“I work in digital identity” is usually met by blank faces.
Most people don’t really know what it means, and it doesn’t sound like something they want to delve too far into.
It’s understandable, yet symptomatic of a society that pays little regard to digital identity and often doesn’t grasp how much now depends on it as daily life moves online.
“I have nothing to hide”
The nature of the information some people will offer up publicly online, without first ensuring robust identity practices, is startling. The general excuse is “I have nothing to hide” but, as we know in the industry, your data has real value and could be used against you. Some scenarios could include:
- Posting photos of your baby to Facebook? The social giant technically has a license to use pictures you post to their platform in any way they see fit, subject to users’ scarcely-reviewed privacy settings. Not to mention the potential consequences for the child’s safety or future career.
- Sending your DNA by post to a private company for analysis? This hands over control of your most intrinsic identifier: the results could, for example, be sold on to insurers and used to discriminate on policies. There’s also the possibility of the data being stolen, as in the recent Veritas Genetics breach, and unlike a password, your DNA cannot be changed once it has been exposed.
- Accessing your internet banking on public Wi-Fi networks? A careless or malicious hotspot operator sits between you and your bank. TLS protects the banking session itself, but only if you don’t click past a certificate warning or type your details into a look-alike login page the network redirects you to before a secure connection is made.
Data is currency. Some dangers of poor cybersecurity practice are already visible (as above); others we are unlikely to foresee. What happens when attackers turn to medical devices, or self-driving cars? A nuclear power plant in India has already found malware on its systems. And, as the Cambridge Analytica case showed, data can be used to shape political outcomes, which in turn touch every aspect of daily life.
The lessons to take from such stories are: people need to be more mindful of the information they offer online; be more careful about which organisations they trust with that data; and, importantly, take steps to safeguard access to all accounts.
Why don’t people care more?
For a lot of consumers, convenience beats security. Optional protections such as multi-factor authentication (MFA) look daunting and time-consuming. Social sign-on will often win out, even though it is only as strong as the social account behind it, which is usually guarded by nothing more than a password. Passwords themselves are similarly weak but are accepted because they are familiar: again, the path of least resistance.
Fatigue is another issue. We hear about data breaches and other cybersecurity-related scandals every day – it’s no wonder people end up tuning out. As Adam Buxton put it in his recent podcast with Shoshana Zuboff, author of The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power:
“you may feel that your plate of doom is already full, and you don’t have room for one more thing to worry about, and I heartily sympathise”.
Another major issue is that consumers don’t understand why their data is so valuable. They only realise when something truly bad (or at least very inconvenient) happens, such as the scenarios mentioned above.
So who’s doing a good job at getting the word out to consumers? Let’s look at a few examples.
On an individual level, security researcher Troy Hunt hit the headlines with his Have I Been Pwned service, which lets people check, for free, whether any of their accounts appear in a known data breach. He analyses the breach data and advises organisations and individuals on dealing with identity-related threats more effectively, noting statistics such as:
“86% of subscribers were using passwords already leaked in other data breaches and available to attackers in plain text”.
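Sites that want to stop users choosing passwords already leaked in other breaches can query the Pwned Passwords part of Have I Been Pwned, which uses a k-anonymity model: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every known hash suffix sharing that prefix, so neither the password nor its full hash ever leaves the device. The Python below is an added example illustrating that check; it is not Troy Hunt’s code or the service’s own client. The range response embedded in it is constructed for this example (the suffix for `password` is the real SHA-1 suffix, the other lines and all the counts are invented) so that it runs offline; `live_fetch` assumes the documented `https://api.pwnedpasswords.com/range/<prefix>` endpoint and is only called when the script is run directly.

```python
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

# Constructed sample of a Pwned Passwords range response for the prefix "5BAA6".
# Each line is "<35 hex chars of hash suffix>:<number of times seen>". The suffix
# on the third line is the real one for the password "password"; the other
# lines and every count are invented for this offline example.
SAMPLE_RANGES = {
    "5BAA6": """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
4D8A8C4C4CB3B9A8FA9FCB8A3EE2F4FDC4B:1
""",
}


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the
    5-character prefix that is sent and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; 0 means the password is unknown."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, backed by the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Assumed live transport: GET the documented range endpoint over HTTPS.
    Not exercised by the offline checks below."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """How many times the password appears in breach data, computed without
    transmitting the password or its full hash."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


def is_acceptable(password: str, fetch: Callable[[str], str] = offline_fetch) -> bool:
    """Policy a sign-up form might apply: reject anything already breached."""
    return pwned_count(password, fetch) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} times in the offline sample")
```

The server only ever learns a five-character prefix, which covers roughly a million possible hashes, so the lookup reveals nothing useful about which password was checked; SHA-1 is fine here because it is a lookup key for a public corpus, not a storage format for the site’s own credentials, which should still use a slow, salted hash.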
Governments are also attempting to promote cybersecurity and identity awareness to citizens and organisations, including the European Union with schemes such as the annual Data Protection Day (also run in the USA as Data Privacy Day) and European Cybersecurity Month, which takes place each October. Other government-supported public outreach includes the global Stop. Think. Connect. Campaign, which is in partnership with the U.S. government. It’s difficult to judge the effectiveness of such messaging, particularly as most people (even within the industry) are unaware of it. Every little helps, but could governments be doing more?
While there is some positive education out there, most of the messaging is aimed at identity/cybersecurity professionals and decision makers. There’s a long way to go to convince consumers to take notice.
In the meantime…
… while consumers are still largely apathetic about digital identity, we need to care about it on their behalf. Short of setting up a password manager for every acquaintance with a tendency for ‘Password1!’, the identity industry can be instrumental in stamping out passwords for good in favour of stronger and more user-friendly authentication methods – promoting the point that these are not mutually exclusive objectives.
Consumers are rarely forced into MFA, so make it easy for them to set up and to keep using. If the process is frictionless, more of them will opt in, and your services end up more secure.
Contributing to standards and industry associations shaping the identity management ecosystem will also clearly have a positive impact on the future of cybersecurity. Attending any event in digital identity makes it clear that we’re good at collaborating in aid of advancing the industry, putting aside competition in favour of the greater good.
Got other suggestions? Comment below!