Tag Archives: data protection

Your money or your data!

The scene unfolds like a cyber thriller. You fire up your PC and a message appears saying your files have been encrypted. Your screen looks like it’s from the FBI. Sometimes it identifies itself as malware. Sometimes it’s a plain-text message. When you click around in your PC (assuming you still can), you find that your photos and text files are indeed unavailable.

The screen also asks for money. To get the key to unencrypt your files, you must pay, usually in some form of untraceable currency, such as bitcoin. In most cases, there’s a firm deadline when payment must be made. If you miss it, the fees shoot up. At some point, your files are permanently encrypted.

Welcome to the world of ransomware.

While this form of malware can slip into devices in any number of ways, phishing is probably the most common vehicle. Basically, bad guys send innocent-looking emails that ask recipients to click on a link or download an attachment. (Phishing is also used to ask for money directly.) A tiny piece of software infects the machine and goes about encrypting files before demanding cash. Sometimes the message pops up automatically. Sometimes there’s a time delay or a switch that lets hackers turn it on when it’s convenient to them.

And sometimes attacks are big and bold. Two assaults on major hospitals in the US, for instance, used multipronged ransomware infiltration to shut down key networks and records. But experts largely agree that most attacks are on individuals. Mass emailing allows criminals to take advantage of long-tail effects and the fact that many people would rather just pay a few hundred (or thousand) dollars to have their data – which many consider their life – returned to them rather than fight back through various law enforcement channels.

Data hostage taking is on the rise

Given the efficacy of ransomware, the number of attacks is set to grow. In its annual Threat Landscape report, published in January 2016, the European Union Agency for Network and Information Security (ENISA) characterizes 2015 as “the year of ransomware”. According to the study, the number of reported incidents nearly doubled in 2015 compared to 2014, with aggressive phishing campaigns a hallmark of many attacks. Targets tended to be in North America and Western Europe, as residents are perceived to have the money to pay.

ENISA also notes that 2015 was a year of innovation in ransomware development and deployment. The number of new ransomware types quadrupled in the first half of the year alone. Criminals have set up service centers, allowing the non-technical to buy crimeware-as-a-service, further expanding the reach of ransomware. And stealthier delivery methods are still being developed.

Do I know you? Did I ask for this?

Phishing is still the most common delivery method. Which is convenient, in a way, as there are some practical steps you can take to avoid getting scammed. Probably the most important is to maintain an online “stranger danger” mindset. If an email looks even the slightest bit suspicious, don’t open it. If it’s from someone you don’t know, don’t open it. If it says you’ve won the lottery, are being watched by some security agency, asks about an order (you did not make), or promises rewards in some other way, don’t open it. (Similar phishing attacks also appear on Facebook.)

For emails you’ve opened, if they include links or attachments you weren’t expecting or didn’t ask for, don’t click or download. If you feel that you must do either, reply to the sender (if you know them), and ask if they did indeed send you something. If you do not know the sender – delete the email.

And of course, you should build a fortress around your device. This is where AVG can help. We provide antivirus, link scanners, attachment and download checkers, enhanced firewalls, spam blockers, and file encryption to help keep your photos, videos, files, contacts, and devices safer. If you haven’t done so already, give us a try on your PC or Android phone.

‘Instagram for Doctors’ app could risk your privacy

A social networking app called ‘Figure 1’, dubbed the ‘Instagram for doctors’, allows medical professionals to share photos and comments of interesting or baffling clinical cases with the goal of providing advice, education, and treatment options. But does it put patient privacy at risk?

Anyone can download the app and view the material posted on the platform, but only healthcare professionals can post images or make comments.

Any images posted to Figure 1 must have any physical details that could identify patients (faces, tattoos, piercings etc.) obscured or removed using the in-app tools. According to Figure 1, these images are then reviewed by moderators to verify that all identifying information has been properly removed.

However, while the in-app tools help maintain patient anonymity, there may be situations where a patient’s symptoms are so unique that, by virtue of that fact alone, they could be easily identified.

Figure 1 claims to take the issue of patient privacy extremely seriously; however, Dr Landy, the creator of the app, admitted that control of the patient consent process was out of their hands — it still remains the responsibility of the medical professional or institution.

Risks and concerns

The question of data security is all-important in this particular case, because a data breach could be personally damaging for patients, and financially costly for medical practitioners and institutions alike.

