NAPERVILLE – I’m at Barnes & Noble, using free Wi-Fi to get online. I’m “unsecured,” and others can potentially see and capture my online activity.
Warnings like this don’t soothe my overdeveloped paranoid muscle. If it was just this one thing, I could get past it, but there’s more.
On Tuesday, Northern Illinois University employees received a mass email saying that soon, we’ll only have to change passwords once a year. New passwords will have to be at least 10 characters instead of the previous eight-character minimum.
This part of the announcement caught my attention: “Research has shown that while frequent password changes provide the illusion of security, longer passwords provide better actual security.”
Um, yes please, I prefer better actual security to the illusion of security. Thanks.
Here’s the kicker. Recent (late June) research from Ipswitch, a Massachusetts-based IT software company specializing in secure file transfers, indicates that IT professionals feel “an overwhelming sense of personal responsibility to protect corporate information or data, even if that involves more work.”
That’s great, right? Yes, until the next line about the research.
“While 84 percent of respondents [of a survey of over 100 IT professionals] claim they feel a sense of responsibility, nearly half (42 percent) report their organization does not mandate methods for securely transferring corporate files or have an automated system in place to mitigate the risk of human error.”
Last week, I noted that unsecured, low-tech stuff like bills and bank statements poses a serious threat to identity and assets. The best coping strategy is to keep as little paper as possible, for the shortest time possible, in a secure place, and shred everything else. That’s doable.
What’s more frightening and frustrating is that while there are coping mechanisms for protecting oneself online too (change passwords frequently, create good passwords, don’t use the same passwords for lots of things, etc.), much of your virtual vulnerability is beyond your control.
We’ve heard what happened with Target, Schnucks, Twitter, Facebook, LivingSocial, the U.S. Department of Homeland Security, JP Morgan Chase, and eBay Inc., all organizations that have had significant data breaches affecting tens of millions of people within the past couple of years.
A report from Verizon said that nearly 80 percent of corporate data intrusions in 2012 were “low difficulty.” Translation: Hackers got in very easily. The 2014 version of the report said that of 100,000 incidents Verizon has analyzed from the past 10 years, 92 percent fall into nine basic attack patterns. Prominent among those patterns are point-of-sale intrusions: retail transactions.
A recent New York Times editorial argues that companies should take two basic steps to protect our privacy better.
First, companies should be more careful about what data they collect, and why.
“By keeping lots of sensitive information, they place themselves and their customers at considerable – and in some cases unnecessarily greater – risk than if they had deleted the data or never collected it. To take one startling example, security experts say there was absolutely no reason for Target to have stored the four-digit personal identification numbers, or PINs, of their customers’ debit cards.”
Second, America should move toward credit cards with chips, rather than our current magnetic strip cards which can be easily faked.
“That’s partly why the United States accounts for nearly half of all global credit card fraud, even though it generates only about a quarter of all credit card spending,” the Times said.
But again, most of this is beyond our control.
• Jason Akst teaches journalism and public relations at Northern Illinois University. He also serves as a board member for the Northern Illinois Newspaper Association, www.ninaonline.org. You can reach him at firstname.lastname@example.org or follow him on Twitter (@jasonakst).