A bit of a reality check

I was on Facebook checking all my security settings again, when I saw something pop up in my feed from Sophos. It was a link to a tool to check your privacy settings called Reclaim Privacy.

After playing with the tool and double-checking that my settings were where I wanted them, I made a point to post it to my own profile.

For me this was super important. I want my private data to stay that way (even if it’s not entirely accurate, mind. I still don’t want it just “out there in the world”). Soon a friend of mine messaged me asking about the tool. I took this as an opportunity to educate, and explained what the tool was. She didn’t understand the point.

I was a bit taken aback at first. What do you mean, what’s the point? What’s the point of protecting your private information? To a security professional that seems an odd question that “common sense should answer”.

But this was a friend and she was genuinely curious. I put on my security educator hat and launched into my explanation of how her data can be mined and sold to other people.

“So what? I’m not profiting off of it so what does it matter if someone else does?”

Eh?? She doesn’t care? I tried again: “Your activities and interests data is mined and gets passed on and you get all those ‘targeted ads’. Don’t you get annoyed with the ads?”

“Ads are part of the internet. What about them? I click on them when I see something of interest.”

Now I was starting to get concerned. “But you can see all your info on a simple Google search, your birth date, your home town. This can be used for identity theft.”

“*Shrug* So I’d have to change my credit cards. It’d be a pain, I guess. But what are the odds of it happening really?”

She then said something that drove the point home. “I care more about what trouble my toddler is getting into than someone finding my personal info and using it.”

I can see now where the education process breaks down for the average consumer. We, as security professionals, see the perceived threats and the real ones. We are entrenched in them every single day. Many people simply don’t see these threats, neither the perceived ones nor the real ones. They only see what’s in their own world right then. As she said, she’s more concerned about what her son is doing right then than her personal data.

After a decade and a half, people are just now getting to the point where they use security software. Social media is evolving far faster than the traditional educational approaches. We as security professionals need to take a look at how we are presenting perceived and real risks and change our approach to that of answering the question “So what? Why should I bother?”.

This means reaching out to the average user/consumer and addressing why they really should care. Not just the academics that still need addressing, such as best practices, but addressing what the real risk is to themselves and why they really should bother locking down their profiles and securing their personal data.