As a patient, here are four questions you might like to ask your health care provider.

  • What assurances do you have that your data is being handled appropriately?
  • If your privacy is relying on any kind of human moderator, who’s watching the moderators?
  • How is your personally identifiable data securely disposed of, and when?
  • Does your provider have suitable data breach prevention policies, and are all their employees familiar with them?

Even though some companies and their employees may have the best intentions for their customers, not having proper measures in place can result in actions that have serious implications — as was the case with the 56 Dean Street clinic in London.

The Figure 1 app is an example of how technology can democratize knowledge to improve the speed and delivery of essential information that can make a real difference to people’s lives.

However, technologies that handle extremely confidential information must be tempered with the right controls to avoid privacy breaches at all costs.

 

Six things to think about in the new year

Here are six things to think about for this year, with business security strategy top of mind…

1. Artificial Intelligence keeping us safe online
Artificial intelligence and machine learning aren’t just about robot dogs and self-driving cars. The latest AVG Business anti-malware products contain a number of sophisticated neural learning and cloud-data collection techniques designed to catch malware earlier and more often. Expect to hear more through 2016 about how artificial intelligence will help transform security solutions to help keep malware at bay.

2. Certificate Authorities: beginning of the end
SSL continued to be a big talking point in 2015 with further vulnerabilities being disclosed. This year the debate will continue around certification, development of new open standards and easier choices for website owners. Every news story about certificate mismanagement, security mishaps, and data breaches puts Certificate Authorities under increasing scrutiny. For many small-business website owners, paying a Certificate Authority and submitting to what can sometimes be an arduous verification and checking process is cumbersome and unnecessary.

This is where technical alternatives like Let’s Encrypt (currently in beta) are bound to flourish.

Additionally, Google’s Certificate Transparency project will continue to identify rogue SSL Certificates through detections built into modern day web browsers, as Google continues to hold Certificate Authorities to account – helping keep us all safer. Lastly, with the promise of other solutions such as the Internet Society’s proposed DANE protocol, offering the ability for any website owner to validate their own SSL certificate and therefore bypass a Certificate Authority altogether, 2016 will be an interesting year to watch!

3. Malvertising, Ad Networks: shape up, or ship out
Malvertising is what happens when malware is served up to innocent web site visitors; it’s happening all too frequently and is caused by questionable third party relationships and the poor security of some online advertising networks. At the root of this problem is the “attack surface” of ever-growing, ever-complex advertising and tracking “scripts” provided by ad networks and included by publishers (often blindly) on their websites. The scripts are slowing the browsing experience and anyone who has installed an ad blocker recently will tell you they can’t believe how fast their favourite websites are now loading. Research conducted by The New York Times showed that for many popular mobile news websites, more than half of the bandwidth used comes from serving up ads. That’s more data from loading the ads, scripts and tracking codes, than the content you can see and read on the page!

Whatever the solution, one thing is for certain: Ad Networks need to shape up and address their security, otherwise 2016 may well be remembered as the year of Malvertising.

4. Augmenting passwords with extra security steps in 2016
The need for strong passwords isn’t going anywhere in 2016. There were reminders in 2015 that even having the world’s longest smartphone passcode doesn’t mean someone can’t figure it out.

This year, there will be growing use of extra steps to make accessing data safer. In 2015, Yahoo announced a security solution using mobile devices rather than a password for access, and we even saw Google include Smart Lock features that can use the presence of other nearby devices to unlock your smartphone. Two-factor authentication – using two steps and ‘something you have and something you know’ to verify someone’s identity – will continue to be popular for use by many cloud-based providers looking to avoid data breaches.

5. The Internet of Things needs security by design
Every device seems to be getting smart – in the home and in the office. You’re likely going to be using your smartphone as a “lifestyle remote” to control a growing array of devices. Being able to set the office temperature remotely, or turn on the kettle in the communal kitchen without leaving your desk may sound helpful, but the devices have the potential to give up WiFi keys. Every unprotected device that is connected to a network is open to hacking. Cyber criminals are probing hardware, scanning the airwaves, and harvesting passwords and other personal identity data from wherever they can. So the advice is simple: every connected innovation needs to be included in your business-wide security.

