How many times have you clicked “agree” for a new service without reading the terms? Do you understand all the privacy settings on the social networks you use? Does that awesome app you just installed store your user credentials as plain text in its database? Are you reusing the same password on every new site and app? Have you received a notice from one of your online services about a security breach in the past six months? Did you actually do anything in response to the Heartbleed vulnerability? Do you even care?
That was the question that ended up dominating the conversation recently at the PluggedIn Ventures Roundtable on the Consumer Cloud. Given the subject, it was a rather wide-open and broad discussion, and it started out strong. Then, not ten minutes in, the security questions landed like a bombshell. The one quote from that talk that really stayed with me was the comment that “no one cares about security”. To a point, that sentiment is correct. Our online behavior belies our stated beliefs. We simply do not care about security, because it is too complex, too overwhelming, and too time consuming. We click yes and move ahead.
As consumers, though, we do care about security. When Target was caught up in the scandal over its breach last Christmas season, people were livid. Still, even though their credit card numbers might have been circling the globe, passed from hacker to hacker, the general public kept shopping at Target, using newly issued credit cards. Only when it becomes really inconvenient do we care about the question of security.
Contrast that with the enterprise. Every large company has reams of security protocols and a staff to manage enterprise-wide security, both physical and digital. Every new tech vendor has to go through an extensive security and architecture review with the IT team. Even with all these measures in place, breaches still occur. But at least enterprises seem to care and are actually taking steps to address the security holes. The problem has simply become too big for most organizations to fully grasp and remediate.
Oddly enough, it is in security where the enterprise may take the lead over its consumer cloud brethren. This is in large part due to the initiatives that have evolved within heavily regulated industries to address legislation around privacy and data. Through various incentives and penalties, companies now have a framework by which to implement privacy controls, and that framework extends to the broadening digital channels across healthcare, finance, media, and other industries.
HIPAA is one such set of regulations that has pushed the healthcare industry to implement greater controls and privacy constraints on patient medical records. This has even greater relevance now, given the rapidly evolving personal health tech space (such as the recent Apple Health announcement) and the push to accelerate EMR (electronic medical records) adoption driven by the Meaningful Use incentives (enacted under the HITECH Act). As the tech world pushes more and more devices and software services to consumers, look for a higher level of security to come with those devices. And when it comes to healthcare, people will care that their privacy is being looked after (even if they still click that check box).
Some are concerned about government involvement in technology. However, it was regulation that forced banks to become much more secure about people’s bank accounts. In turn, that helped build trust in the institutions and lowered the number of bank runs. Until the government mandated seatbelts in cars, the auto industry battled ferociously to keep them out of vehicles. The same goes for HIPAA, GLBA, and other regulatory frameworks that make industries take stock of the privacy needs of their customers and the general public.
But what is still missing? There is still no framework for modernizing and standardizing security at every level of our cloud infrastructure. It is a hodgepodge of pieces that do not work very well together and still manage to leave gaping holes. It is not enough that the host itself is secure; it also matters that the software running on it is not vulnerable, and vice versa. Our software in particular is incredibly vulnerable to all sorts of attacks. It is just a matter of time before an even bigger breach than Target wakes us up to the fact that we swept the issue under the rug. This is one area where the enterprise tech world could very likely take the lead in building the security and privacy infrastructure for our current age.
Image credit: CC by DaveBleasdale