by Paul DeLeeuw, Head of Interactive Oversight at ddm marketing+communications
To understand how intertwined online privacy and security have become, consider the humble company-issued laptop. The device might only be given to a new hire after he or she passes a series of mandatory security clearances. Some employees will be asked to provide a fingerprint or facial recognition to use their laptop at all. At a minimum, a unique password is required at sign-in, and that password must be changed out periodically. The parameters of the employees’ online experience are predefined to limit exposure to suspicious websites. Two-factor authentication is required to access sensitive information. Then, when the employee leaves the company, they must hand over the laptop. Any access privileges they gained are revoked, as if they had never joined the company in the first place.
To insist on strict security protocols like these from a potential business partner is not too much to ask in 2023, when defining your organization’s boundaries for security and privacy is ― or should be ― the name of the game. Limiting your employees and clients to security risks is the first rule of doing business online. Following that rule is easier said than done, but it begins with a basic principle: privacy is security.
Imagine you’re about to go on vacation, and you need someone to watch your house while you’re away. Your neighbor next door is nosier. They’re always giving you mail that “accidentally” got delivered to them. Your neighbor across the street is quieter and keeps to himself. Which of the two would you ask to keep an eye on your house? The nosy neighbor seems a bit riskier ― will she poke around and take something? ― while the neighbor across the street seems more likely to bring in the mail, then leave. He’s never seemed interested in the details of your life. If you’ve ever been in this situation, the idea that “privacy equals security” should be intuitive.
Similarly, if you visit a website and it asks for a lot of personal details, at what point should you draw the line? There are no hard and fast rules, but the answer boils down to trust. To convert potential clients and customers, they must first trust in your ability to limit their risk by safeguarding their private data.
New focus on security
To get a rough estimate of the value of individual data, consider the $1.3 billion payout Meta (the parent company of Facebook) recently agreed to in a class-action lawsuit settlement as a result of sharing users’ personal data with third parties. The revelation of Facebook’s data-selling habits sparked a “Great Privacy Awakening” that ultimately moved legislators in Europe and California to pass laws requiring websites to disclose to users whether their data is being shared with third parties, and offer the ability to opt-out of data sharing altogether.
With greater public awareness of the corporate data-sharing landscape came fear. If your online business habits routinely require inputting names, addresses, credit card numbers, and other personally identifying information, some might draw a drastic conclusion: don’t share anything with websites that have no value to you. If that seems overcautious, here are some practical guidelines to keep your data ― and those of your customers and clients ― safe:
1. Always look for a “lock” icon on your browser bar.
This indicates the website you’re visiting encrypts its traffic. In effect, the data it’s interchanging between your server and its computer needs to flow through a lot of different column pipes. Observing these strict protocols helps keep your data private and the interaction secure.
2. Never use the same password twice.
Password managers like OnePassword, MacOS/iCloud Keychain, and Google Chrome’s own built-in manager allow users to store thousands of unique passwords, effectively eliminating the need to remember more than one. When you do not re-use passwords, if any one password is compromised, it will affect only one protected website/account.
3. Use 2-factor authentication whenever possible.
Many websites support a variety of 2-factor authentication tools, which effectively require you to confirm on multiple devices that you’re trying to log in to a site. The power of this protocol is well-documented; 2-factor authentication could have saved the former President of the United States a breach of his Twitter account.
4. If your device offers some kind of biometric ID – facial or fingerprint recognition – use it.
The data they use to scan you is far more complex than a 4-digit unlock code. Then go into your device settings, and set a more complex (but memorable) device passcode. I think of my phone as my offboard brain – it might have more sensitive data about me and my contacts than any other device.
5. When dealing with financial institutions, review their security protocols when you first open an account.
They should require customers to verify any large withdrawals by answering an automatic phone call and speaking to a live customer service agent. Ask them about their fraud prevention procedures. How do they verify credit card transactions, and what is their dispute process? This extra step can safeguard against fraudulent transactions. It’s easier for hackers to steal your username, password, and/or email address than to gain access to your phone number.
6. The services you use are obligated to tell you if your personal information has been compromised.
However, it’s easy to lose track of these notifications if you don’t act on them immediately. Like reviewing your budget, or spring cleaning, you should periodically check a service like “Have I Been Pwned” and look up your email address to see if your data has been released in a security breach. If you see that a breach has exposed your password, change it – and see #2 for using a password manager to both remember it, and keep it secure. I made myself a recurring reminder to check this every 6 months.
If a breached service you’ve used in the past offers you an identity protection package – take it. They wouldn’t offer it if the information that was released wasn’t highly sensitive.
A question of trust
Any online security method you use boils down to a common principle: trust. In the case of a financial institution, your reason for trusting it with large amounts of money (or not) are obvious.
The reasons for using a reputable email server might seem less obvious, but consider the example of Microsoft Office. It uses background tools that will allow an IT expert, auditor, or lawyer to see who logged into your email account, where they were at the time of access, how long they were logged in, and what they did while they had access. This information can then be shared with law enforcement to help determine if the hacker committed a crime. On the other hand, law enforcement can also subpoena Microsoft to get access to this data – something to bear in mind for how you operate your business, and how you share data over email.
The same principle applies to password managers or 2-factor authentication platforms. You can trust the established players in these spaces with your personal information because you can be more confident they will keep your data private. They should use multiple layers of security that make it difficult for hackers to access an individual’s private information. When in doubt, reading the privacy policy is a basic first step toward establishing trust in their process. The policy’s verbiage should be unique, not copy-pasted from that of a reputable company ― never screenshotted, making it impossible to highlight the text. News of any data breach and how it was handled will also reveal how well these platforms keep their users’ data secure.
Establishing trust on an institutional level is not as straightforward as one person reading a privacy policy. When two businesses begin a relationship that involves sharing customer data, it is common to perform risk assessments and security questionnaires to establish trust. As in the example of the company laptop, it’s important to know how long a business keeps past customer and client data on file after their relationship is severed. The answer will reveal a lot about how they value security and privacy. Written privacy policies are important here, too. As a general rule, longer and more thorough privacy policies are more trustworthy ― but they should be read by someone with legal experience. Some of the basics that apply on an individual level apply to business practices too, like which email client they use and whether 2-factor authentication is required to log in to company social media accounts. The more critical the data you’ll share, the more you’ll want to assess and verify the policies and procedures a company follows – something like a SOC 2 Type II document can go a long way, because it will document a company’s security and privacy controls using the SOC 2 criteria, and it’s audited by a reputable third party.
The future of privacy and security
As the cat-and-mouse game between hackers and security providers evolves, keeping pace can make a person dizzy. One new wrinkle is AI. When viewing a privacy policy online, search the page for the phrase “as an AI language model.” It’s a common series of words generated by many AI language models, which are increasingly being used to create privacy policies; a policy drafted and reviewed by a human lawyer (i.e., the thorough ones) will not include this phrase.
When it comes to online security, establishing trust will only become a more important focal point of any business relationship. That means increased vigilance on the part of individuals, even if that means something as simple as changing out your passwords more frequently. Privacy and security will be forever intertwined, so always be mindful of who has access to customer and client data. That basic principle will go a long way.
Paul DeLeeuw is the Head of Interactive Oversight at ddm marketing+communications, a leading marketing agency for highly complex and highly regulated industries. As a tech lead, Paul provides business process and data automation solutions within the healthcare, financial services and manufacturing spaces.
