I have said before that I think the biggest reason that customers and “regular” people don’t straight up demand businesses get better at security and privacy is that they don’t really understand it.
This is closely followed by the fact that “regular people” aren’t necessarily damaged all that much by these data leaks or anything else. Sure, if your credit card info is stolen it’s a pain to have to cancel the card, etc., but the bank takes care of the loss; they wipe it away from being our problem. So, no huge harm.
But if you take a deeper look at ransomware, and the number of devices and systems getting hacked, you would realize that the questions Sarah asks here are not that far-fetched.
- “Can you generate new fingerprints and retinal scans when yours are stolen?
- How long will it take your child to recover from the bad credit history that a third-party created when the kid was still in diapers?
- How confident are you that during surgery, the medical records will accurately reflect known allergies and critical data? (like current use of blood thinners)
- How many days can a business afford to be inoperable following a cyber incident?
- Will you want to drive on a highway, going 70+ miles per hour, if all internet-connected vehicles were hacked in a coordinated attack?”
I get it, you may be thinking Sarah is simply trying to scare all of us, and she probably is, because she works in this area all of the time and she knows that none of the above scenarios are all that far-fetched. You probably use your finger to unlock your phone now, if not your face, but how do you lock your phone securely if a copy of your fingerprint is leaked somewhere? You don’t get a new one. Or what happens when your “connected” car is taken over remotely while you’re driving, or your medical records suddenly disappear (or are altered, which is actually the way scarier result of any hack; paying ransom to get data back is nothing compared to the danger of records being incorrect)?
Those seem like movie pitches, but they aren’t really impossible now. How do you protect your data when it’s actually in the hands of many, many large companies? Will you demand they do a lot more than they have thus far to protect it?