Human error key factor in privacy vulnerability: McAfee chief privacy officer

Michelle Dennedy visits Sydney for Privacy Awareness Week

Human error is the key factor in the top three cybersecurity vulnerabilities businesses face, according to McAfee chief privacy officer, Michelle Dennedy.

Data privacy must be built into operational systems and data management policies to mitigate the key vulnerability of cyber security – humans.

The top three threats to customer privacy this year – targeted point-of-sale malware attacks, software coding errors and internal misuse of customer information – are in whole or part the result of human interaction with security systems.

Dennedy, author of The Privacy Engineer’s Manifesto, who is visiting Australia to send a message to businesses during Privacy Awareness Week, said even the most comprehensive security system has its flaws, most notably human errors or choices that make security processes less robust and result in a loss of customer privacy.

“We live and work in a digital, IP-connected world where privacy and security vulnerabilities cannot be completely programmed out,” she said.

"That being said, the best course of action is to plan for the eventuality of errors by building a privacy infrastructure that places protecting customer data at its heart, and provides clear policies and guidelines for employees who are in charge of managing this type of information.

She said she had seen three recent types of vulnerability which could happen to any business that stored customer account and financial details.

"In each case there’s been an important lesson to learn about respect for customer privacy,” she said.

The retail sector in particular has seen a spike in attacks on point of sale (POS) systems as cyber criminals exploit an area where there has been little effort to secure customer data.

“We’ve found that retailers are falling into a ‘security by obscurity’ trap – they mistakenly believe that their POS system is so customised to their particular business requirements that it would be too difficult for hackers to bypass the controls and access the system,” Dennedy said.

“In fact, most use fairly standard systems and processes and it is relatively easy for criminals to gain access to customer account and credit card details; many hackers are using fairly unsophisticated off-the-shelf malware to perpetrate a successful attack.”

Some recent data breaches have occurred despite the security system identifying an attack, because the security team ignored or overlooked critical alerts.

The Heartbleed vulnerability in OpenSSL poses one of the most formidable security and privacy concerns in recent memory, since attackers exploiting it could have eavesdropped on communications, stolen data directly from services and users, or impersonated services and users.

Dennedy said Heartbleed was caused by human error in the coding of the software.

“But as this particular technology standard is not very user- or administrator-friendly, OpenSSL has been implemented poorly in many cases, creating an even broader problem for businesses,” she said.

“Technology developers must go further by building privacy controls into their products at their genesis, rather than attempting to bolt them on to technology as an expensive afterthought with risk-liability implications,” Dennedy said.

Internal data leaks are almost always the result of human error, whether by the person handling the customer data or by those in charge of writing, implementing and enforcing the data handling policies or setting access restrictions on sensitive data on the server, including access held by people who no longer work for the company.

With consumers becoming more aware of their digital footprint, and the value of their privacy, these types of vulnerabilities within an organisation’s processes and systems are taken seriously, she said.

"The changes to the Australian privacy laws have helped everyone realise and respect that data is not just data, it’s information on human beings,” Dennedy said.

“What we are aiming for is privacy by design, where businesses think about what their customers would expect from them and use that as a starting point for building a privacy framework.

“We call this ‘privacy engineering’, where customer privacy protection practices are embedded into every aspect of the business and at every level of employee, and that means all staff – current and past.”