6. Update and upgrade or face the financial and legal consequences?
Upgrading and updating all your software, devices, gadgets and equipment remains a vital business issue. The Internet of Things is raising new questions about who is responsible for what in a legal sense. Who owns data? What happens when machines take “autonomous” decisions? Who is liable if something goes wrong? To take one extreme example, a police officer pulled over one of Google’s driverless cars in November for causing a traffic jam on one Californian highway by driving too slowly. Again, the lesson is clear. The simple rule this year is to ensure that your business software and systems are always using the latest update. Your life may not depend on it, but your livelihood might.

So these are my six “thinking points” as we head into 2016.

Here at AVG, we look forward to helping you keep security front and center for your business this year. For more information on AVG Business security solutions that keep devices, data and people protected every day, across the globe, visit http://www.avg.com/internet-security-business.

4 Tips for Successful Online Sales over the Holiday Season

Christmas is nearly upon us, but is your website ready to make the most of it? In fact, let’s go one step further: are your website, social media and IT systems all singing the same song?

Preparation and a co-ordinated setup are essential if you’re going to make the most out of any uplift in customer attention and desire to buy from small businesses instead of the big brands.

You can have a killer website but if your social media channels aren’t up-to-date too then you’ll look behind the times and disorganised.  If your IT systems that enable you to take, process, and dispatch orders aren’t up to scratch, then any online sales you do make might go to waste.

The web is available 24/7/365 – this is as level a playing field as it gets for small business, especially when advertising and marketing budgets don’t match those of the large and well established brands.

Customers can be fickle and have short attention spans too, hopping from website to website in a matter of seconds if they don’t see what they’re looking for. This is the same for all businesses, but it underlines the importance of having everything ready, up to date and aligned.

Here are four things you can do to make the most of the holiday season for your small business online:

1. Have a dedicated webpage and keep it live all year round
Have a dedicated web page on your site for popular sales events like Small Business Saturday, Black Friday and Cyber Monday… and keep it live all year round! That might sound counter-intuitive when we’re only talking about one day in the year, but there’s a very good reason you should do this. Once a web page is live it’s far easier to manage: the basic structure can stay the same even if the copy and imagery change. Plus, people don’t always follow the rules when it comes to searching for offers and deals online – they’ll start searching for them whenever the mood takes them, wherever they happen to be. As recent research reveals, when people start looking for information about a purchase, they could be doing it using a mobile on the train, a desktop PC at work, or a tablet when they’re snuggled up in bed.

For example, if they start searching for details about Small Business Saturday in September and October – as Google search data shows – then having your web page already live will allow people to find you. Currys use this tactic with their Black Friday web page.

If you take down your page after the event, then search engines won’t be able to show it to customers whenever they start searching for it next year. They’ll draw a blank and you’ll be starting from square one all over again. Why shoot yourself in the foot? Competition for online orders is tough enough as it is.


2. Facebook is a great starting point for a conversation
“Like” it or not, Facebook is a force to be reckoned with. 84% of internet users between the age of 35-44 are on at least one Facebook service, meaning Facebook, Facebook Messenger, Instagram or WhatsApp. That figure goes up to a whopping 90% for 16-24 year-olds. This is where your customers – existing and future – are likely to be spending a lot of their social media time, so if you’re not on there, they won’t see you.

Make sure you’ve set up a Facebook business page. Your customers won’t want to see a constant stream of sales related messages though. Imagine your business page to be a little bit like your personal Facebook page: it should express the everyday goings on and personality of your business. And in between those posts, you can publish business event or sales related messages. If you’re short on ideas, have a look at how other small businesses have used Facebook to grow their business.


3. Make sure your IT system is safe and secure
If there’s one day in the year you definitely don’t want to be hacked, it’s when you’ve just taken a large number of online orders. We can all remember the Ashley Madison scandal and countless other big brands being hacked and losing customer data over the years. A survey of UK businesses conducted this year also reveals nearly nine out of 10 large businesses said they had suffered some form of information security breach in the last year. Don’t be fooled into thinking it can’t happen to a small business. Hackers – and the viruses they release into the world – will target anyone they think might have weak website security.


4. Ask the experts
If you are concerned your ecommerce and supporting IT system aren’t as secure or co-ordinated as they could be, ask for help. There’s a whole host of free resources for small businesses all over the web to help you understand how healthy and secure your IT system is. For example, AVG’s free IT Security Health Check is a good place to start if you’re not an expert and have little time on your hands. It’s short and sweet and offers straightforward tips for how to improve your IT security. The UK government is also offering Innovation Vouchers worth £5,000. These can be used to pay for advice which will help protect and grow your business by having good cyber security in place.

