Please Don't Be Like These Guys

With the inevitable breaches that are publicized in the news regularly, a question crosses my mind every now and again: "What exactly are companies doing to protect our data?" Granted, I don't believe companies should post online precisely what they are doing, but some level of reassurance is warranted. Larger organizations reach out to their vendors to ensure their money is well spent. Similarly, what security-conscious organizations bound by compliance and audit requirements do to reassure their stakeholders that they are compliant with things like PCI and SOC should be how all organizations and industries operate. Individuals should do that same due diligence and research how the services they use store, transmit, and process their data, at least at a base level of understanding.

For example, here's something posted on an email service's website (not an ad):


While they don't share all the details of what they are doing, this company at least demonstrates that they are using "secure implementations of AES, RSA, along with OpenPGP." With this declaration, I don't have to wonder whether they are using MD5 (not encryption) and relying on security through obscurity. It gives some ease knowing that they are saying the right things, even if I can't verify that they are doing the right things. Don't you wonder whether other providers and custodians of your data are even attempting to protect it?

Recently I visited and toured a practicing medical facility that was taking and seeing patients. I looked in the basement and, to my surprise, I came to find patient records in Saran Wrap. I'm not sure if they believe the Saran Wrap will make sure none of the files walk away. I am also not sure if their customers would feel reassured knowing that their data was separated from the outside by a single glass door, which anyone walking along the building could smash to make away with their medical records. I can strongly hypothesize the answer to that, though. :-) It's a fact that medical records are worth more than personal records, and even more than credit card information. You would think medical facilities would operate better, since they house such data and have been the target of a lot of adversaries recently. I know these are only paper records, but if they treat these files like this, just imagine what they are doing with a patient's electronic records, which I am sure most of them know even less about how to protect.

Would you be a patient at a place that treats your files like this? Well, you might be already. #justSaying! I am personally going to start inquiring more about the things I am paying for when choosing one company or provider over another for services. I don't even want to know how their electronic data is stored.

I believe that, in time, the best companies will prevail as breaches continue to be revealed to the public eye. People decide with their dollars. Maybe one day all the data a company collects on a user will be encrypted, and not just usernames and passwords. Until then, ask more questions about their practices. The old saying "ignorance is bliss" will only go so far.