesses were targeted by thieves and even the best security can only withstand so much. Those in the Cybersecurity field will tell you that there is no silver bullet, no 100% guarantee when talking about information security. When training end users, I like to compare cybersecurity to being chased by a bear in the woods. You don’t have to be the fastest (most secure), you just have to be faster (more secure) than the person next to you. Let them be the low-hanging fruit for hackers.
Only You Can Prevent a Breach of Your Data
For anyone that’s ever had their car or home broken into or had their identity stolen, you understand the helplessness that stems from the experience. The day before it happened you probably gave no thought to the possibility of it. What if you could’ve done something then to prevent it from happening? I’d like to believe that you would go out of your way to do so. So why is it that we don’t take this same approach to securing our identity, personal information, and privacy?
We’ve become so used to giving up our information that we rarely consider any consequences before typing it out. Going back to the demand for efficiency, we even have systems now to fill in all our personal data for us because we have to enter it so often. We’ve completely automated the operation of giving up our personal data.
I recently went through my Password Manager, which houses the login information for hundreds of my accounts, only to come to the realization that I’ve willingly given up my information to all these places over the past decade. Recently, I switched to using temporary email accounts for sites I don’t think need my legitimate email but some accounts have access to my address, phone number, and maybe my social security. I was the one that gave them this info. Should that information get leaked then are they really at fault? Maybe I should’ve taken a more responsible approach, not them.
Conclusion — Future Thoughts
Your personal information is yours to give out or to keep private. Now, there are certain things that you can’t keep private and I do know that. Even for information you can’t necessarily keep private (credit bureaus come to mind), there are steps you can take to prevent identity theft from happening. So my suggestion is this: the next time you sign up for an account or fill out some form where you’re giving away your information…don’t. Does that blog really need your email? Does that online shopping site really need you to create an account to buy from it? If so, is there not another shopping site you can find that item on?
I’m not naive, this is something simple to suggest but harder to do in practice. I mean we’re in a Digital world now, the Wild West of the Internet. However, the next time you see a huge data breach… I’m hoping you’ll give it a little more consideration. The goal is not to avoid the internet, or shun the luxuries it’s given us. Despite what I’ve said, I’m not against efficiency and effectiveness and I think technology has taken us a long way in the past 20 years. I only argue that maybe, just maybe, nobody cares about our privacy more than ourselves. Maybe, to protect our own personal information, we have to take responsibility for our own information and implement better internet security practices. We can’t trust the internet to uphold our privacy and keep us secure. Do you trust yourself to keep your information secure?