 

At the end of the day

Gearing up your website, social media and IT systems to make the most out of the holidays is only half the battle. Making sure they stay safe and secure, and continue to serve you and your customers well, is the other half.

10 Tips for Safe Holiday Travel

Preparing for a travel holiday involves a huge amount of planning. In today’s world where many things have become faster and easier to achieve with the aid of modern technology you’d think there would be less to consider when going away, but technology can actually add to the list of concerns rather than shortening it.

So before you head off on your travels, consider these 10 tech tips that can help make your holiday safer and less costly while still staying connected.

  1. Roaming Fees
    Check that your mobile is going to work internationally. Even if you don’t intend to use it, it’s there in case of emergencies. Contact your carrier to see if they have a calling plan for the country you are visiting. For example, some phone carriers offer travel packs or roaming options for most places you might visit. Spending between $20-95 initially, dependent on location, can end up saving you hundreds of dollars in expenses compared with roaming without a plan.
  2. Controlling Data Usage
    Apps running in the background can eat away at your data and run up expensive charges without you knowing. Going through every app and adjusting data usage settings is a big task, so switching off data roaming completely and only using apps when connected to Wi-Fi is a simple way of keeping data costs under control.
  3. Wi-Fi Safety
    Using public networks in coffee shops, airports and hotels can help you stay connected; however, caution should be taken when connecting to them. Avoid disclosing any sensitive information when using a free Wi-Fi hotspot, including banking, credit card information or other personal data. Consider using a virtual private network (VPN) — software that protects your data by encrypting it — so that when using public Wi-Fi networks your data can’t be intercepted.
  4. Audit Apps
    Make sure that you update all the apps on your device before leaving home. Also, take the time to remove the ones that you no longer need; they may be using valuable space, consuming power or using data in the background.
  5. Security Software
    The most important software for your protection online is an antivirus app, as it will help keep you safe when browsing for tourist information on the go. If you don’t already have one, you should install one like AVG AntiVirus for Android.
  6. Anti-theft Software
    Enable and register your device to protect it against theft. AVG Antivirus for Android has an anti-theft option that allows you to lock, locate and, if necessary, wipe your device if it is lost or stolen.
  7. Location Data
    Switch off location based services for apps that don’t need them. Posting a picture online with location data switched on can reveal to burglars that you aren’t home. It may also reveal to pickpockets and thieves your exact location and make you a potential target.
  8. Credit Cards and ATMs
    Inform your bank that you’ll be travelling and where you’re travelling to. This will avoid any transactions being declined because they’re outside of your normal banking habits. Unfamiliarity with the environment might tempt you into using ATMs in locations that aren’t necessarily safe. If possible, always use an ATM at a bank. Also, watch out for devices or odd attachments on ATMs — they might be devices that criminals use to skim (copy) your card. When shopping, try to use a credit card instead of your debit card that connects to your bank account. If you have new wireless payment cards, consider getting a protected wallet.
  9. Using the cloud
    Using cloud storage for your data can be really convenient. If someone steals your device it means you can still have access to your data, be it photos, travel documents or flight itineraries.
  10. Lastly, use your instinct and have a great vacation.

 

 

AVG at the 21st Internet Identity Workshop

The Internet Identity Workshop (IIW) recently held their 21st Meeting and AVG was one of the sponsors.  Once again hosted at the Computer History Museum in Mountain View, California, this academic conference is focused on finding, probing and exploring the issues related to identity management.

The organizers, Phil Windley (@windley) and Kaliya Hamlin (@IdentityWoman) have managed to keep the IIW event rich with content, and suitably engaging to attract a loyal following of technical people.

The core themes of the conference were around trust, identity, privacy and technology – areas that we at AVG are very passionate about!

While a lot of users are quite proficient with the “sticky note system” for managing their internet identity, passwords and usernames – this conference by contrast is aimed at highly technical and advanced solutions that one day might provide a better and more secure alternative.

Technological advancement is happening quickly in the world of identity, and even a relatively new technology such as OAuth 2.0 is old news at IIW, with this year’s conversation all about the Blockchain – a technology utilized by the well-known cryptocurrency, Bitcoin.

