People are very, very worried about protecting their data — but not worried enough to work through the nuts and bolts of protecting it.
That’s the central finding of Malwarebytes Labs’ latest report, “The Blinding Effect of Security Hubris on Data Privacy,” which surveyed almost 4,000 people to measure their confidence in their own privacy and security practices, as well as their confidence that businesses would maintain their privacy.
“With each begrudging entry of sensitive personal information, not to mention each news story about companies such as Facebook and Google abusing that personal information, users are having an emotional reaction to data privacy,” the report found. “What is surprising, however, is that their behavior does not match up with their feelings. … [W]hile data privacy was a top concern, with trust in companies to maintain it painfully low, users did not follow through with some of the more difficult and cumbersome cybersecurity best practices to keep their data safe.”
Why not? It’s not simply that it’s too hard. The answer lies in what the report calls “security hubris.”
Jovi Umawing, Malwarebytes’ senior threat content writer, describes security hubris as “the belief or feeling you get when you follow basic security and privacy best practices while avoiding the difficult or cumbersome tasks, hoping that’s enough to protect your online data.”
It means you’ll take the easy steps but not the hard steps. And it means there’s a big gap between how safe you think you are, and how unsafe you really are.
“This security hubris … is dangerous in today’s climate, as cybercriminals and shady application developers alike identify those blind spots and use them to their advantage,” the report said. “Meanwhile, search engines and social media companies continue to abuse and misuse data users perceive as private, such as their browsing habits and personal information.”
The vast majority (96 percent) of respondents across all generations say they care about their privacy, and 93 percent use security software (see page 10) — but the report identified a number of “security fails,” finding people often ignore steps that would shield them from common attacks.
The top three:
• Skimming or not reading End User License Agreements and consent forms;
• Using the same password across multiple platforms; and
• Not knowing what data their smartphone apps and mobile device apps can access.
The common factor is that all three are very difficult to do correctly, the report found.
“EULAs are long and boring, passwords are hard to remember, and the user just wants to use the app already — why bother with permissions?” it said. “Security hubris makes us believe that since we are secured in one way, then we are secured in all ways. Who cares about passwords when you’re careful about what you post on Facebook?”
That’s bad news for the data on your phone, your laptop and other connected devices — and it’s also bad news for businesses, especially given the growing popularity of “bring your own device” policies.
“There are risks to company data — not just to personal data — when employees bring their devices to work and connect them to the company network,” Umawing said. “Many think that because they’re using their own smartphones or tablets at work, whether they do it purely for personal use or for doing work occasionally, they use company internet the same way they would at home. They install third-party apps or software that, in turn, is given access to work files saved in their phones.
“The same is true for those who bring their laptops to work. They don’t realize this because they normally don’t read app permissions or EULAs.”
That should give business leaders pause — especially because, as Lauren Goode points out in Wired, mobile apps “can vacuum up a crazy amount of data with every interaction,” by accessing the phone’s microphone, cameras, camera roll, location services, calendar, contacts, motion sensors, speech recognition and social media accounts.
“Business leaders should realize that, when it comes to BYOD, their employees don’t have an off switch for certain risky ways they use the internet at home once they’re in the office,” Umawing said.
Employee education and training about the company’s bring-your-own-device policy are essential, she added, but there are certain browsing behaviors, sites and software that businesses should readily block.
“Business leaders should also consider using technology to aid them in controlling what information employees can access while out of the office and ensure that these employees are who they claim to be,” Umawing said. “This is where identity and access management software come in.”
Aside from the gap between perceived data security and reality, Malwarebytes researchers found a gap between people’s trust in social media companies and their trust in search engines.
While trust in search engines wasn’t exactly high (57 percent of Baby Boomers distrust them, compared with 65 percent of Gen Xers, 64 percent of Millennials and 75 percent of Gen Z), almost no one trusted social media companies.
An overwhelming majority — 95 percent — said they distrust social media networks, and 94 percent said they refrain from sharing personal information on social media.
The Pew Research Center found while 5 percent of Americans used social media platforms in 2005, 69 percent were using social media by 2018 — a fourteenfold increase — and that growth occurred across all demographics.
Given the popularity and ubiquity of social media, privacy concerns obviously aren’t keeping people away. So how are users defining the “personal information” they’re not sharing?
Umawing said she’s confident the Malwarebytes survey respondents know what personal information is — at least the common types, such as complete name, home address and date of birth.
“Whether all respondents know or fully understand how their data can be shared remains to be seen,” she said. “I suspect probably not, especially in the U.S., as what counts as ‘personal information’ varies by state.”
People also may not understand that search engines — and not just social media companies — can do worrying things with their information.
Malwarebytes researchers said there’s a “comprehension gap” where people believe search engine companies are more secure than social media platforms. But search engine companies also rely on privacy-invading policies to collect and monetize users’ data.
In fact, Google collects far more data than Facebook, according to the “Google Data Collection” report, released in August.
Vanderbilt University computer scientist Professor Douglas Schmidt led an analysis of the breadth and depth of data collected by Google, finding the digital giant collects and collates almost every move you make online — including music, maps, news, appointments, web browsing and purchases.
Even if you’re not using your phone, Google is collecting. The study found that a dormant Android phone (with Chrome running in the background) sent location information to Google 340 times during a 24-hour period.
“These experiments were done on stationary phones with no user interactions,” the study said. “If you actually use your phone, the information collection increases with Google.”
No easy answers
The Malwarebytes report lists virtual private networks, The Onion Router (Tor), and encrypted messengers among privacy tools users might turn to. They all come with their own risks. Not all VPNs are legitimate; sending any personal or unencrypted data over Tor is a bad idea; and messengers are just as likely to be breached as other services.
There are no easy answers.
So what about legislation as a means for changing privacy practices, curbing data collection and reining in the corporations who use it?
“I think more and more internet users and consumers are beginning to realize two things: Their online data is invaluable, and that, as owners of their data, they have a say on what data they choose to share and what they choose not to,” Umawing said.
“Realize also that, as citizens, we too have a voice on matters relating to the government and law enforcement’s use of our information. I think we should make good use of that.
“Legislation on the respect and fair use of online data, I think, is essential and really sets the bar high for current and future companies when it comes to the collection, processing and storing of customer information. We’ve seen how the [General Data Protection Regulation] has significantly impacted businesses in the United States with clients who are in the EU and U.K. markets.”
Promoting change on a policy level is “a great first step,” Umawing said.
“But consumers using their freedom to abstain from paying for products and services — or encourage others to boycott brands by starving them of clicks — to protest companies misusing their data,” she said, “is also a powerful way to get businesses to listen and act.”