Penguins covered by oil, dozens of animals succumbed, more and more petroleum-yellow waves reaching the beaches. On January 15th 2022 around 40 km north from Lima the biggest ecological disaster in history of Peru happened, an oil spill. These images caused us Peruvians indignation and I asked myself: “In 2022, why our lives still rely on extracting oil?”. This is clearly unsustainable and makes me wonder when we’ll see a world without oil.
Drawing a parallel with our digital lives, a lot is unsustainable too. Behind the scenes of our online shopping, digital tax declaration, chats with family across the ocean, and long hours watching videos, these delightful digital experiences can at any time turn into grey. In our digital lives such disaster is a data breach. The good news is that like oil spills, such misfortunes can and must be avoided.
Creators of digital services—which many of us are, directly or indirectly—must put their entire efforts into making our digital lives sustainable because it benefits everyone. Otherwise, we’ll see the oil spills within our digital lives.
The spill of data
From the 2010s when social networks and smartphones became ubiquitous, companies from all industries have been becoming increasingly greedy for data. With the view to gain as much data as possible from users, even if the data is not currently needed, it may be stored for later use. Many companies have followed this paradigm without objections. Leaving users asking why an online store needs to collect users’ gender, marital status, photo, access to your social media feed, and your location, just to name a few. With some services still collecting such data from customers today.
In light of this, what is the most disastrous event that happen in a company just by having stored an enormous amount of people’s data?
As you can now guess, the answer is simple: a data breach. A data breach is a security incident in which unauthorized people accesses sensitive, confidential, protected information stored in company’s data repositories. In practice, such information could be a person’s name, credit card information, medical records, passwords, etc.
A data breach is the oil spill of our digital lives. It will inevitably harm both the individuals whose personal data is now exposed, and the company that collected the data.
Not a single company can claim to be secure enough that a data breach will never happen within its domain. The more data a company stores and the more sensitive such data is, the bigger the disaster can become.
In the very recent years, you might have heard how ransomware has risen to the top of cybersecurity threats for organisations, but reports of data breaches have also continued growing every year. The damage for a company hit by a data breach can be devastating; both in loss of reputation and in fines paid to state regulators or as indemnification to the affected users. It’s sad to see that healthcare institutions are currently the top victim of data breaches.
How do data breaches occur?
Several aspects can go wrong and be the ignition factor for a data breach. From cloud misconfiguration to exploits in third-party software. Nevertheless, compromised credentials (mostly passwords) and phishing are the top factors for data breaches. Remote work has also increased the time to identify and contain a breach, as well as its total cost.
A broader view to prevent data breaches
Most of today’s techniques to prevent data breaches focus on advanced cybersecurity solutions, such as using artificial intelligence and endpoint protection. However, is this the first point to tackle? What if companies widen their perspective and give the individual a way to take part in the solution.
If we move our focus out of protecting the perimeter, how can we minimise the impact of a data breach?
The principle is simple: the less data, the less devastating the breach. Stop collecting unnecessary data, especially sensitive data. Eliminate the dirty practices of collecting too much data. These days any well-informed CIO would feel relieved after knowing that the organisation has stopped such practices.
Secondly, give people the power of self-service. Regardless of what your business calls them; customers, citizens, patients, partners, users, give them simple tools to edit their own data. Encourage them to use the tools, instead of hiding them behind dark patterns. Exercising the right to be erased should be as simple and quick as your nifty user registration process.
Myself I’ve collaborated with identity professionals worldwide and contributed to the Consent Receipt specification by Kantara Initiative. Put it in short: today every time you accept privacy settings and terms, you don’t have a tool to modify those settings in the future. With consent receipts, you will be able to know exactly which consent you gave to whom, under which terms of use, and of course you will be able to revoke consent at any time. We need tools like these in people’s hands to make our digital lives sustainable.
How your company will benefit by embracing this
If your company builds great products and services that make our digital lives sustainable, you are the leaders leaving the skin in the game, and the rewards will come.
Benefits to companies:
- More customers’ trust. There is no single week without the news showing that a web service has misused people’s data, whether comes from Facebook, Google, smaller tech players or from public services from across the globe. Thus, it’s not a surprise if individuals are sceptical of using a new app that the local government is launching. At the other side of the spectrum there are the services getting awarded, KBC in Belgium has been voted the most trusted brand in Belgium for the last five years, in part due to the bank giving their customers a greater sense of that trust, privacy and control.
- More compliance. The new wave of data protection and privacy regulations led by EU’s General Data Protection Regulation (GDPR) is helping companies to set a higher bar for building their digital services. Your company will surf these waves no matter how high the sea rises.
- Huge savings. What could be the biggest cost of doing this wrong? Naturally, the costs of recovering from a data breach. As you know, a data breach can have huge economic impact and even cause a company’s bankruptcy, like Finland’s Vastaamo in 2021.
Finally, your employees want it too. There’s nothing more motivating for an employee, than to feel part of an organisation that cares about the human impact of its products and services. While also feeling that their own personal data as employee is well protected.
We can avoid oil spills, both the ones that affect our sea life and the ones that affect our digital lives.
Preventing a data breach—the oil spill of our digital lives—is better and less costly than trying to recover from such disaster. The fate is in our hands.
We can build better technology, we must do it, and we will do it.
About The Author: Oscar Santolalla
With more than 15 years of experience in the technology space, Oscar is a trusted advisor for Ubisecure Customer Identity and Access Management (CIAM) customers and partners. As a Sales Engineer, Oscar runs product demos, supports customers and partners, and leads the IAM Academy training programme. He is also the author of the book ‘Create and Deliver a Killer Product Demo’, and hosts 'Let's Talk About Digital Identity" podcast.
More posts by Oscar Santolalla