Google is trying to figure out how to get rid of passwords. Twitter is exploring the best way to balance freedom of speech with preventing cyberbullying, and Facebook is trying to be more transparent when it comes to its privacy policies.
Those are just three examples of the immediate challenges major technology companies are up against as they try to build and maintain user trust in 2015. The need to improve security has never been clearer after a year that saw a number of high-profile data breaches that could have been avoided with better security preparation and user education. All of this was the focus of the keynote address at the annual ALM LegalTech trade show, which began in New York City Tuesday morning.
Eric Feigenbaum, director of security for Google Apps, told the audience that many of the breaches that haunt executives’ dreams are caused by the integration of personal and professional devices. The best way to solve that, the company thinks, is to put more emphasis on two-factor authentication, perhaps by investing in ways for Google to identify if someone is trying to connect from their home WiFi network, or is wearing their registered smartwatch. Current two-factor authentication forces a user to not only enter their password into a website, but also verify they are who they say they are via text message or by a variety of other means.
“In most cases [hackers] were getting passwords with phishing, snooping, hacking, keyloggers, etc. and it became really clear in 2014 that passwords are bad and that we need to come up with new technology to get rid of them,” Feigenbaum said. He explained that Google has 500 security professionals, proving the company has a scale that’s only comparable to security in the financial world.
“Where is your money safer: under the mattress or in a bank?” he went on. “And the bank can afford armed guards, video surveillance and the big safes.”
The biggest problem with educating users is that, even after so many high-profile hacks, most people are still targets. The audience on hand to listen to the cadre of privacy officers – from Google, Tumblr, Facebook, Twitter and Microsoft – was made up of hundreds of IT professionals, cybersecurity attorneys and digital insurance executives. Yet when questioned about how many use two-factor authentication or how many of their companies conduct data breach drills, perhaps five percent raised their hands.
The pervasive ignorance is never more on display than when tech firms are trying to recover from serious hacks in real time, said Laura Pirri, Twitter’s legal director.
“Often what happens is that when you have a security incident companies get siloed in trying to figure out what their own response plan is going to be and they end up not sharing critical information with each other that could help other companies prevent those kinds of breaches,” she said before praising U.S. President Obama’s new initiative to promote increased communication among security executives.
“I can say from our experience that when we’ve reached out to others that this was actually a widespread attack and more information sharing about it could have prevented the attack.”
Much of the conversation went back to transparency – whether it was about being proactive in responding to a state-sponsored cyber threat or making it possible for users to decide for themselves if they want to include location information in their posts. The same mentality is visible in the formulation of passwords, when a site says that a user’s password is either weak or strong.
“Change can be difficult but you have to do a really good job, and this is on the provider to do this, to communicate to people why you’re making the changes you’re making and what kind of tools you’re making available to offer users the tools that they want,” said Edward Palmeri, Facebook’s director and associate general counsel of privacy and regulatory affairs.
Google’s Feigenbaum put it more simply when he said, “If you make it easy for users to do the right thing they tend to do the right thing.”