Whereas previous identity recommendations have centered around technologies that look like an unbreakable-black-box, the Blockchain discussion is driven by a general consensus for complete transparency underpinned by cryptography that provides security and integrity.

The notion of using a Blockchain, which is a type of ‘distributed ledger’, offers the possibility of providing a secure history of every transaction – a chain of trust, which also acts as a permanent record of your identity that cannot be removed or tampered with.

This model of establishing trust is quite intuitive and human. We trust people who are trusted by others, and so forth. For example, it’s the way Google search rankings work (pages that link to other pages), and the way that SSL certificates are signed so you can trust your banking website.

“No, I am your father!”, from Darth Vader in Star Wars, just wouldn’t have carried the same element of surprise to Luke if they had access to Blockchain technology!

 

It’s Cyberattack Season: Did You Get Your Immunization Shot?

There’s a term in public health known as “herd immunity.” The idea is that when a critical number of people are immunized against a contagious disease, most members of that community become protected against the disease, whether or not they received an inoculation.

Breaking the chain of a disease’s transmission enables us to interrupt the ability of the pathogen to set in at a broader scale in our community. In this way, vaccinations protect people who have and haven’t been vaccinated.

The same principle applies to our digital lives which are just as connected, if not more connected, to digital threats and “pathogens” that steal our data and identities, disrupt our productivity, and mar our public profiles.  We spend a great deal of time and energy investing in firewalls and the technical parts of our infrastructure to protect data and privacy, but what about our behavioral practices?

Do we take the time to inoculate ourselves against habits that could risk the digital wellbeing of our family and friends? Or do we, for example, still ask family members for Social Security numbers via email? Or send credit card information and/or passwords insecurely?

“The important principle here is that there are things I can do to help ensure a safer online world for you, and vice versa.”

If, for example, you posted a compromising photo on social media, I can opt to not re-post it, protecting you from further harm. And if everyone who comes across the photo does the same, we’ve inoculated you from damage even though you had failed to protect yourself.

This is the mindset that we need to adopt in being good digital citizens and embodying the characteristics of a “smart user.” By doing so, we can create an entire network and community of safety and protection.

Most of us, especially the youth and others around the world who are coming online for the first time, are particularly vulnerable. We were all the same at some time. When I worked at Netscape, for example, and got my first email message from a friend “stranded in Thailand,” asking for money – I almost fell for it! On the exposure curve, I was just like a lot of new users today.

Let’s take a page from the herd immunity playbook and create a safer and more private digital world for all of the new users coming online, in addition to helping these users become more educated in smart online behaviors.

AVG has committed to a smart user digital citizenship initiative to build a better web. Please join us or see how you can support this initiative. Because after all, the more you do to help make the web a safer place, you do so not only for yourself but for the whole herd.

To learn more, please visit smartuser.com.

Web Summit 2015 — security was a hot topic

200 startups gave their pitches at the Web Summit this year in Dublin. Over 2,100 startups participated, the vast majority of which had “poster board” displays and one or two eager founders giving their elevator pitch. That makes the Web Summit a welcome change to other conferences that typically rotate around industry giants.

Two messages seemed to pervade the conference this year: location and security. The “location” bit was the move of the Web Summit from Dublin to Lisbon next year. As you can imagine, this was a bit of a blow to the locals, and they could not stop talking about it.  Hopefully Lisbon imports Guinness and Jameson so that a little bit of Dublin carries over.

“Security” discussions seemed more prevalent than ever before. The recent breaches at TalkTalk and Ashley Madison were discussed over and over again…and the recent UK decision to store web histories for everyone for a year was a hot topic, as was the Safe Harbor European Court of Justice ruling. But, more than that, the need for both security and privacy was raised in almost every context: from publishing your web app to talking to IoT devices. The phrase “the Internet of unpatchable crud” was being thrown around often.  Interestingly, many of these conversations were underway before people learned that I was with AVG, and thus involved with security and privacy issues directly.

Further, a lot of the discussions focused around personal security, not just enterprise security. This is a change from a year ago, or even six months ago. This bodes well for AVG’s move into protecting people as well as devices and data.

