Trust Takes Time and Dedication to Build, But Only A Second to Collapse

2011 is being heralded as the “year of the breach”. Combined with the rise of fraudulent business activities and uncertainty of the U.S. economy, recent studies indicate trust in email, advertising and businesses is heading towards an all-time low. The convergence of these events and data collection abuses has us heading towards a trust tsunami.

Cybercriminals are working 24/7, with increased precision and relevancy. They are no longer content to reach consumers via email phishing. They are moving upstream through the supply chain, targeting business and government leaders. Gleaning data from public sites including LinkedIn, Facebook and businesses’ own sites, they are crafting personalized and compelling emails trolling for access to data, customer lists and confidential information.

Cybercriminals have realized that if they can infiltrate trusted systems and hijack a business’s infrastructure, their ability to compromise a user increases significantly. For example, breaches at leading email marketers provided the capability to mail to millions of unsuspecting users, leveraging their trusted status with ISPs and mailbox providers. By targeting ad networks with malicious advertising (malvertising), a single ad can be served to hundreds of thousands of users every day, from the very sites consumers trust and frequent. By compromising the ad supply chain, the cybercriminal has effectively bypassed multiple levels of security. The sites may be safe, but the third-party ads being served through them and the code being executed are not.

A recent example was with the certificate authority DigiNotar. They experienced a total failure in preventing, detecting, and, perhaps most importantly, adequately notifying the browser community that over 500 certificates were fraudulently issued. The reaction by the community was swift and decisive, invalidating all of their certificates. Trust has been lost and likely will never be regained. Mozilla will no longer recognize DigiNotar SSL certificates and has stated that its decision is permanent.

Reviewing all of these incidents, there is a pattern: a lack of proactive security focus by the company and a failure to adhere to security and privacy stewardship fundamentals. Unfortunately, cybercrime will continue to grow, and business leaders need to accept the fact that they will likely have an incident. To succeed we can no longer work in isolation, or think we are immune. Our best defense is collaborating, sharing data and best practices. We need to learn from our mistakes and from the successes of others.

We must act proactively and be willing to make meaningful changes in our approach to security and privacy. The failure to do so risks significant consequences. One scenario is that a tsunami will bring on a trust meltdown. Consumer confidence will continue to decline, negatively impacting the vitality and growth of commerce, and fraud losses will wash profits out to sea. The second wave will be the rising tide of regulatory scrutiny, adding costs and complexity while stifling innovation.

Fortunately, progress is being made on many fronts. Support of initiatives such as email authentication continues to build momentum and other practices including “always on SSL” and promotion of Why Your Browser Matters are making a difference. The work of the OTA infrastructure and anti-malvertising committees continues to move forward, publishing practical advice and guidelines to aid all sites.

To learn more, I am personally inviting business and policy leaders to join the Online Trust Alliance at the Online Trust Forum in Washington DC, October 17–19. The Forum provides a platform for Learning, Innovation and Collaboration. With over 60 speakers who are thought leaders in security, branding, interactive marketing and public policy, the OTA Forum uniquely provides a 360-degree view of the issues, challenges and remedies. More information is posted at https://otalliance.org/dc.html

Messaging News is a supporter of the Online Trust Forum, and has been for over six years. Join us at the Forum and save $200 off of registration using the discount code OTAMF.

Craig Spiezle -- Executive Director & Founder; Online Trust Alliance

About Craig Spiezle

Craig is a widely recognized expert on consumer trust and the convergence/importance of online policy, privacy, security, governance and stewardship. Recognized as a voice of reason and a trusted advisor, Craig is on the board of the Identity Theft Council, on the editorial advisory board of SC Magazine and was recently appointed to the Federal Communications Commission’s Communication Security, Reliability and Interoperability Council. In addition, Craig is an active member of the Email Service & Providers Coalition, the London Action Plan, InfraGard, the International Association of Privacy Professionals and the Anti-Phishing Working Group. Prior to OTA, Craig spent over a decade at Microsoft, as Director of Security & Privacy Product Management for Internet Explorer, driving the development of anti-spam, anti-phishing, anti-malware and privacy enabling technologies.