In the era of big data, consumers and businesses alike are being shaken by hair-raising data breaches, each one feeling closer and closer to home making people think more about their privacy and security. The most significant event last year was without a doubt the Equifax breach which impacted over 143 million customers. The exposed information included full names, birth dates, Social Security numbers, addresses, credit card numbers and more. Enough information to have your complete identity stolen.

It’s a scary time to trust third parties with your personal data

In case you missed them, here are some of the other household names that suffered breaches in recent years:

  • Uber with names and email addresses of 57 million riders and drivers stored on GitHub exposed
  • Verizon with the customer service log files including name, cell number, and pin of 14 million customers exposed
  • Under Armor’s My Fitness Pal app with the names, emails and passwords of 150 million users exposed
  • The colossal Yahoo! breach with a whopping 3 billion customers exposed

Privacy and security
When Facebook came under scrutiny for sharing the data of more than 50 million users with data firm, Cambridge Analytica, it became very clear that it’s not just data privacy breaches we need to worry about, but trusted services providing our personal information to irresponsible third parties. This sharing may be intentional, it may be clumsy or it may even be automated via the many APIs that make our favorite services more and more integrated and easy to use.
With users rushing to export Facebook data, delete their accounts, change permissions on Uber and reset the password they use across every account including My Fitness Pal, it’s easy to understand their feeling of powerlessness. So what can businesses do? This is where it gets sensitive.

Employees want their privacy – especially on mobile

Today’s leading enterprise IT security companies have an extraordinary ability to protect corporate and personal data, to a level that end users alone cannot. But what is required to protect this data, is visibility of this data.
Mobile security companies, in particular, are challenged by the notion that employees don’t want their company’s IT teams seeing everything they do on their devices. It is widely accepted that as an employee, many of the things you do on your desktop are filtered, monitored and made available to the security team to reduce the employee’s risk exposure, protecting against things like mobile malware, data exfiltration, app leaks and phishing scams.
For a variety of reasons, employees have an entirely different attitude when it comes to mobile, which means a slightly different approach to securing them.

When something is as pleasurable and personal as a phone, we’re more emotionally invested and therefore become less cautious with the information we share.
Nathalie Nahai, author of best-selling book Webs of Influence: The Psychology of Online Persuasion.

Privacy and security

Government surveillance and national security

The UK’s Digital Economy Bill is an example of how legislation can grant governments access to citizen’s data and allows the sharing of that data between governments. While this legislation has been criticized, others have argued that it is necessary for governments to have access to citizens’ information in order to detect fraud against the state and to tackle growing issues such as online terrorism operations and cybercrime as well as protecting children from pornographic material.
In the US there are also the National Security Letters, a provision of the Patriot Act that allows the FBI to access data on American citizens such as phone records, computer records, credit history, and banking history without a judge’s approval.
Just like implementing enterprise mobile security solutions in a business, formal guidance is needed to ensure this kind of data collection actually improves efficiency and services but also ensures that data is adequately protected. With GDPR in play and government entities that handle the sensitive information of European citizens are putting measures in place to ensure this data is protected. As ever, it’s a tussle between privacy and security.

So can data privacy and security co-exist?

Like with so many things, moderation is key – there is always a balance to be found. There is no need to compromise one for the other. For businesses, there are consequences of having over strict security where an IT team has full visibility into every email, every message, every search and every keystroke on an employees device, it would understandably create some upset. Likewise, an approach that is too far on the privacy play, where an employee can access work-related services on a mobile device without supervision leaves the organization – and the employee – exposed to unnecessary risk. Data becomes at risk when things like SMSs with phishing links are clicked, when unauthorized file sharing services are used to upload files, or when a malicious application is downloaded that exfiltrates data to attackers. Even with an endpoint security solution in place, with zero visibility into the actual activity (the traffic), the employee personal data is under threat of exposure.
The balance in the relationship between privacy and security is finding a tool that allows a certain level of visibility: close enough to be able to detect dangerous activity on the device and the network, but high-level enough to protect the user’s need for a private experience.
When it comes to the debate on privacy and security, many people still believe you need to choose one or the other, but the reality is you can have both. The past couple of decades have seen the development of tools that allow for the best of both worlds: security powered by information analysis and simultaneous protection of individual privacy. One of those tools is usage anonymization, which is something we offer our customers at Wandera.
Privacy and security

The tools that allow both data privacy and security

At Wandera, getting this balance right is critical. Relying only on an application with no visibility into traffic would mean a huge portion of the threat landscape would remain unprotected against. Wandera technology scans data traffic to find anomalous, risky, unapproved and malicious data activity and services. This means gathering information about the apps used – for example, the amount of data used by the app, the time it was used, what version and when it was installed. Also vital to this protection is visibility into the domains visited through the browser, but from a privacy perspective, it’s important that the content of the page and how the user interacts with it remains obscured.
That means no analysis of the content of emails or text messages. This level of insight is not required in order to protect the device and its data. For example, if a user receives a phishing link in a text message or email, only the visit to the malicious domain should be scanned and prevented, not the content of the message itself.
Likewise, the actual materials being uploaded to DropBox are kept private to the user – but without mobile content filtering in place, a user might be uploading large files to unsanctioned cloud storage services is information an organization simply must be aware of in order to safeguard against data exposure.

Why encryption doesn’t cut it

Broadly speaking, encryption is incredibly valuable. The vast majority of sensitive transactions that take place on a mobile device are encrypted as they travel from A to B across the internet. If anyone happens to get their hands on it, all they will see is a load of unreadable characters. Many app developers and services take security very seriously and implement special measures to ensure data can’t be decoded. However, there is a surprising proportion of apps and services that simply do not implement good security. Some very large companies have made a mess of security in the development process and in some cases simply haven’t bothered with it at all.
What does that mean? In a nutshell, it means you can’t ever be sure, yet people blindly trust that these services are providing mobile data security. And as demonstrated by the breaches outlined above (which is only a small portion of a huge number of high profile data privacy breaches), users would be wise to trust their privacy with a security provider that can detect data-level attacks that can lead to privacy breaches that would spread their PII all over the internet.
For every 100 employees, every single day there will be 48 different instances of a service being used that is potentially leaking data. Clearly, some visibility into web data is essential in preventing a data leak – but also that user privacy must be respected.
There is a balance in the relationship between privacy and security. No visibility means no security. Full visibility means no privacy. An aggregate, partially anonymized and top-level view into the data is the logical and most secure solution – the alternative is just too risky.
[text-blocks id=”gdpr-mobile-implications”]