AVG has been pushing something called “the law of least data” with IoT groups for a while now. The core idea is that data should be routed as directly as possible between entities. This augments the idea of “storing only required and essential data” that has been a mainstay of good data design for a long time. My canonical example is my thermostat talking to my furnace. While setting up the relationship between the two may require the cloud, the day to day control and feedback between the two should not have to leave my house (i.e., my local area network). Even if encrypted, an eavesdropper could probably tell when someone was at home based on the volume of traffic between the two. This is a simple idea, but an important one. When you extend that thinking to many connected devices, including those dealing with health and security, you can imagine the impacts of not respecting the “law of least data.” However, the business/capitalistic forces at work today mean that every vendor wants to backhaul all data to the cloud under the rubric of “data is the new currency.” This is a dangerous architecture and one that we should all be challenging.

Many people, when asked about their personal data leaking, have a fairly resigned attitude. They say, “it is not a big deal, and I get more personalized offers; I know the tradeoffs I am making.” I like to use a simple example to help people understand that seemingly innocuous data is still valuable and can be used in unexpected ways. If you are a serious cycler, you will probably sign up for a bike ride sharing application. It is fun; you can compete against others as motivation and track your personal progress online. However, thieves also sign up for these services. Using the simple logic that users who ride the most often and the farthest probably have the most expensive bikes, the thieves were able to steal bicycles easily using the location tracking data in the services. Again, you can extend this idea to all types of data to understand that, by default, we should be keeping our data safe and secure.

So, it was refreshing to see these, and other, security topics being actively discussed at the Web Summit. It bodes well for our industry that this is now top of mind.

 

Web Summit 2015 — security was a hot topic

200 startups gave their pitches at the Web Summit this year in Dublin. Over 2,100 startups participated, the vast majority of which had “poster board” displays and one or two eager founders giving their elevator pitch. That makes the Web Summit a welcome change to other conferences that typically rotate around industry giants.

Two messages seemed to pervade the conference this year: location and security. The “location” bit was the move of the Web Summit from Dublin to Lisbon next year. As you can imagine, this was a bit of a blow to the locals, and they could not stop talking about it.  Hopefully Lisbon imports Guinness and Jameson so that a little bit of Dublin carries over.

“Security” discussions seemed more prevalent than ever before. The recent breaches at TalkTalk and Ashley Madison were discussed over and over again…and the recent UK decision to store web histories for everyone for a year was a hot topic, as was the Safe Harbor European Court of Justice ruling. But, more than that, the need for both security and privacy was raised in almost every context: from publishing your web app to talking to IoT devices. The phrase “the Internet of unpatchable crud” was being thrown around often.  Interestingly, many of these conversations were underway before people learned that I was with AVG, and thus involved with security and privacy issues directly.

Further, a lot of the discussions focused around personal security, not just enterprise security. This is a change from a year ago, or even six months ago. This bodes well for AVG’s move into protecting people as well as devices and data.

AVG has been pushing something called “the law of least data” with IoT groups for a while now. The core idea is that data should be routed as directly as possible between entities. This augments the idea of “storing only required and essential data” that has been a mainstay of good data design for a long time. My canonical example is my thermostat talking to my furnace. While setting up the relationship between the two may require the cloud, the day to day control and feedback between the two should not have to leave my house (i.e., my local area network). Even if encrypted, an eavesdropper could probably tell when someone was at home based on the volume of traffic between the two. This is a simple idea, but an important one. When you extend that thinking to many connected devices, including those dealing with health and security, you can imagine the impacts of not respecting the “law of least data.” However, the business/capitalistic forces at work today mean that every vendor wants to backhaul all data to the cloud under the rubric of “data is the new currency.” This is a dangerous architecture and one that we should all be challenging.

Many people, when asked about their personal data leaking, have a fairly resigned attitude. They say, “it is not a big deal, and I get more personalized offers; I know the tradeoffs I am making.” I like to use a simple example to help people understand that seemingly innocuous data is still valuable and can be used in unexpected ways. If you are a serious cyclist, you will probably sign up for a bike ride sharing application. It is fun; you can compete against others as motivation and track your personal progress online. However, thieves also sign up for these services. Using the simple logic that users who ride the most often and the farthest probably have the most expensive bikes, thieves were able to steal bicycles easily using the location tracking data in the services. Again, you can extend this idea to all types of data to understand that, by default, we should be keeping our data safe and secure.

So, it was refreshing to see these, and other, security topics being actively discussed at the Web Summit. It bodes well for our industry that this is now top of mind.

 
