WASHINGTON (CBSDC/AP) – Two recent, high-profile stories have highlighted the vulnerability of the digital security systems currently in place at large, widely patronized businesses.
First, Target disclosed that encrypted debit-card PINs, credit and debit card numbers, card expiration dates and other bits of sensitive information were stolen from millions of customers who shopped at the retailer between Nov. 27 and Dec. 15 of last year.
Security experts say it’s the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.
Around the same time, Snapchat said that it planned to put out a more secure version of its application following a breach that allowed hackers to collect the usernames and phone numbers of some 4.6 million of its users. The breach occurred after security experts warned the company at least twice about a vulnerability in its system.
In addition to corporate privacy and security concerns, thousands of Americans fall victim to breaches of online privacy every year. According to a report released by the Federal Bureau of Investigation, the Internet Crime Complaint Center received a total of 289,874 consumer complaints in 2012.
David Stelzl, author of “Data@Risk” and a prominent speaker specializing in high-tech marketing consultation, also highlighted the issues inherent in the philosophy behind digital security tactics, especially when compared with security systems used to protect offline assets.
“[A]ll physical security is built on the idea of trying to provide prevention, but usually not much. The rest is detection oriented,” he said to CBS DC. “If you look at digital security, the entire … architecture is geared toward keeping people out. Firewalls, passwords, encrypting data – none of this works. People don’t get that. You have to assume [hackers] can get in.”
He added, “When [activism organizations] announce that they plan to break into somebody – MasterCard, PayPal, whomever – they get in. What is demonstrated is that if someone wants to get in, they will get in. It’s just a matter of time.”
Despite that fact, and despite news of these incidents and the frequency with which Internet scammers strike, Americans continue to take a relaxed approach to protecting their personal information, especially when on computers and mobile devices.
In fact, technology news sites such as Gizmodo have found that people still use “password” as their password online more frequently than any other option, with other easily guessed combinations of letters and numbers such as “123456” and “abc123” not much further down in ranking on the list.
And according to experts in digital security, that attitude – combined with the overall steady improvement in hackers’ abilities – could prove disastrous.
Peter Singer, a senior fellow of foreign policy at the Brookings Institute who is also director of the Center for 21st Century Security and Intelligence and author of “Cybersecurity and CyberWar: What Everyone Needs to Know,” said that Americans need to prioritize the protection of their personal information.
“Cybersecurity is crucial to areas as intimate as your privacy and as weighty as the future of world politics,” he told CBS DC. “Whether you are the president of the United States, of a small business, or your household … all of us make cybersecurity decisions that matter.”
Mauricio Papa, the director of the Institute for Information Security and an associate professor of computer science at the University of Tulsa, agreed.
“Companies need to take the risk of a security breach seriously, not only because they have a need to protect sensitive customer information but also because it may have a serious adverse impact on their business and the bottom line,” he said. “I think we need to understand how these security breaches occurred, learn from them and implement solutions.”
Experts said that today’s technology landscape – heavily focused on concepts such as cloud storage, mobility of devices and social networking – only compounds the problem by encouraging people to share more information on increasingly vulnerable channels while also creating the illusion that information is better protected.
“Social media is not bad, but it has put users in the mindset that you can put anything online, and that passwords and firewalls are protecting them. They’re not. Email is also often thought to be secure, but it’s not,” Stelzl said.
Papa also noted that, while implementing available security tools and improving software design overall could go a long way toward protecting sensitive information and data, some of the onus must be placed upon the users themselves.
“There are many applications … where users can choose what type of information is shared,” Papa said. “I’d recommend users take the time to configure and tweak security settings. Many times, default settings may be sharing more information than we need or want to share.”
He added, “Security cannot be an afterthought, more so in these times where we are all interconnected and access to information could be just a few keystrokes away.”
Others agreed, not only regarding the necessity of increased personal awareness, but also the tenacity of hackers with malicious intent.
“The problem is that we are not well trained for these new responsibilities,” Singer said. “[Businesses] have to start looking at this as a regular part of their responsibility, just like fire protection, insurance, good operations, [and other elements of business planning and protection].”
He added, “As long as we use the Internet, there will be cyber threats. We need to change our mentality to one of awareness, actions, and resilience. If you are online, you have both vulnerabilities and a responsibility to yourself, your business, and the rest of us online.”
(TM and © Copyright 2013 CBS Radio Inc. and its relevant subsidiaries. The Associated Press contributed to this report.)