Consider for a moment the very notion of information security. In general, is it really necessary in every aspect of our lives? Do we really need encrypted messaging on our personal phones? What about encrypted email? Do we need secure personal file storage? Should we be careful about what information is available on the internet pertaining not to just our private identities, but also to our daily activities, our thoughts, opinions, and interests. And if we were discussing business instead of personal information, would the answers to these questions be any different?
The very argument over whether private citizens need and even should have access to security to protect their personal communications and information has, surprisingly, been a hot one. The flames of the debate are fanned by media coverage of companies like Apple pushing back on the FBI’s requests for access to suspects’ iPhones and Apple Messages traffic within iOS such as what occurred in the wake of the Orlando night club shooting and the San Bernadino shooting in 2016. The argument tends to center around two general positions: those who say security should be a right and is supported by the Fourth Amendment, and those who essentially say that if someone has nothing to hide, they shouldn’t need security and shouldn’t care if anyone is looking.
Do you have anything to hide?
Let us focus on the second position in this argument. Let’s acknowledge that if someone doesn’t have anything to hide, then that person should not be worried about what criminal investigators might find if they were to be investigated. But there is more to this than criminal investigations. This argument dismisses the notion that individuals have information that is valuable enough to protect or even harmful to them if in the hands of the wrong people. Also, because this sentiment about security is so prevalent, it carries over into business. Add to that the misguided belief that they are not the target of malicious individuals because they have nothing that “hackers” would want and we have a great number of people and organizations that don’t feel being proactive about information security is necessary.
Cybersecurity basics
One of the most fundamental tenets of cybersecurity is “deny all, allow by exception”. In other words, to protect information or any other asset, your baseline policy should be to literally deny everybody’s access in every way. Only by request, and with proper justification, should an individual be explicitly authorized access to what is being protected. This principle is universally endorsed and recommended by all major security standards and certifying organizations, including the National Institute of Standards and Technology’s Special Publications pertaining to technology and information security used by the U.S. federal government, the International Standards Organization’s information security standards used in Europe and around the globe, CompTIA, ISC(2), all of academia, and pretty much every other trusted and credible authority on information assurance and cybersecurity.
If the concept of “deny all, allow by exception” is staple of security for government bodies, banks, healthcare, insurance, investment firms, and corporations, why then do we not accept this into our every day personal lives? And why is this practice not universally applied to all business? One theory is that people simply don’t feel they have information valuable enough to be worthy of the effort required to protect it. It’s true, governments and big businesses have a great deal of sensitive and proprietary information that is worthy of extra efforts and security investments. But those organizations don’t (or at least they shouldn’t) just stop at protecting the sensitive information. Many understand that this tenet does not apply only to especially valuable assets, but instead to everything.
“Its not that I don’t have anything to hide”
Take a moment and ponder this line from the recent Netflix movie, Anon: “It’s not that I don’t have anything to hide, it’s that I don’t have anything I want you to see.” What Amanda Seyfried’s character in this movie understands is that if we share information, even the smallest bits of seemingly harmless information can potentially come back to harm you. Not only that, but it takes much more effort to protect oneself against information freely shared than it does to simply ensure the information isn’t shared in the first place.
A fact of the age that we live in is that technology has infiltrated every aspect of our lives. Gadgets, Internet sites, and cloud services have given us so many valuable benefits that we happily invite more technology into our households and businesses. What we often don’t consider is that just as our daily activities have shifted to incorporated and event to frequently depend on technology, so has crime.
But I don’t have anything to worry about
Thirty years ago, a con artist looked something like Ruprecht from Dirty Rotten Scoundrels, but today fraud comes in the form of social engineering and spam email. Theft and robbery, though still common enough, traditionally involved breaking and entering, the threat of physical harm, and the loss of physical assets. Today, theft and robbery also involves ransomware like the one that crippled the city of Atlanta earlier this year or 2017’s infamous “WannaCry” epidemic. Even major heists no longer look like the movie Reservoir Dogs because criminals can simply hack BitCoin exchanges. Stalkers and sexual predators today no longer need to physically follow their targets around because they can learn their targets habits, routines, and even get ideas on how to engage with someone simply by following their social media presence. Long story short, crime has turned to technology because like in many other areas of life, technology has made committing crime easier and safer for the criminals.
Would you put your personal or company files, like birth certificates, financial documents, and private photos in a box on the sidewalk for storage? Would you secure your home or office with only a screen door while you’re away? Would you build a home or business’s facility out of transparent glass so that every outsider could take note of every intimate detail of the activities happening within? Would you broadcast conversations with friends, family, or a lover over a loud speaker for anybody who might be listening to hear simply because you don’t have anything to hide? Of course you wouldn’t. You wouldn’t do any of these things because you value your physical security and personal space. You, like most everyone else, only showcase specifically what you want others to see and hear.
Considering that everybody has turned to technology, criminals included, why do we not take the same attitude with our electronic lives? To quote Anon again, “It’s not that I don’t have anything to hide, it’s that I don’t have anything I want you to see.”