There is a direct correlation between privacy and security. The level of privacy you have on the Internet is being decided for you, and so is your level of security.
In 2016, the Federal Communications Commission (FCC) passed rules that would bar your Internet service provider (ISP) from monetizing usage data: specifically, selling your personal usage information to marketers, inserting undetectable tracking cookies, or recording your browsing history to build up a behavioral advertising profile, unless you explicitly gave consent.
This week the Senate voted to repeal those rules. Regardless of how you feel about the repeal, you must be aware that this places cyber security risk on you and your organization. Security and privacy are interconnected. When one is exposed, it's likely that the other is at risk of being exposed or has already become vulnerable. Here are three examples of how relaxing privacy laws will impact cyber security.
Risk #1 - Digital Footprint
ISPs must collect data on you before they can sell it. This includes websites you’re browsing, metadata from conversations you have, and search terms you use. Once the data is collected, it will need to be stored.
The risk is that Internet service providers do not have a great track record when it comes to keeping information about their customers safe. Back in 2015, Comcast had to pay $33 million for unintentionally releasing information about customers who had paid Comcast to keep their phone numbers unlisted. What could happen if hackers decided to target the treasure trove of personal information ISPs start collecting? People’s personal browsing history and records of their location could easily become the target of hackers who want to blackmail an individual or the organizations that employ them. Unfortunately, this is just the tip of the iceberg.
Risk #2 - Creating holes in your browser security
One of the major threats to cyber security comes from ISPs inserting ads into your browsing. Here we’re talking about your Internet provider placing additional ads in the web pages you view (beyond the ones that already exist). Why is this dangerous?
Inserting new code into a web page in an automated fashion could break the security of the existing code in that page. Security features in sites and apps you use could be broken, and hackers could take advantage of that, causing you to do anything from sending your username and password to them (while thinking it was going to the genuine website) to clicking on a malvertisement that installs malware on your computer.
Risk #3 - Pre-installed software on your phone
The last risk comes from Internet providers pre-installing software on our devices, particularly on mobile phones, which most of us purchase directly from the company that provides our cell service, i.e. our ISP. Pre-installed software can record what websites you visit and what search terms you enter, so it would be pretty tempting for Internet providers to use it for advertising purposes. What cybersecurity risk does this pose?
Pre-installed software often comes with fairly low-level access to your phone’s systems, which means it can see and access all the parts of your phone’s operating system that would usually be secure. If hackers can find a vulnerability in the pre-installed software, then they can use it as a sort of tunnel to get access to almost anything on your phone. The risk grows exponentially as mobile phones access employers’ networks after malware has been installed on the mobile device.