Feature Article

Privacy & Protection in the Information Age

By Samantha Mocle

It all started with the introduction of the browser - Netscape Navigator, to be exact - which provided the public a groundbreaking introduction to a wide world of information in 1994. Gone were the days in which data searches were limited to company email servers or private databases. Now internet cafes, libraries, and home computers provided points of entry for anyone to explore. For Maithily Erande, who was then an undergraduate studying computer science, the possibilities of the World Wide Web included opportunities to enhance and influence business decisions through data analytics. But, for others, the wealth of accessibility triggered more ominous thoughts - could there be ways to get even more information? What could be done with it? And how might web users gather data without seeking permission? With an estimate that nearly 11.2 billion connected devices will be in use globally by the end of 2018, companies and consumers alike weigh the daily advantages of embracing technological advancement against the threat of cyber intrusions. It is a conundrum that Erande calls the "morality of privacy," namely the dilemma all internet users face with the onslaught of spyware, malware, and increasingly sophisticated hacking.

Today, as associate professor of information technology at Lasell, Erande is well aware that cyberattacks and data breaches have become a top-of-mind issue for corporations, small businesses, and consumers alike, and the focus has rightly turned toward safeguarding data whenever and wherever possible. Still, for anyone who has been the victim of a data breach, it is clear that protecting the privacy of consumers, corporations, and individuals is a work in progress. 

"Technology by itself cannot detect and remedy a hack," said Erande, the former vice president for project engineering at RSG Media. "Human knowledge is required to understand that something is wrong, to fix it, and to develop technology that is smarter than a hacker. In the information age, there are so many systems that talk to one another, that there is no one way to stop infiltrations. We cannot sit back and relax."

With a Pew Research Center estimate that 88 percent of U.S. adults had used the internet by 2016, the number of internet users, paired with the number of connected devices - known as the Internet of Things (IoT) - creates additional possibilities and ease of access for all, including increasing numbers of cyber criminals.

"The IoT has expanded to include devices ranging from smartphones and tablets to wearables, sensors, and security cameras," said Erande. "Each device can have multiple points of vulnerability through the software that informs it or the hardware that powers it."

Is the solution to simply unplug? Not so fast, said Erande. While cyber threats show no sign of stopping, the answer cannot be the elimination of devices or software. Instead, corporations and individual users need to adapt their behavior to become more vigilant in the digital era.

AN INVESTMENT IN THE FUTURE

Strong cybersecurity relies on three tenets of success, said Erande. Information must have integrity; that is, it must be authentic and complete. There must be an availability of systems for storing, delivering, and processing information, as well as for safeguarding access. And, there must be a level of confidentiality that enables certain individuals to obtain information while withholding it from others. These tenets cannot solely stand on the shoulders of technological solutions. While industries move toward automation, this is one area in which the partnership between human intelligence and advanced technology must be reinforced.

Brandon Hanss '10 sees this every day in his work for Veracode, a business-to-business enterprise based in Burlington, Massachusetts, that helps organizations understand the digital risks associated with mergers, partnerships, and regulatory compliance.

"As consumers, we create business for these organizations, and so it is on us to hold them accountable for keeping information secure," he said. For example, Hanss suggests asking banks if their mobile applications are equipped with the strongest possible security, or inquiring if your doctor's office complies with HIPAA laws with both digital and print files.

Corporate change must happen, and fast, he said. Security can no longer be an afterthought, but instead must be baked into software development, financial investments, and hiring decisions. There are still those who prefer to take the risk of being breached without understanding that the "cost associated is much greater than the preventative investment they could have taken to begin with," Hanss said. Luckily, his experience shows that when research and numbers are presented to the right stakeholders, change can be swift.

"The effort put into mitigating the risk makes all the difference," he said. "Hiring the right people to oversee security means that there is accountability at a higher level."

Not surprisingly, cost can be the "make-it-or-break-it" factor in determining whether a company's data might be breached in the first place. According to the Harvard Business Review, "breaches cost businesses nearly $4 billion" in 2016, with the cost anticipated to have risen by 36 percent by the end of 2017. While organizations invest to safeguard information, cyber attackers also need to invest time and money to retrieve it. According to Erande, one way to elevate a company's security is to ensure that the cost to a potential hacker is higher than the cost of the data itself.

"If the value of your data is worth $100,000 to a cyber attacker but it requires two or three years of work to break into it, it isn't a worthy investment on their behalf," she said. "Companies need to update their systems to make the cost of acquiring their data undesirable."

For individuals, Erande said, it is important to note that cybersecurity is not solely a technological issue. When both perpetrators and victims are human, there must also be a personal investment in data protection beyond any corporate and policy-based remedies. If users are to become continually dependent on digital solutions and technology, they must also behave with cognizance. As cited in a December 2017 Harvard Business Review article, it is "reframing the human-security relationship," a necessary retraining of human behavior in relation to technology as a way to keep personal data under wraps.

A BALANCING ACT

The digitization of daily communications and transactions poses an issue for those who may want to fill out medical forms on paper or pay bills by mail. If those options cease to exist and modes of participation are entirely digital, individuals must understand how to navigate that landscape with vigilance. It is a task that Kendall Pappas '09 oversees as a senior analyst for Major League Baseball's information security department. In that role, Pappas conducts background checks, handles digital discovery for litigations, monitors data affiliated with investigations, and has helped roll out a leaguewide program on personal security awareness.

"It's about protecting infrastructure, but also about helping our players and contractors learn how to protect themselves," said Pappas. "You're only as strong as your weakest link, and as technology becomes more advanced, cyber attackers become even more clever. You have to take personal steps to protect yourself and your information."

But where does one start? According to Erande, it is important to find balance between digital convenience and awareness. Individuals need to understand what practices they are comfortable with and where they are willing to compromise. "For example, in an ideal world, the best personal security measure would be to change your passwords on a daily or weekly basis," she said. "In that same world, I might love the convenience of paying by phone and not carrying my wallet." Yet neither of these ideas is one-size-fits-all. Navigating the tightrope between ease of access and protective measures is a task that everyone must take seriously.

"There has to be a general understanding of how your personal practices have the potential to expose personal data," said Erande. "Programmers and educators are trying to find ways to build community awareness. If people understand the ramifications and weigh them against their lifestyle, they can at least take informed risks."

Simple measures can be taken with little effort, said Pappas. If a security question asks for the model of your first car, you might enter both the model and the color to nuance the response. Using a password manager can also be useful in developing - and remembering - unique passwords with multiple characters and numbers.

It is also good practice to verify the source and stability of new programs, said Hanss. In many cases, users have the habit of clicking through digital contracts or automatically allowing websites to store data such as credit card information to save time, he said, but consumers should understand that "digital" is not a synonym for "safe."

"People subconsciously assume that apps are safe because it took technological know-how to develop them," he said. He described what he calls a responsibility clause: Do you trust something because it exists and made it to the market, or because you've asked questions and done your research?

THE WAY FORWARD

With threats to cybersecurity having global, national, corporate, and personal implications, Erande identifies three areas that, if properly developed, can lend themselves to positive change: leadership, collaboration, and education.

Strong government and corporate leadership can provide better governance around cybersecurity issues and ensure that the monitoring of and response to threats is handled with urgency. Global collaboration among countries and corporations can also help beat cyber attackers at their own game.

"Cyber criminals work together to share knowledge, sell data, and develop new techniques for infiltration," said Erande. Yet, she noted, those same collaborative practices rarely exist among security vendors. On a global scale, cyber laws have been implemented in a number of countries, but a lack of baseline standardization provides a number of loopholes for criminals to infiltrate as multinational corporations conduct cross-border transactions on a daily basis.

"When you think about the number of independent groups and even whole countries looking to steal and sell information, the ripple effect can have human impact," said Hanss. "Medical records in particular, when in the wrong hands, can alter the way that medicine is marketed, developed, and priced, and in turn impact the world as we know it."

The education component is another pathway to success. In the United States, the National Security Administration (NSA) has developed a cybersecurity curriculum in partnership with higher education institutions - including Lasell College - to develop a pool of students equipped with skills and certifications to navigate future threats. Building the general public's security awareness can aid consumers in considering the implications of each connected device they buy and each piece of information they share online.

Erande looks at technological purchases as the start of a process, rather than the final step in the investment. Research and thoughtful information management - not just one's proficiency on a particular device - may help individuals evade cybersecurity threats that prey on interconnectivity. If your phone links to your car and also to a digital lock on your front door, a hacker may only need that one entry point in the future to access everything connected to it. As a result, she says, no one should become complacent in storing personal information or financial details on any website or platform, and interconnectivity must go hand-in-hand with digital vigilance.

"If you want to own all of these devices," said Erande, "you have to own what comes with it."

Tips for Protecting Your Information

As a senior analyst for Major League Baseball's information security department, Kendall Pappas '09 educates players, contractors, and staff about keeping their digital information safe. She suggests five key ways to avoid common cybersecurity pitfalls:

USE A PASSWORD MANAGER
Complex passwords with a mix of uppercase and lowercase letters, numbers, and special characters are an absolute best practice - but they're more difficult to remember. A secure password manager (there are several available with a quick Google search) provides a solution to keep hackers out while keeping your information in one place.

BE SPECIFIC WITH SECURITY QUESTIONS
When selecting security questions to safeguard your access to different websites, use answers that only you would have. For example, if the question asks for your favorite car, you might say, "Dad's red Corvette" to keep intruders from guessing a more common answer.

VERIFY EMAIL SOURCES
If you're not 100 percent sure of an email's source, hover your cursor over the display name of the sender once you've opened it. This will show the actual email address that the communication came from. For example, said Pappas, an email that claims to be from Major League Baseball may, upon closer inspection, be from a rogue sender at M1B.com instead of MLB.com.

CLICK SPARINGLY
The same cursor hover trick works for links. Use caution when clicking through in emails or online, especially if the offer seems too good to be true. Chances are the email offering a sizable donation into your bank account from a member of a royal family overseas is fraudulent.

USE RESEARCH TO COMBAT SCARE TACTICS
Unprompted requests for personal information via email or phone should never cause you to worry - or to give up that information. "Anyone who works for Amazon or the IRS is never going to contact you asking for your social security number, username, or password," said Pappas. Always ask for official documentation, or research the organization, to see if the phone number or email address you were contacted from is legitimate. If it truly isn't a scam, they will have a more verifiable way of contacting you.
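
The sender check described under "Verify Email Sources" can also be automated. The following is an added example, not part of the original article: it parses a From header and flags a sending domain that only resembles the expected one, the way M1B.com resembles MLB.com. The brand table, the look-alike character table, and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Brand names a display name may claim, mapped to the domain that brand
# really sends from. MLB.com is the article's example; the table is constructed.
BRANDS = {"major league baseball": "mlb.com", "mlb": "mlb.com"}

# Small illustrative look-alike table (an assumption), not a full confusables list.
FOLD = str.maketrans({"1": "l", "0": "o", "5": "s"})


def skeleton(domain: str) -> str:
    """Fold visually similar characters so look-alike domains compare equal."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(FOLD)


def check_sender(from_header: str) -> str:
    """Classify a From: header by comparing the real address to the claimed brand."""
    name, addr = parseaddr(from_header)
    name, domain = name.lower(), addr.rpartition("@")[2].lower()
    trusted = set(BRANDS.values())
    # Exact match, or a true subdomain (the leading dot matters).
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    # Compare the last two labels only; production code would use the
    # Public Suffix List to find the registrable domain.
    base = ".".join(domain.split(".")[-2:])
    if skeleton(base) in {skeleton(t) for t in trusted}:
        return "lookalike-domain"
    # Display name claims a brand, but the address belongs to someone else.
    if any(brand in name for brand in BRANDS):
        return "display-name-mismatch"
    return "unverified"


# Constructed sample headers.
SAMPLES = [
    '"Major League Baseball" <tickets@mlb.com>',
    '"Major League Baseball" <tickets@M1B.com>',
    '"MLB Tickets" <promo@mlb.com.example.net>',
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_sender(header):22} {header}")
```

The third sample shows why the display name and even the start of the domain prove nothing: only the end of the address's domain identifies who sent the message.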
