
Rising Data Security Concerns


The unveiling of the Apple Watch in early September accelerated the hype over wearable technology.  Wearables have crossed the threshold of being for the technorati and are now in the consciousness of mainstream consumers.  We now want robotics to improve our lives by telling us about our quality of sleep and when we should leave work to make our dinner reservation on time.

The idea of one master wearable device is tantalizing: one control center that manages all of the other devices in our lives, acts as a personal assistant and monitors our health indicators.  However, the public is increasingly aware that what you gain in convenience and insights, you relinquish in personal privacy.  The collection and analysis of our personal data has innumerable benefits – of which we are only seeing the leading edge – but also exposes consumers and companies to new risks.

In a recent, high-profile incident, hackers released nude photos of celebrities that were obtained by hacking into the iCloud backups of these individuals’ iPhone accounts.  These photos were intended to be private to the owners and the people with whom they chose to share the images.  Now, their personal moments have become a sensation for any Joe to gawk over.

Apple responded to the incident by first denying that there was a breach, and then by apologizing and offering increased security measures.  The company will increase its use of two-factor authentication for iCloud accounts and trigger notifications to alert the user if an account has been compromised.

CEO Tim Cook addressed the issue in a Wall Street Journal interview, stating that the company “… want[s] to do everything we can do to protect our customers, because we are as outraged if not more so than they are.”  Cook also said that Apple would promote education about security risks and the need for stronger passwords and precautions by users: “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

Following this release, Connecticut Attorney General George Jepsen asked for a meeting with Apple leadership with questions about privacy protections for users of the Apple Watch.  Jepsen said that he wants to discuss “whether Apple will allow users to store personal and health information on the Apple Watch or on computer servers, and how that information will be protected,” as well as if Apple intends to review privacy policies for applications available in the App Store.

The scrutiny over privacy issues will only increase for Apple as it wades into the complex frontier of identification authentication, security and fraud prevention with the introduction of Apple Pay.  The promise of Apple Pay to revolutionize the way we pay is an exciting feature, due to be released in October 2014.  However, the dark shadow that hovers over advancement in this sector is data security.

The 2014 State of the Internet of Things study released by Accenture in August 2014 indicates that 69 percent of consumers are planning to purchase an in-home internet-connected device within the next five years, and 50 percent intend to buy a wearable device over the same period.  With this widespread, popular adoption, we cannot rely on consumers to take it upon themselves to be educated about data security.

For instance, a smart, internet-connected home-monitoring system should be able to track the patterns of the homeowner’s activity in order to provide seamless security and system efficiency.  This service requires the device to collect a stream of data about customer habits and activities that can then be analyzed to optimize performance.  The dark side of this helpful function is that the company must collect, store and analyze a repository of data about consumer behaviors, and this data can be captured for nefarious purposes if it is not secured.

The same is true for cloud applications we use on laptops, wearable devices or mobile phones.  The more consumer information about health, finances or Netflix habits is collected, the more risk there is of exposure.  As the volume of personal data that is collected increases, consumers have a right to expect that the companies doing the collection have an obligation to keep it safe.

Home Depot is the latest retailer to face a massive security breach, exposing 56 million payment cards to fraud risk.  To its credit, Home Depot fessed up immediately and has worked with credit card issuers to alert consumers and issue new cards.  The company benefitted from lessons learned by Target, which pioneered crisis-mitigation strategies for credit card security breaches during the 2013 holiday season.

Fast on the heels of Home Depot, Jimmy John’s announced on Sept. 24 that a hacker had infiltrated payment systems at 216 of its locations, stealing payment card information.  The sandwich chain may have been waiting for cover, because it surfaced that the company knew about the incident two months before making it public.

Companies of every size should take these incidents as notice that data security is a high-profile issue that must be front and center in planning cycles.  In addition to straining their relationships with consumers, companies can face stiff fines for the release of certain types of data, as well as significant financial outlay to clean up the mess.

To help your company rise to this challenge, we’ve outlined Blacklight Solutions’ 10-point plan for data security preparedness.

1.  Understand where the risks to your business lie.
A comprehensive company audit should include exploration of the following questions:

  • What types of data do you collect?
  • How is your company data stored?
  • Who has access to this data?
  • What is the sensitivity level of this data?

2.  Know the history of incidents that peer firms have experienced and current practices for your industry.
Plan for resources to ensure that you will stay current on any privacy protection standards or reporting requirements specific to your business.

3.  Know the security measures and privacy policies of your partners/vendors.
Educate yourself on how your partners protect the information you share with them.  It’s good business to know how secure your third-party data is and how well your partners are taking care of your data.  Minimize the potential for collateral damage in the event your partners experience a breach.   If you use a cloud vendor, know its security protections as well.

4.  Know your company’s data backup and storage procedures.
Make sure all employees who are part of this data-processing pipeline understand where the security risks lie and remain vigilant in monitoring risk indicators.

5.  Know the weak points of your system.
Where do the risks lie?  Where have other companies seen breaches occur?  Make sure that you are using up-to-date technologies; developers and vendors learn from past incidents and update security measures and procedures to meet evolving needs.

6.  Understand physical security risks:

  • Do employees pose a risk?
  • Is there a means for data to physically leave the premises?

7.  Consider hiring a Chief Information Security Officer.
There are benefits to hiring an experienced practitioner who thinks about data security all day every day.  The payoff in peace of mind and crises averted can be very real.  At a minimum, ensure that you are staffed to stay on top of security demands for your business.

8.  If needed, hire an information security consulting firm.
If you need experts, or you need on-call, not full-time resources, information security consulting gives you the peace of mind you need as well as leading-edge expertise.  In addition, you can align your operational expense for security issues with the need as it arises.

9.  Implement appropriate security measures.
This is the next step after you have completed thorough research.  Don’t wait; this is a situation in which it is better to be safe than sorry.

10.  Plan for a doomsday scenario.
This can be a good exercise for your company’s response team and underscores the real repercussions of a lapse in security measures.  A test run will ensure that everyone at your company is taking security seriously.  Crisis planning should cover questions such as:

  • What does the worst case look like for your company?
  • What constituencies would be affected by a data breach?
  • What are the immediate concerns?
  • What are the stop-gap measures you can employ?
  • Who do you need to notify?

We are seeing an inflection in information security, in which consumers are demanding increased protections.  Every company that collects and/or stores customer information will need to prove that they have robust security measures in place and are deserving of consumer confidence.  This is an area in which it will pay dividends to commit to advance preparation.

Note: Top image source: Bloomberg: http://www.bloomberg.com/infographics/2014-08-21/top-data-breaches.html

The post Rising Data Security Concerns appeared first on Blacklight Solutions.

